Cyber Resilience Act (CRA)



What is the CRA?

European Regulations


The CRA is a European Union regulation. Its aim is to protect users of connected products from criminals who try to gain access to those products for illegal purposes, by obliging manufacturers to address cyber threats throughout product development and for the rest of the product lifecycle.

All manufacturers, importers and distributors placing products with digital elements on the EU market must comply. Unlike voluntary standards, guidance and certification schemes, the CRA is binding law, so compliance is mandatory rather than optional.

It joins a growing portfolio of European regulations and acts designed to protect industry and consumers.

 

What products will the Cyber Resilience Act impact?

The short answer is any electronic product that can be connected to another device or to a network. Manufacturers inside and outside the EU must comply if they, or their agents, place such products on the EU market.

The long answer is products with digital elements (PDEs), which covers both hardware and software, including remote data processing solutions that a product depends on. If a PDE's intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, it falls within scope. The internet is the world's biggest network and the largest source of cyber threats, but an otherwise offline product with a USB or serial port that is expected to be connected to something else is in scope too. Products already covered by sector rules with equivalent cybersecurity requirements, such as medical devices, motor vehicles and civil aviation, are excluded, as is open-source software that is not supplied commercially.

The CRA is complementary to but different from the existing Cybersecurity Act (Regulation (EU) 2019/881), whose certification schemes are voluntary unless another law makes them mandatory. Because the CRA is a regulation rather than a directive, it applies directly and uniformly in all EU member states without having to be transposed into national law.
 

When does the Cyber Resilience Act take effect?

The Act was proposed by the European Commission on 15 September 2022. The European Parliament adopted it at first reading on 12 March 2024 by 517 votes to 12, with 78 abstentions, and the Council adopted it on 10 October 2024. It was published in the Official Journal of the EU on 20 November 2024 as Regulation (EU) 2024/2847 and entered into force on 10 December 2024.

There is a transition period: the obligations on manufacturers apply from 11 December 2027, 36 months after entry into force, and the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from 11 September 2026. That period is the window in which OEMs must bring their products into compliance with the CRA, and it is where EBV and its partners, including software specialist Witekio, can help.

To learn more, take a look at the SOLUTIONS we can offer today, and our PARTNERS ready to help.
 

What do OEMs need to know about the CRA?

Complying with the CRA is compulsory and, as with other EU product legislation, compliance is demonstrated by affixing the CE mark to the product. This works much like EMC compliance.

While EMC compliance often requires extensive testing even when self-certifying, OEMs will be able to self-assess many products for CRA without involving a third party. Self-assessment still means verifying that the product meets the essential cybersecurity requirements, and the technical documentation recording how it does so is essential.

Due to the nature of online threats, compliance with the CRA requires ongoing diligence. As well as completing a cybersecurity risk assessment during development, which involves identifying and documenting vulnerabilities and the measures taken to address them, the OEM must handle vulnerabilities throughout the support period, including regular testing and timely security updates for vulnerabilities that emerge after the product enters service. Actively exploited vulnerabilities and severe incidents having an impact on the product's security must be reported to ENISA and the national CSIRT through the single reporting platform, with an early warning within 24 hours of the OEM becoming aware of them.

The OEM must maintain this diligence for a support period that reflects how long the product is expected to be in use: at least five years, unless the product is expected to be in use for less than five years, in which case the support period matches that expected use time. Long-lived industrial products may therefore need a support period well beyond five years.
Some important and critical products must be assessed by an independent third party rather than self-assessed. EBV can help OEMs navigate this process.

Non-compliance, if proven, incurs fines and penalties. For breaches of the essential cybersecurity requirements these can be as high as €15 million or 2.5% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.

Products placed on the market before the obligations apply are exempt unless they are substantially modified after that date, although the reporting obligations still apply to them. New products in development will be subject to the CRA if they are placed on the market after the application date.
 

What should embedded electronic engineers do to comply with the CRA?

All new products, as well as new generations of existing products, must comply with the CRA once its obligations apply.

Compliance should start with a cybersecurity risk assessment of the product. Both hardware and software can contain vulnerabilities that give an attacker a way in, so the assessment should cover the whole product, including the third-party components and libraries it is built from.

Physical and logical access points to a product (debug ports, radio and network interfaces, USB and serial ports, update mechanisms, web and API endpoints) should be treated as part of the attack surface and protected accordingly, unless it can be shown that they cannot be abused.

To learn more about the assistance EBV can provide, look at our SOLUTIONS and PARTNERS pages.

Engineers should develop and adopt best practices to demonstrate and maintain CRA compliance. These may include:

  • Consider possible vulnerabilities and look for them in your product design, from the earliest stage and throughout the product's lifecycle (security by design and by default).
  • Change your organization's culture to include a Software Bill of Materials (SBOM) for every project, covering at least the top-level dependencies, so you can tell quickly whether a newly published vulnerability affects a shipped product.
  • Create a preferred component and supplier list, so that parts and software with a known security track record and ongoing vendor support are reused across products.
  • Develop a reporting structure to manage vulnerability tracking, coordinated disclosure and the mandatory reporting of actively exploited vulnerabilities and severe incidents.
  • Support your engineers in becoming experts in deploying firmware over-the-air (FOTA) updates, so security fixes can reach fielded products for the whole support period.

 

CONTACT US TO FIND OUT HOW EBV CAN HELP YOU

 
