Cyber Resilience Act: a companion to the NIS 2 Directive is on its way

With the Cyber Resilience Act (CRA), the EU wants to protect companies and consumers, especially those who use networked products, from cyber attacks and data leaks.

In an increasingly digitalized world, cyber attacks and data leaks pose a growing threat. With the Cyber Resilience Act (CRA), the EU wants to protect companies and consumers, especially those who use networked products, from these dangers. Here are the most important provisions of the CRA at a glance.

Objective of the Cyber Resilience Act

In today's digital world, products with digital components are ubiquitous, from baby monitors to smartwatches. These products carry significant security risks that are often not immediately apparent: any device that is connected to the internet in some way can have vulnerabilities that cyber criminals can exploit. Such vulnerabilities no longer affect only traditional IT systems, but increasingly also Internet of Things (IoT) devices used in households, businesses and even critical infrastructures such as energy supply or healthcare.

The Cyber Resilience Act was developed to address these challenges. Its main aim is to ensure that products with digital elements are designed, developed and maintained securely throughout their entire life cycle. This is intended not only to improve security for users, but also to strengthen trust in digital products and services.

Main elements of the Cyber Resilience Act

The Cyber Resilience Act sets out a number of requirements that manufacturers, importers and distributors of products with digital elements must meet. These requirements comprise both technical and organizational measures to ensure that products are resilient against cyber threats.

  1. Security requirements throughout the entire life cycle:
    Manufacturers must ensure that their products are developed securely and remain secure throughout their life cycle. This includes providing security updates and patches during the expected support period so that newly discovered vulnerabilities can be remediated.
  2. Transparency and information obligations:
    Companies must provide detailed information about the security properties of their products. This includes disclosing security vulnerabilities and the measures taken to fix them; in addition, actively exploited vulnerabilities and severe incidents must be reported to the competent authorities (ENISA and the national CSIRT). Users are to be informed about possible risks and about the manufacturer's security practices.
  3. Security assessments and certifications:
    The CRA stipulates that products must undergo a conformity assessment before they can be placed on the market; for products classified as important or critical, this assessment must be carried out by a third party. Because the regulation ties access to the EU internal market to these requirements, its scope is correspondingly broad. Once the CRA applies, the familiar CE mark will for the first time stand not only for safety in the sense of operational safety, but also for security in the sense of information security.
  4. Strict sanctions for violations:
    To ensure compliance, the Cyber Resilience Act provides for severe penalties for companies that violate the security requirements. In the event of a breach, the provision of a product on the market can be prohibited or restricted, and the competent market surveillance authority can order the product to be withdrawn from the market or recalled. The regulation also sets maximum fines (up to EUR 15 million or 2.5 % of worldwide annual turnover, whichever is higher, for breaches of the essential requirements); the detailed penalty rules are laid down in national legislation. This is intended to create an incentive for companies to invest in the security of their products and to keep them in line with the current state of the art.

Impact of the CRA on companies and consumers

The Cyber Resilience Act will have a significant impact on companies that manufacture, import or distribute products with digital elements. These companies must ensure that they have the technical and organizational resources needed to meet the new requirements, which may require additional investment in research and development and in security infrastructure.

For consumers, the Cyber Resilience Act means more security and transparency. They can rely on the products they buy meeting strict security requirements and on vulnerabilities being fixed promptly. This should increase confidence in digital products and could also become a competitive advantage for companies that offer particularly secure products.

Link tip: Cyber Resilience Act in the current version

CRA and NIS-2 Directive

As the European Commission emphasizes, the Cyber Resilience Act is intended to complement the NIS 2 Directive. The NIS 2 Directive sets out cyber security requirements for essential and important entities, including security measures in the supply chain and obligations to report security incidents, in order to increase the resilience of the services they provide.

The Commission expects that a higher level of cyber security in products with digital elements will also make compliance easier for entities falling within the scope of the NIS 2 Directive and will increase the security of the entire supply chain.

Reading tip: Implementation of the NIS 2 Directive in the EU - the current status

The Cyber Resilience Act was adopted by the European Parliament in March 2024 and, following formal approval by the Council, enters into force 20 days after its publication in the Official Journal of the EU. The main obligations for manufacturers apply 36 months after entry into force, i.e. from late 2027, by which time products placed on the EU market must comply; the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, 21 months after entry into force.
