Regulatory Reflections: Cyber Resilience Act

Date Published: August 01, 2024

In our Regulatory Review series, we have already covered a number of Acts that have come into place in recent years. This time, we are turning our attention to a hotly anticipated piece of regulation coming from the European Union (EU): the EU Cyber Resilience Act (CRA). As the number of ‘smart’ devices in use continues to rise across Europe, the Act will bring forward the introduction of foundational computing standards for any connected device, enhancing cyber resilience in both hardware and software.

The scope
The new Act imposes significant security-related obligations on manufacturers, importers, and distributors of ‘products with digital elements.’ This includes software, hardware, and associated remote tools designed for data processing. Notably, the Act broadens the definition of ‘manufacturer’ to include any operator or entity that makes significant modifications to products, increasing accountability for the code they implement.

While the Act covers a wide range of products, it explicitly excludes medical devices, automotive vehicles, military hardware, certified aviation products, and marine equipment. These sectors are excluded because they are already governed by their own specific cybersecurity regulations.

Products explicitly covered by the Act include identity management system software, password managers, biometric readers, smart home assistants, and private security cameras. These items were highlighted by Members of the European Parliament (MEPs) during the initial proposal of the Act, underscoring the broad scope and impact of these new regulations.

The measures
These connected products will be placed in two different lists depending on their criticality and the level of cybersecurity risk they pose. Those which are considered high-risk will be extensively analysed by an independent body, while the rest will go through a less severe, internally managed assessment process.

Measures found under Articles 13 and 14, and Annex I, then come into play for all product types. These consist of several requirements, obligations and processes a manufacturer must follow in order to comply. For example, manufacturers will need to carry out a cyber risk assessment before any product is brought to market, and perform due diligence checks on any third-party components involved in development. Annex I specifically outlines the ‘essential’ cybersecurity requirements that must already be in place before commercialisation.

Further pressure is placed on manufacturers to manage any vulnerabilities that arise for the entirety of a product’s lifecycle. This must be done through regular testing and validation, patching, disclosure programmes and transparent documentation.

Ensuring compliance
If any non-compliance with the obligations listed above is detected, significant fines will be levied against businesses. For example, manufacturers would risk a fine of €15 million, or 2.5% of their annual turnover worldwide (whichever is greater), should they not align with the security requirements listed in Annex I. For other obligations within the Act, manufacturers, importers, and distributors would be required to pay €10 million or 2% of their total annual turnover worldwide (again, whichever is greater). Market surveillance authorities will be appointed by member states to enforce the CRA – and the fines – in each region.

These bodies will then work with the European Union Agency for Cybersecurity (ENISA), which, under the remit of the CRA, must be notified should any vulnerabilities be detected or an incident occur. Once the member state affected provides details of the incident, the Act will empower the Agency to assess the situation. If the risk is systemic, the Agency will then inform the other member states so preventative measures can be implemented immediately.

Setting security standards
As of July 2024, the Act is still awaiting formal adoption by the Council before it comes into law. However, actions are already being taken in preparation for this. ENISA has already published a report mapping current cybersecurity standards against the CRA’s requirements so businesses can implement these to better protect their devices and their customers. Once in force, the majority of the CRA will be applicable within 36 months.

TCG is delighted that the importance of standards to CRA compliance has been highlighted by ENISA. Though our own standards and specifications are not included within the report, pairing them with the recommended ENISA solutions can put businesses across Europe in a better position to be compliant with the Act once it is in force. Where cyber resilience is concerned, manufacturers should look no further than our own CyRes specification, which provides the fundamental security building blocks required by the European Union, while enabling devices and products to return to a trusted state should they become compromised.
