Article

Cyber Resilience Act Summary

Does your product cybersecurity withstand the upcoming requirements?

What is the Cyber Resilience Act (CRA) about?

The CRA aims to protect consumers and businesses by introducing mandatory cybersecurity requirements. These requirements are designed for hardware and software products, with the purpose of reducing vulnerabilities in products placed on the market of the European Union. Because of these requirements, manufacturers are expected to keep their products secure for their whole life cycle, or for a period of 5 years from the placing of the product on the market.

The proposal of the European CRA was published on 15.9.2022. More detailed dates have not been announced.
 

What is the applicability of CRA?

The CRA is not sector specific. It applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This includes hardware, software (embedded and non-embedded) and ancillary services that are essential to product functionality, such as cloud services. Products that are out of scope include passive components such as cables, cloud services (if they are not ancillary services) and non-commercial activity.
 

Key points of CRA

  • Cybersecurity by Design: Products must be secure by design and by default, and must be delivered with no known vulnerabilities. Vulnerabilities must be addressed with security updates for the whole life cycle (max. 5 years). Encryption of data at rest and in transit is also mandatory.
  • Reporting Obligations: Within 24 hours, notify the European Union Agency for Cybersecurity (ENISA) about exploited vulnerabilities and about security incidents affecting the product. Without undue delay, notify the users of the product and suggest corrective measures. Users of the product must also be informed about the cybersecurity of the product.
  • Third Party Due Diligence: Due diligence is required when integrating components sourced from third parties.
  • Conformity assessments: Before placing a product with digital elements on the market, manufacturers must draw up the technical documentation and carry out or have the chosen conformity assessment procedures carried out for them.
  • CE marking: Products with digital elements should bear the CE marking to indicate their conformity with the regulation so that they can move freely within the internal market.
  • High-Risk AI Systems: The CRA has particular provisions regarding high-risk artificial intelligence systems, which will be defined by the AI Act (currently in draft).
  • Requirements for Different Stakeholders
    • For Manufacturers: Manufacturers must assess the cybersecurity risks associated with a product with digital elements. The outcome of that assessment must be taken into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimizing cybersecurity risks, preventing security incidents and minimizing the impacts of such incidents, including in relation to the health and safety of users.
    • For Importers: Importers shall only place on the market products with digital elements that comply with the essential cybersecurity requirements defined by CRA. For example, the imported products must be delivered with a secure by default configuration, including the possibility to reset the product to its original state.
    • For Distributors: In case a vulnerability in the product with digital elements has been identified, distributors must inform the manufacturer without undue delay about the vulnerability. If the digital elements present a significant cyber security risk, distributors must immediately inform the market surveillance authorities of the Member States in which the product has been made available on the market.

In case of non-compliance with the essential requirements, the fines will be up to 15 million EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.


Further steps with product security

The first step is to understand where your organization currently stands: not every organization offers products with digital elements, and for those that do not, the regulation sets no direct requirements. However, it is worth noting that many of the services and products your organization uses may be within the scope of the regulation. The regulation's requirements are important to take into consideration in supplier management, as they, for example, require notifying users of the product without undue delay; at the same time, the improved transparency on the security of hardware and software products benefits everyone.
Deloitte can help your organization address product-related cyber security by utilizing both your existing capabilities and our expertise. This approach identifies the necessary action points to help your organization take the correct steps to improve your product quality by making it more secure.

Examples of approaches:

Product cyber security assessment: Gain an overview of your current key development areas in product-related cyber security and gain a competitive advantage through more secure products.

Third-party security assessment: Assess whether the third parties providing your integrated components follow leading security practices in development and production.

Assessment against IEC 62443: This assessment compares the overlap between the Cyber Resilience Act and the IEC 62443 series of international standards, which address cybersecurity in automation, control systems and operational technology.

We at Deloitte are happy to discuss this further and provide more information on this matter.
