
EU Cyber Resilience Act (CRA) - All you need to know in a nutshell

Jonatán Bodó
March 8, 2023 4 mins read

New regulations are always hard to digest. They are full of unfamiliar terms and can look intimidating, especially when they reach into your development and manufacturing process. We have collected the key points of the EU’s Cyber Resilience Act (CRA) so you know what is ahead.

What is cyber resilience?

Cyber resilience is about keeping products, and the people who use them, safe in the digital space. It spans a range of capabilities, from anticipating cyber attacks to recovering quickly when an attack succeeds. In everyday life much of this can seem remote, something we only read about in the news. However, with cybercrime estimated to have cost €5.5 trillion globally in 2021, it is only fair that these issues are addressed and that regulation is kept up to date on this topic as well.

Why do we need the Cyber Resilience Act (CRA)?

Times are changing and the number of connected devices is growing exponentially. The only thing keeping pace with that growth is the number of newly discovered security vulnerabilities. The EU already had a cybersecurity framework, and the new NIS2 Directive brings it up to date. The Cyber Resilience Act (CRA for short) complements the NIS2 Directive by making sure that connected devices do not fall through the cracks of the upcoming legislation when it comes to cybersecurity. The CRA aims to cover the products with digital elements that the previous legislative framework left out.

What is the impact of the CRA?

Let’s start with the where. The CRA will affect your business if you place products on EU markets. Its goal is to introduce common rules for this fragmented industry and get all IoT players on the same page in terms of cybersecurity. If you fall into one (or more) of these categories, your business will be affected:

  • IoT developer
  • IoT manufacturer
  • distributor of products with digital elements

My business is affected, what now?

No need to worry. The act pursues three main objectives:

  • enhanced security - first of all, developers and manufacturers must ensure that connected devices placed on the EU market are more secure by design than they are today
  • lifecycle management - second, manufacturers stay responsible for the cybersecurity of their devices after they leave the factory gates, so that security issues are addressed throughout the product’s whole lifecycle
  • informed customers - finally, consumers must be properly informed about the cybersecurity aspects of the devices they purchase and use

How much time do I have to comply?

The CRA proposal was published in September 2022 and it has a two-stage time frame to give the industry time to adapt. Which stage applies depends on the obligation:
  • manufacturers’ reporting obligations (notifying actively exploited vulnerabilities and incidents affecting their products) apply 12 months after the regulation enters into force
  • the remaining obligations, including the cybersecurity requirements on design, development and production and the duties of importers and distributors, apply 24 months after entry into force.

Additionally, manufacturers must keep the technical documentation and the EU declaration of conformity for a product, including records of corrective measures taken, for 10 years after the product is placed on the market.

Our take on the state of cybersecurity today

Having a common baseline for the IoT players affected by cybersecurity is definitely a step in the right direction. Before these regulations it was up to each manufacturer to decide which security measures to implement, and the resulting solutions were as diverse as the IoT landscape itself. But “diverse” does not mean sufficient: when it comes to security, the IoT sector has been lagging behind in an alarming way.

Despite the positive change, we are somewhat worried about the overlapping requirements of the upcoming legislation. This can lead to a situation where the required security steps are properly documented in reports and administrative paperwork but real-world security resilience is still lacking. At the end of the day, what matters for consumer safety is strong protection against practical exploitation.

Compliance is a very welcome first step, but creating truly secure IoT devices (and keeping them secure) will need more significant changes from every player in the industry. We built our cybersecurity tool with this in mind: regardless of the regulations or your place in the industry, it can be used in any situation to raise IoT cybersecurity across the board.
