The Cyber Resilience Act

In September 2022, the EU published a proposal for a new cyber security regulation called the CRA, which stands for Cyber Resilience Act. The Cyber Resilience Act aims to protect the market from products and software that have substandard security features or may pose a security risk. The Cyber Resilience Act will cover end-users, both businesses and consumers.

The Cyber Resilience Act -covers software and hardware

The proposal aims to set a new level of basic cybersecurity requirements for products that connect to the internet. The act includes IoT products, networking products, routers, etc. One of the main goals of the Cyber Resilience Act is to create the conditions for the development of secure products by ensuring that hardware and software products released on the market have fewer vulnerabilities. It obliges manufacturers to take security seriously by making them responsible for it throughout the product’s life cycle and up to five years after it has been put on the market. The second objective is to create conditions for users to take active action on cyber security when choosing and using products in this category. Users’ interests should be protected even after the manufacturer has delivered the product.

Different categories of products

Products and software will be defined in one of three different categories; regular, critical or very critical. The manufacturer’s control can assess the regular products without direct assessment by a control body. At the same time, manufacturers of regular products that take the CRA seriously will likely use external assessors.

Critical products

Critical products perform an essential security function, such as authentication, passage, intrusion or network protection. The definition is broad and includes network traffic monitoring systems, security information management systems and firewalls, and IoT devices if they are part of an alarm system.

In addition, IoT products may be considered critical if they play a central role in a broader system context or if they have the potential to harm several other connected products.

Highly critical products

Products could be considered highly critical if they meet both of the above criteria; in other words, they have an important security function and are central to an IoT environment from a broader perspective. This class includes virtual private networks (VPNs), industrial firewalls or industrial control environments.

A further group of products will be classified as ‘highly critical’ if they meet the dual condition of being used in a sensitive environment and central to managing a more extensive system. This product group includes integrated circuits, industrial automation and control systems, industrial IoT devices and smart meters for electricity and water.

The above are just a few examples that I consider relevant to my customers. The complete list of critical and highly critical products can be found in the annexe to the draft legislation.