Cyber Resilience Act: What Does It Mean For Your Digital Business?
Last Updated on November 25, 2024
Software developers push thousands of lines of code every day, helping enterprises shape the tools and applications we all rely on, from banking to entertainment. However, we shouldn’t forget that behind every successful deployment lies a hidden challenge: what cybersecurity measures should be taken to protect the source code, hardware and software products, and critical company and customer data?
To help digital businesses address cyber threats and improve their cyber resilience, the European Commission proposed the Cyber Resilience Act (CRA). So, let’s take a sneak peek at what the CRA is, how to meet its requirements, and who actually has to follow the regulation.
EU Cyber Resilience Act: who is it for?
Before we jump into understanding what the CRA is, let’s figure out who this cyber legislation is for. Well, its reach is wide: from companies that operate within the European Union to those that operate outside it but supply their services or products to EU markets.
Digital technologies such as smart devices, operating systems, and software are all in the scope of the CRA. A broad range of industries, encompassing hardware and software manufacturers, Internet of Things (IoT) device providers, and developers of network-connected critical infrastructure, should follow the requirements of the Cyber Resilience Act.
Are there any exceptions?
Free and open-source software that is freely available and not generating income doesn’t fall under the Cyber Resilience Act.
The exception here is open-source software from which developers derive income, for example, through paid support or commercial data use; such software will need to comply with the CRA.
Also, pure SaaS providers that do not process remote data are excluded from the CRA and do not need to comply with the regulation’s requirements.
What the EU Cyber Resilience Act is
Proposed in 2022 by the European Commission and passed by the European Parliament in March 2024, the EU Cyber Resilience Act comes into force on December 10th, 2024. From that moment, organizations have 3 years to ensure that their services and products meet the CRA’s requirements in order to remain eligible to operate in the EU.
The main goal of this EU legislation is to address the low level of cybersecurity measures and the vulnerabilities that companies face. According to the CRA’s findings:
“European organizations are the most targeted in the world by cyber attacks… Attacks will cost US$ 10.5 trillion by 2025, a 15% increase in cost every year.”
The CRA’s key goals
Well, let’s sum up the top goals the European Commission pursues by adopting the legislation:
- Ensure higher levels of security for all internet-connected devices and software in the European single market
- Mandate manufacturers to maintain cybersecurity responsibility throughout a product’s life cycle
- Provide customers with accurate and comprehensive information about their products’ cybersecurity features
- Harmonize regulatory requirements to eliminate overlaps and simplify compliance for device manufacturers
The top benefits of complying with the Cyber Resilience Act
Why does the European Cyber Resilience Act matter? Let’s take a look at the benefits it brings to both businesses and their customers. The Cyber Resilience Act:
- ensures a unified approach to IoT security across the EU, simplifying compliance for manufacturers and avoiding regulatory overlap;
- reduces the risk of cyberattacks, safeguarding businesses and consumers from data breaches, financial losses, and reputational harm;
- helps prevent costly data breach incidents, potentially saving businesses millions;
- boosts customer trust through improved security, encouraging demand for secure digital products;
- provides clear, accessible information about devices, empowering customers to make informed choices;
- strengthens data and privacy safeguards, ensuring IoT-collected data is secure from breaches.
Risk-based classification of products and services
According to the associated cybersecurity risk level, the EU CRA divides products into a few categories:
- default or non-critical, which covers 90% of all the products on the EU market,
- important, which, in turn, is divided into Class I and Class II,
- and critical.
Default or non-critical products
As we have already mentioned, the majority of products, almost 90% to be precise, fall into this category. It includes products such as smart coffee makers or refrigerators, games, photo editing software, non-critical wearables like fitness trackers, and so on.
However, while they have lower risk, they are still subject to the general cybersecurity and vulnerability handling requirements of the CRA.
Important products
The EU Cyber Resilience Act divides important products into two categories. The first is Class I, which includes password managers, operating systems, identity management systems and privileged access management software, security information and event management (SIEM) systems, VPNs, boot managers, personal wearable and medical devices for health monitoring and for children, and so on.
Products in Class II carry a higher cybersecurity risk than those in Class I. Here we can mention tamper-resistant microprocessors and microcontrollers, firewalls, intrusion detection or prevention systems, antivirus and anti-malware software, etc.
