Set to come into force on December 10, 2024, the European Cyber Resilience Act defines cybersecurity requirements for hardware and software products with digital elements sold in the EU. What does the Cyber Resilience Act mean for cybersecurity professionals?
The latest piece of European legislation intended to update and account for modern technology and rapidly evolving use of it is set to come into force on December 10th, 2024.
The European Cyber Resilience Act, better known as CRA, takes European legislation that impacts cybersecurity beyond end users and end-user organizations. It is instead aimed at the vendor community, outlining a new set of legal compliance requirements for those producing and selling hardware and software with “digital elements” within the European Union (EU). With hardware and software, especially in connected environments, seen as avenues for cyberattacks, there is a need to ensure that products sold in the region do not prematurely become a weak point that can be exploited by bad actors. A cybersecurity incident affecting one product can impact a wider organization, a supply chain or even a home.
The act seeks to harmonize and update legislation, replacing disparate and varied local pieces of legislation, to create one pan-European approach serving as a level framework to follow and a singular approach to enforcing cybersecurity minimum requirements for a range of technology sold within the EU.
“The CRA will drive product security (or security of product) as a baseline requirement, which is part of general good cyber hygiene,” explained Jon France, CISSP, CISO of ISC2.
What are Digital Elements?
Products with “digital elements” covers quite a broad spectrum. For end-user devices, this includes computers, smartphones and similar mobile devices, routers, switches, sensors and cameras, a range of smart devices including smart robots, smart utility meters and smart speakers. Also of note is that it includes industrial control systems. Other hardware that falls under the prevue of the act includes processors and graphics cards.
On the software side, the CRA applies to device firmware, operating systems, mobile and desktop software, software libraries and app stores, as well as computer games.
“One of the key outcomes of this legislation that I see is as a positive is the commitment it will ensure to support a product with updates across a clear lifespan, a critical move forward in ensuring that products don’t become vulnerable once purchased/deployed,” France added.
This was a point that was also echoed by some of our European members that we spoke to ahead of the CRA coming into force.
“The CRA is poised to significantly enhance the digital landscape by promoting secure development practices that bolster overall cybersecurity posture and foster a more resilient digital ecosystem,” said ISC2 member Dimitris Georgiou, CISSP, CSO at Alphabit Security.
“By ensuring safer and more secure products, the CRA is expected to build trust and confidence in available digital technologies. Its standardized cybersecurity framework will harmonize compliance requirements, reducing burdens on organizations while encouraging innovation,” he added.
The Impact on Cybersecurity Professionals
The reach of the CRA is quite wide. While it is predominantly aimed at those responsible for the production and sale of products and services covered by the Act, this in turn will have knock-on implications for cybersecurity professionals within end-user organizations, as well as even having positive implications for end users by ensuring a greater degree of on-going cybersecurity support and improvement. Users of CRA compliant products and services will ultimately benefit from greater transparency and security, whereas non-compliant products potentially face greater risks in relation to data breaches, fraud, and privacy violations.
“The CRA emphasizes proactive risk management, requiring organizations to identify and address vulnerabilities early in the product lifecycle, thereby reducing the risk of exploitation. Collectively, these measures aim to minimize the attack surface and help prevent costly and disruptive cyber incidents,” Georgiou noted.
ISC2 participated in the public consultation that gathered expert feedback as part of the development of the act. With the CRA about to come into force, ISC2 considers the final legislation to be an important and positive step in improving and standardizing the cybersecurity baseline for a wide variety of hardware and software that we now rely on in day-to-day organization operation, including in our digital supply chains and in the safe and secure provision of services to end users across business and consumer environments.
“Most of the larger organizations are likely to be ready for the CRA to come into force. However, in the shorter term, if producers and creators are not ready now, they will face significant pressure to get to a compliant state quickly,” France said.
Maintaining Product Lifecycles
For smaller organizations, the CRA may result in an increased cybersecurity support and development overhead for any products they produce or sell. It is important to note that the CRA applies to all covered products sold in the EU, regardless of the size or resources of the organization behind them.
“Smaller organizations may face challenges in meeting the stringent requirements of the CRA. Providing sufficient support, such as technical assistance and clear guidance, is essential to help these organizations achieve compliance without hindering product development and innovation,” Georgiou said. “Failure to comply with the CRA can result in severe consequences, including substantial financial penalties, market bans on non-compliant products, reputational damage from negative publicity, the loss of customer trust and legal liability for damages caused by insecure products.”
The CRA emphasizes proactive risk management, requiring organizations to identify and address vulnerabilities early in the product lifecycle, thereby reducing the risk of exploitation. Collectively, these measures aim to minimize the attack surface and help prevent costly and disruptive cyber incidents.
Related Insights