Preparing for the EU Cyber Resilience Act

Guest blog by Verona Johnstone-Hulse, UK Government Affairs and Global Institutions Engagement Lead at NCC Group

What is the Cyber Resilience Act (CRA)?

The imminent Cyber Resilience Act is set to introduce a wide-ranging framework governing the cybersecurity of digital products sold in the EU. The draft Act sets out essential cyber security requirements for the design, development, and production of "products with digital elements" (PDEs). Broadly speaking, PDEs refer to all hardware and software products with some exceptions, such as medical devices, national security, and vehicles regulated elsewhere.

Manufacturers, developers, and vendors will need to meet the CRA requirements before their product can be put on the market in the EU.

What are the requirements of the CRA?

All the essential requirements are set out in Annex I of the CRA, broadly covering:

Embedding Secure-by-Default principles from the outset
Ensuring the product does not have any known exploitable vulnerabilities
Implementing authentication and identity or access management systems
Protecting the confidentiality and integrity of data (e.g., through encryption or other technical means)
Protecting the availability of essential functions
Designing, developing, and producing products to limit attack surfaces, including external interfaces
Providing security-related information
Ensuring vulnerabilities can be addressed through security updates

It also sets out essential requirements for the vulnerability handling processes to be put in place (see Annex II) to ensure cybersecurity is considered for the whole life cycle of a product. This includes drawing up a software bill of materials (SBOM).

Products deemed "important" under the Act will be required to apply a relevant standard or undergo a third-party assessment to demonstrate their compliance.

Once the Act enters into force, the Commission will be able to direct standardisation organisations to draft harmonised standards for the essential requirements. This will build on work by the European agency ENISA, which has already been working on three cyber security certification schemes as part of the Cyber Security Act, including the EU's Common Criteria (EUCC) for ICT products, the Cloud Certification Scheme (EUCS), and the EU5G Certification Scheme.

For a small number of products considered "highly critical," manufacturers and vendors will have to gain mandatory EU certification before they can sell the product into the EU.

When will products have to be compliant?

Once the CRA is enacted, vendors, manufacturers, and developers will have 21 months to comply with the incident and vulnerability requirements and 36 months to comply with the remaining requirements.

Is the UK adopting similar laws?

Outside of the EU, governments are pursuing a mix of mandatory and voluntary measures to enhance hardware and software security standards. This includes the United Kingdom, where manufacturers of consumer IoT devices must comply with the requirements set out in the UK Product Security and Telecoms Infrastructure (PSTI) Act 2021.

The UK Government is also crafting and driving the uptake of Codes of Practices for Apps and App Stores and software security. While these Codes are voluntary at this stage, they could be mandated in the long term.

What do vendors, developers, and manufacturers need to do now?

While the compliance deadlines for vulnerability reporting and cyber security requirements are still at least 21 months and 36 months away, respectively, affected organisations must begin building security considerations into their product development cycles now. Failure to do so could mean that new products in development today will not meet the standards required to be sold into the EU market in a few years' time.

Breaking these regulations will not only make new products less secure but also come with a hefty cost. Non-compliance could result in fines of up to €15 million or up to 2.5 % of the organisation's total worldwide annual turnover for the preceding financial year—whichever is higher.

While the Act's coming into effect may seem some time away, manufacturers are advised to begin preparing for these legislative changes sooner rather than later.

Specifically, we recommend prioritising the following steps:

Determine which products within your portfolio will be introduced once the CRA comes into force. This includes any new products, as well as those which are due to have a substantial modification regarding (security) functionality.
For each product, determine which category they fall under and whether self-assessment, an independent conformity assessment, or certification is required.
Start creating a Software Bill of Materials (SBOM) for all software components in the product portfolio. Note that there is yet to be a consensus on the required depth of SBOM.
Create a process to monitor, fix and report vulnerabilities, aligning with existing standards such as ISO/IEC 29147:2018.

Now is an excellent time to ensure you are following best practices, adhering to the existing certifications introduced through the EU Cybersecurity Act, and making security a priority throughout the production process.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more