
Building Cyber Resilience: The EU Cyber Resilience Act

April 18, 2023

The European Cyber Resilience Act (CRA) is a proposed regulation aimed at enhancing cybersecurity rules to ensure more secure hardware and software products.


The European Cyber Resilience Act (CRA) is a proposed regulation aimed at enhancing cyber security rules to ensure more secure hardware and software products. The regulation addresses the increasing number of successful cyber attacks against hardware and software products, with global costs predicted to surpass €7.4 trillion in 2023 alone. The CRA aims to create conditions for the development of secure products with digital elements, ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. 


As part of this proposal, there are plans to introduce a new audit model for CE markings, which will help ensure that products meet the necessary cyber security standards. Currently, CE markings are used to show that products fulfil the required health, safety, and environmental standards set by the EU. However, with the increasing prevalence of cyber threats, it has become clear that customers' security could also benefit from this model.


A Comprehensive Approach to Cyber Security 


The regulation sets out four specific objectives: 

  • Improve the security of products with digital elements from the design and development phase and throughout the whole development life cycle.
  • Facilitate compliance for hardware and software producers.
  • Enhance the transparency of the security properties of products with digital elements.
  • Enable businesses and consumers to use products with digital elements securely.


Under the Cyber Resilience Act, companies will be required to provide evidence that their products meet specific cyber security standards before they can be awarded a CE marking. This evidence will be provided through several means, including audits, whose depth will depend on how critical the cyber security aspect of the product is and on the potential damage to users if it is compromised. Products that provide security functions and that are used to manage critical systems and infrastructures are of particular interest. Assessments will be increasingly based on internationally recognised standards (e.g., IEC 62443) and will be carried out by accredited third-party organisations.


Additionally, the CRA enhances the transparency of security properties of products with digital elements, making it easier for businesses and consumers to select products with adequate cyber security properties. This is particularly important for critical systems, where the consequences of a cyber security breach can be severe. 


The CRA also ensures that businesses and consumers can use certified products securely by introducing essential objective-oriented and technology-neutral cyber security requirements for these products. This will increase the overall level of cyber security of all products with digital elements placed on the internal market, including critical systems. 


Far-Reaching with Room for Improvement 


Much like the General Data Protection Regulation (GDPR), which aims to protect the privacy of individuals within the EU, the CRA will apply to all kinds of software and hardware products, as long as they contain software components. Even though the regulation does not apply to service models such as Software as a Service (SaaS), the CRA does apply to all parts of a marketed solution, sold together or independently, including any remote data processing parts. The only significant exclusion from the regulation will be related to domains where more specific regulations already exist, such as the medical devices and healthcare industry (EU Regulations 2017/745 and 2017/746) or the automotive industry (EU Regulation 2019/2144), where requirements are much more stringent than those of the CRA.


In conclusion, the Cyber Resilience Act is an important regulation aimed at bolstering cyber security rules for hardware and software products. Its impact on critical systems is significant, as it seeks to ensure that products are developed with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. The act will help to prevent successful cyber attacks on all ranges of products, from household IoT devices to critical systems, and protect individuals, society, and the economy from the harm caused by cybercrime. 


About Critical 


We offer over 20 years of cyber security expertise, particularly in the domains of secure software development and in the design of cyber secure safety and business critical systems. We can help organisations in their roadmap to achieve compliance with CRA, through evaluation, assessment, and implementation. Get started today and organise a call by emailing [email protected].