What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is a regulation that defines harmonized rules within the European Union to ensure that equipment manufacturers develop and maintain cybersecure hardware and software products.
Validated in March 2024 by the European Parliament, it will prescribe various additional cybersecurity activities to equipment manufacturers for the launch and maintenance of their existing and future products (articles 14 & 54).
It therefore includes:
- Categories defining eligible products by level of criticality.
- Requirements for designing, developing, and launching secure products on the market.
- Requirements for monitoring and patching security vulnerabilities throughout the product lifecycle.
- Documentation and reporting requirements regarding security activities and risks.
- Financial penalties in case of non-compliance.
Why was the Cyber Resilience Act introduced?
In 2021, according to the European Commission, the worldwide annual cost of cyberattacks on hardware and software products was approximately 5.5 trillion euros.
The causes are multiple:
- The lack of security updates for products on the market.
- The lack of information and awareness surrounding cybersecurity best practices and risks.
The objectives of the European Union with this regulation are to:
- Ensure that OEMs improve the security of their products from the conception phase until the end of their lifecycle.
- Ensure a coherent set of rules within the European borders – not fragmented between the countries of the Union.
- Improve transparency on product security levels.
- Protect organizations and end-customers.
All this while respecting equipment manufacturers’ intellectual property.
The EU estimates that the CRA will help reduce cyber threats and save more than 180 billion euros each year for organizations by limiting the number of cybersecurity attacks.
What is the Cyber Resilience Act timeline?
To give device makers time to adapt to the new regulation, they have 36 months from the regulation's entry into force (planned for September/October 2024) to organize themselves and make the necessary adjustments.
However, reporting obligations for actively exploited vulnerabilities and incidents will begin 21 months after the regulation takes effect, and declarations to national conformity assessment bodies will be required 18 months after the regulation’s start date.
What are the risks of non-compliance?
Non-compliance with the Cyber Resilience Act carries significant consequences for equipment manufacturers. Directive 85/374/EEC complements this regulation by establishing rules on liability for defective products, ensuring that victims can seek redress for damages caused by such products. Manufacturers are held strictly liable for damages resulting from security flaws in their products. Failure to provide necessary security updates after a product's release on the market could therefore expose manufacturers to liability.
Financial penalties
Failure to meet cybersecurity requirements may result in administrative fines of up to €15,000,000 or 2.5% of the company’s total annual worldwide turnover for the previous fiscal year.
Providing inaccurate, incomplete, or misleading information to notified bodies and market surveillance authorities in response to inquiries may incur fines of up to €5,000,000 or 1% of the company’s total annual worldwide turnover for the previous fiscal year.
The amount of the fine will depend on the nature, severity, and duration of the violation and its consequences, whether administrative fines have been previously imposed by other market surveillance authorities on the same operator for a similar offense, and the size and market share of the operator committing the violation.
Product recall
If products do not adhere to the regulation, the Commission may request an assessment by ENISA. Based on this evaluation, the Commission may adopt corrective or restrictive measures at the Union level, including product recalls, within a reasonable timeframe proportional to the risk. However, this is an exceptional measure, taken only when the competent national authorities fail to address the situation effectively.