The Cyber Resilience Act: Implications for Businesses

Understanding the Cyber Resilience Act

On September 15, 2022, the European Commission presented the Cyber Resilience Act, an ambitious effort to standardise cyber security regulations for digitally enabled products. The CRA aims to accomplish the following by establishing a uniform baseline for cyber resilience:

1. Strengthen security for all digital products: Many digital products now available on the market lack proper security features, making them vulnerable to exploitation. For example, smart home devices such as connected thermostats or security cameras can be particularly susceptible to cyber attacks if not properly secured. To address this, the CRA requires secure development techniques, vulnerability management, and security standards at every stage of a product’s lifespan.
2. Empowering customers and companies to make informed decisions: The cyber security aspects of digital products are often not prominently featured, making it difficult for consumers to assess their risks. The CRA helps both businesses and consumers make informed choices by requiring greater transparency regarding these products’ cyber security features.

The CRA sets mandatory cyber security standards for digital goods producers, distributors, and operators to accomplish these objectives.

Timeline and Important Compliance Checkpoints

Businesses should be aware of the following significant dates and milestones as the CRA moves through the EU legislative process:

• Political Agreement: After several revisions and stakeholder engagements, the European Commission reached a political agreement on the CRA on December 1, 2023. This agreement shows broad support for the CRA’s goals.
• Compliance Window: Following legislation, companies will have specific deadlines to comply:
  – 21 Months: To fulfil the CRA’s event and vulnerability reporting obligations.
  – 36 months: To ensure complete adherence to all CRA regulations, particularly those about EU certification, secure development procedures, and transparency.

Businesses may organise compliance activities using this staged timeframe, but early action is essential to prevent disruptions.

Implications for Businesses Across Sectors

The CRA impacts various businesses that deploy digital products, with software and hardware developers likely to be the most directly affected. The CRA’s provisions also extend beyond the European Union, meaning that non-EU companies that offer digital products or services within the EU market must also comply with the CRA’s requirements. This means that any business, regardless of its location, must ensure its products meet the CRA’s cyber security standards if they are to be used within the EU. The following summarises the potential effects of the CRA on different business types:

1. Vendors of digital services and technology providers

The CRA places strict standards on businesses that create software or offer digital services, including secure development, vulnerability management, and regular updates. Technology providers must prioritise vulnerability reporting and implement secure coding practices to reduce security risks across widely used platforms and applications.

2. Manufacturers of IoT devices and hardware

Security elements must be incorporated into the design and development stages for manufacturers of digitally integrated hardware, including Internet of Things (IoT) devices. These companies might be scrutinised, primarily if they produce “high-risk” goods affecting public safety, healthcare, or vital infrastructure. The CRA may also require hardware modifications to guarantee safe, future-proof goods that meet EU standards.

3. Distributors and Retailers of Digital Goods

Distributors and retailers contribute to cyber security by ensuring their goods meet CRA regulations. They must also enable traceability, keep up-to-date records of cyber security features, and inform customers about the security characteristics of their products.

4. Healthcare Providers and Critical Infrastructure

Cyber threats can target organisations that oversee vital infrastructure, including transportation, healthcare, and energy. The CRA establishes a requirement for strict incident response procedures and monitoring of real-time cyber security metrics for these industries.

5. SMEs (small and medium-sized enterprises)

Despite the CRA’s broad applicability, SMEs may encounter difficulties because of limited resources. The CRA encourages SMEs to implement basic security procedures that improve resilience without putting an undue financial burden on them.

How to Prepare for CRA Compliance

As the CRA and associated implementation guidance develops, businesses have an opportunity to take the initiative in aligning their operations, services and products with the requirements of the Act.

Ryan Hides outlines his top 5 key areas of focus for businesses to ensure they’re CRA-ready:

1. Risk Management and Assessment

Conduct thorough risk assessments to identify potential vulnerabilities in your systems and processes. Implement robust risk management strategies to mitigate identified risks and ensure continuous monitoring to adapt to new threats. The CRA requires that manufacturers incorporate security measures from the design and development phases to ensure products have fewer vulnerabilities

2. Data Protection and Privacy

Ensure that all data, especially personal and sensitive information, is adequately protected. Implement strong encryption methods, access controls, and regular audits to comply with data protection regulations and safeguard against breaches.

3. Incident Response Planning

Develop and maintain a comprehensive incident response plan. This should include clear procedures for detecting, reporting, and responding to cyber incidents. Regularly test and update the plan to ensure it remains effective against evolving threats.

4. Employee Training and Awareness

Invest in regular training programs to educate employees about cyber security best practices and the importance of compliance. Foster a culture of security awareness to reduce the risk of human error and insider threats.

5. Vendor and Third-Party Management

Evaluate and manage the cyber security practices of vendors and third-party partners. Ensure they comply with CRA standards and integrate their security measures into your overall cyber security framework to prevent supply chain vulnerabilities.

The outlook for cyber resilience and the CRA

The Cyber Resilience Act is a proactive step towards creating a more secure digital future for the EU. In addition to avoiding fines, CRA compliance helps businesses build consumer trust, improve brand reputation, and lower cyber risk.

Compliance with the CRA sets the foundation for a resilient future in which security is integral to every digital product and service offered within the EU.