Cyber Resilience Act
The Cyber Resilience Act (CRA) is an EU regulation establishing cybersecurity requirements for products with digital elements. The CRA requires manufacturers to implement security by design, provide security updates, and report vulnerabilities throughout the product lifecycle.
What is the Cyber Resilience Act?
Cyber Resilience Act Definition
The Cyber Resilience Act (CRA) is a European Union regulation adopted in 2024 that introduces mandatory cybersecurity requirements for products with digital elements sold on the EU market. The CRA aims to ensure that digital products - from smart home devices to business software - are designed and maintained with security in mind.
CRA Scope
Products covered:
- Software (operating systems, applications)
- IoT devices (cameras, sensors, smart home)
- Computer hardware with firmware
- Network devices (routers, firewalls)
- Video games and mobile applications
Exclusions:
- Medical devices (MDR)
- Vehicles (UN R155)
- Aviation
- SaaS (covered by NIS2)
Key CRA Requirements
Security by Design:
- Security considered from the design phase onward
- Secure default configurations
- Attack surface minimization
Vulnerability Handling:
- Vulnerability management process
- Incident reporting to ENISA
- Coordinated vulnerability disclosure
Security Updates:
- Free updates throughout lifecycle
- Minimum 5 years (or product lifetime)
- Automatic or easy to apply
Documentation:
- Secure usage instructions
- SBOM (Software Bill of Materials)
- Update support information
Product Categories
Class I (lower risk):
- Most consumer products
- Self-assessment conformity
- Examples: smart TVs, games
Class II (higher risk):
- Security-critical products
- Third-party assessment
- Examples: firewalls, industrial control systems (ICS), HSMs
Implementation Timeline
- 2024: Regulation adoption
- 2025: Vulnerability reporting obligations enter into force
- 2027: Full requirements enter into force
CRA vs NIS2
| Aspect | CRA | NIS2 |
|---|---|---|
| What it regulates | Products | Entities/operators |
| Who it applies to | Manufacturers, importers | Essential service providers |
| Focus | Product security | Organizational security |
CRA and NIS2 are complementary - CRA for products, NIS2 for operators.
Penalties and Enforcement
- Non-compliance with requirements: Up to €15M or 2.5% of turnover
- Failure to report vulnerabilities: Up to €10M or 2% of turnover
- Product withdrawal from market for serious violations
Implications for Manufacturers
- Processes: Security Development Lifecycle (SDL)
- Teams: Dedicated PSIRT (Product Security Incident Response Team)
- Tools: SBOM generation, vulnerability scanning
- Documentation: Compliance declarations, instructions
The Cyber Resilience Act is a groundbreaking regulation that will fundamentally change how digital products are designed and maintained in the EU.