The Cyber Resilience Act of the European Union mandates cyber security for all hardware and software.
Political consensus over the upcoming Cyber Resilience Act (CRA) has been reached by the European Parliament and the European Council. The CRA, intended to benefit businesses and consumers throughout the European Union (EU), was first proposed by the European Commission in September 2022.
All hardware and software must now adhere to reasonable mandatory cybersecurity standards; the security requirements vary depending on the risk level of the product. In addition, the CRA lays forth manufacturers’ legal obligations to promptly deliver security updates to customers for several years following the date of purchase.
Since manufacturers will now have to be more accountable and transparent about the security of their products, the measures aim to provide users the power to make more informed and secure decisions.
The European Parliament and Council must now formally approve the agreement reached. The CRA will become operative after it is adopted and published in the Official Journal. The new requirements will take effect in 36 months for hardware and software product manufacturers, importers, and distributors; however, there will be a shorter grace period of 21 months for manufacturers to report incidents and vulnerabilities.
EU CRA seeks to manage supply chain risks related to software
Solving the growing security issues and risks related to the software supply chain is a primary goal of the EU CRA. “The products that are sold in the EU market should give consumers a sense of security. The Cyber Resilience Act, which was approved today, will guarantee that the digital products we use at work and home adhere to strict cybersecurity regulations,” according to Věra Jourová, vice president of the European Commission’s values and transparency division. “Those who release these goods onto the market ought to answer for their safety.”
According to Margaritis Schinas, vice-president of the European Commission for promoting our European way of life, “the EU CRA fills a gap by completing safety rules so that security by design applies to all products that reach EU consumers and users.” “Every connected product sold in the EU must comply with the new regulations, which ensure increased cybersecurity for our homes and businesses.”
Primary goals of the Cyber Resilience Act
To avoid duplication of requirements resulting from disparate laws in EU member states, the new law introduces cybersecurity requirements for the entire EU for the design, development, production, and marketing of hardware and software products.
This regulation will cover all products that are connected to a network or another device, whether directly or indirectly. Certain product categories—such as automobiles, medical devices, and aeronautical products—have specific cybersecurity requirements outlined in current EU regulations.
The proposal seeks to close any loopholes, make connections clear, and improve the coherence of the current cybersecurity laws. It does this by guaranteeing that digital products—such as “Internet of Things” (IoT) devices—are secure throughout their entire lifecycle and supply chain.
The regulation will also make it simpler for customers to recognize hardware and software products with the necessary cybersecurity features, enabling them to consider cybersecurity when choosing and using products that contain digital components.
The main ideas of the Commission’s proposal were kept
The broadly accepted wording upholds the main ideas of the Commission’s proposal, specifically about:
- regulations that shift the burden of compliance responsibility to manufacturers, who are required to fulfill specific duties such as supplying cybersecurity risk assessments, certifying products as compliant, and cooperating with the authorities
- vulnerability-handling obligations for manufacturers, and obligations for other economic operators such as importers or distributors, to guarantee the cybersecurity of digital products
- steps to increase business and consumer users’ access to information about the security of hardware and software
- a system of market surveillance to uphold the regulations.
In its conclusions of December 2, 2020, the Council emphasized the significance of evaluating, in the long run, the need for horizontal legislation to address all pertinent aspects of connected device cybersecurity, such as availability, integrity, and confidentiality, including defining conditions for placement on the market.
The Cyber Resilience Act was first introduced by Commission President von der Leyen in her September 2021 State of the Union address. It was referenced in the Council conclusions of May 23, 2022, on the evolution of the European Union’s cyber posture, and the Commission was asked to submit its proposal by the end of 2022.
The Commission proposed a cyber resilience act on September 15, 2022. This act will supplement the current cybersecurity framework in the EU, which consists of the EU Cybersecurity Act, the NIS directive, and the NIS 2 directive. The NIS directive addresses network and information system security.