Critical products
The most regulated group includes smartcards or similar devices that contain secure elements, secure hardware devices with security boxes, cryptoprocessors, and more.
What are your duties within the CRA?
The EU Cyber Resilience Act places a wide range of duties on hardware and software producers. These obligations span the entire product lifecycle, covering both cybersecurity requirements and vulnerability handling requirements. So, the essential requirements of the CRA include:
| Requirement | Explanation |
| --- | --- |
| Risk-based design | Ensure security based on the associated cybersecurity risks during the design, development, and production phases |
| No exploitable vulnerabilities | Products must be free of known exploitable vulnerabilities when released |
| Secure-by-default configuration | Offer a secure default configuration with reset options for tailored solutions |
| Security updates | Provide mechanisms for timely updates, including automatic updates with user opt-out options |
| Access control | Protect against unauthorized access using authentication and access management systems and appropriate control mechanisms |
| Data protection | Safeguard data confidentiality with encryption and other state-of-the-art methods |
| Data integrity | Prevent unauthorized modifications and report data corruption |
| Data minimization | Limit data processing to what is necessary for the product’s purpose |
| Function availability | Maintain essential functions after cybersecurity incidents using resilience measures |
| Minimized interference | Avoid negatively impacting the availability of other devices or networks |
| Attack surface limitation | Design to reduce external interfaces vulnerable to attacks |
| Incident mitigation | Use mechanisms to minimize the impact of incidents |
| Activity monitoring | Record internal activities like data access and modifications, with opt-out options for users |
| Data removal | Provide users the ability to securely erase data and transfer it securely when needed |
| Vulnerability documentation | Identify and document vulnerabilities with a software bill of materials |
| Rapid remediation | Address vulnerabilities without delay and provide security updates |
| Regular testing | Conduct periodic security tests and reviews |
| Public disclosure | Share information on fixed vulnerabilities, impacts, and mitigation steps post-update |
| Disclosure policy | Implement a coordinated vulnerability disclosure policy |
| Information sharing | Enable reporting of vulnerabilities through a dedicated contact channel |
| Update distribution | Ensure secure and timely updates, with security updates provided separately from functionality updates |
| Free security updates | Offer security updates free of charge, accompanied by clear advisory messages |
Meeting compliance – steps to take
Even though the EU Cyber Resilience Act will come into full force after December 11th, 2027, it’s already time to start thinking about how to meet the legislation’s requirements.
First, it’s important to understand which group (non-critical, important Class I or Class II, or critical) the digital product or service you provide falls into.
After that, it’s vital to assess your security measures and how they meet the EU CRA requirements. This way, you will be able to build a strategy to close these security gaps before the regulation takes full effect.
The EU CRA and other compliance regulations
The Cyber Resilience Act is a vital part of the European Commission’s strategy for improving and strengthening the cybersecurity posture of organizations that operate in the European Union. The regulation complements the NIS 2 Directive (Network and Information Security Directive), which came into effect on January 16th, 2023.
Though the CRA and NIS2 have a lot in common, they differ in scope. The Cyber Resilience Act addresses a wider range of digital products and services without any focus on particular industries or sectors. The NIS 2 Directive, on the other hand, focuses on particular industries and vital infrastructures.
It is worth mentioning that if an organization that provides software is already covered by the NIS2 Directive, it doesn’t need to comply with the CRA for features already covered there, as both the NIS2 and the CRA set out similar cybersecurity requirements under European regulation.
Moreover, if the organization already complies with the AI Regulation, it may also not need to comply with the CRA. Why? High-risk AI systems already covered by the AI Regulation do not need to meet the full CRA requirements unless features not covered by the AI Regulation are relevant.
The CRA and backup & Disaster Recovery
The EU CRA, like other stringent security regulations, requires organizations to react fast to disasters and ensure resilience in case of an incident. Here are just some quotes from the CRA’s Annexes:
“On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: […]
(k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; […]
(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;”
This means that properly built data protection measures, including backup and Disaster Recovery, are important for organizations to ensure their cyber resilience and business continuity.
With GitProtect backup & Disaster Recovery software for DevOps, digital companies can make sure that in any incident, they can restore their data quickly and eliminate data loss.