The Cyber Resilience Act: A revolution in the world of IoT cybersecurity.

What is the CRA?

The EU’s Cyber Resilience Act (CRA) is a game-changing regulation with international ripple effects. It establishes a single set of cybersecurity standards for all digital products sold in Europe, including both hardware and software. This has an international impact, especially considering that a significant portion of the EU’s booming Internet of Things (IoT) market comes from Asian manufacturers.

With the ever-growing number of IoT devices, the CRA tackles the critical issue of poorly secured and vulnerable devices by mandating regular updates and ongoing support. This not only enhances security for European consumers but also pushes manufacturers worldwide to adopt a secure-by-design approach.

The EU’s CRA casts a global net. Within a few years, all IoT device makers selling in Europe, especially those in Asia, will need to comply. This means state-of-the-art cybersecurity built right in, not bolted on later. The good news? The CRA streamlines regulations, eliminating the compliance maze for manufacturers. It’s a win-win for secure innovation and a level playing field.

Why does cyber resilience matter?

Benefits for both businesses and consumers

Harmony

The regulation will ensure a harmonized approach to IoT device security within the EU, making it easier for manufacturers to comply with the requirements and avoiding overlapping regulations.

Security

The risk of cyber-attacks will be significantly lower, protecting businesses and consumers from potential data breaches, financial losses, and reputational damage.

Economy

Implementing cybersecurity features makes it possible to avoid the significant costs of handling data breaches, which can run into millions of dollars.

Reliability

With the increased security provided by the CRA, customer trust will grow, leading to increased demand for products with digital elements.

Profitability

This increase in demand can translate to higher profitability for manufacturers.

Transparency

The regulation will improve transparency by making clear information about a device easier to access, leading to better-informed purchasing decisions and greater customer satisfaction.

Privacy

Fundamental rights such as data protection and privacy will be better protected, since the data collected by IoT devices must be secured against potential breaches.

To whom does the CRA apply?

The Cyber Resilience Act applies to economic operators such as manufacturers, distributors, and importers who supply digital products within the European single market, regardless of their country of origin. The regulation requires that products with digital elements meet specific essential security requirements before they can be made available on the market. To comply with the CRA, manufacturers of digital products must take cybersecurity into account during the design and development phase of their products.

It is important to note that software provided as a service is not covered by the CRA. However, the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) and other sectoral legislation ensure that systems provided as a service or developed in-house, such as electronic health record (EHR) systems, meet equivalent technical requirements for cybersecurity and provide the same level of protection against cyber threats.

The legislation aims to guarantee higher levels of security for all wired and wireless devices that are connected to the internet, as well as for software available on the European single market, while mandating that manufacturers bear responsibility for cybersecurity throughout a product’s lifespan. It will also enable customers to receive accurate and comprehensive information about the cybersecurity features of their products. Within the next few years, the CRA will require all IoT device manufacturers operating in the European Union to comply with the regulation, ensuring that their devices are equipped with state-of-the-art cybersecurity features. By harmonizing the regulatory landscape, overlapping requirements will be avoided, making it easier for device manufacturers to comply.

Requirements and obligations

The Cyber Resilience Act imposes specific requirements and obligations on manufacturers of digital products.

The first is the obligation to take cybersecurity into account during the design and development phase of their products. This means that cybersecurity considerations must be integrated into the product development process rather than added afterwards.

Manufacturers must ensure that products meet the security requirements specified in the CRA, including provisions related to security by design and by default, risk management, incident management, and the protection of personal data.

Products must be updateable and patchable so that vulnerabilities discovered after release can be addressed. Information about a product’s cybersecurity features must also be provided to users in a clear and comprehensive way.

If a manufacturer becomes aware of a cybersecurity risk, they must take immediate action to address it, including notifying users and the European Union Agency for Cybersecurity (ENISA) within 24 hours. They must also cooperate with national authorities in investigating and resolving cybersecurity incidents related to their products.

Failure to comply with the Cyber Resilience Act can result in penalties and sanctions, such as fines of 15 million euros or 2.5% of annual turnover.