
What Is the Cyber Resilience Act (CRA) and Who Does It Apply To?


European organizations are the most frequently targeted by cyberattacks in the world. There will be 30.2 billion IoT devices by 2030, a 108% increase over today’s 14.5 billion devices. The Cyber Resilience Act raises the cybersecurity standards for products that contain a digital component, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products.

The act aims to safeguard consumers and businesses that buy software or hardware products with a digital component. It addresses the inadequate cybersecurity of many products and the lack of timely security updates. It also aims to address the difficulty users face in deciding which products are cyber secure and how to set them up securely.

Who Does the CRA Apply To? 

The Cyber Resilience Act is a disruptive piece of legislation that applies across industries. It applies primarily to manufacturers, importers, and distributors of products with digital elements placed on the European Union (EU) market. Products with digital elements include hardware products, software products, and remote data processing solutions.

Products that are affected by CRA include:

  • Connected devices: smart appliances, IoT devices, wearables, smart home devices
  • Software applications: operating systems, mobile apps, desktop 
  • Other networking hardware: routers and switches

Key Requirements Under the CRA

The Cyber Resilience Act sets out key requirements for manufacturers of products with digital elements. These requirements include:

Secure-by-design principles

  • Products must be designed and developed with security at the forefront, ensuring an adequate level of cybersecurity.
  • Products must be delivered with a secure default configuration to minimize the risk of vulnerabilities.

Mandatory cybersecurity assessments and risk management

  • Manufacturers must perform a risk assessment to identify and mitigate cybersecurity risks.

Incident reporting obligations

  • Manufacturers must report cybersecurity incidents promptly to the relevant authorities.

Obligations for software updates and vulnerability handling

  • Manufacturers must provide security updates throughout the product’s support period to address vulnerabilities.
  • Manufacturers must maintain public archives of software versions and inform users about the risks of using unsupported software.

Documentation and compliance responsibilities

Manufacturers must meet documentation and compliance responsibilities, including:

  • Technical documentation covering the description of the product, its design, development, and production processes, the vulnerability handling process, the cybersecurity risk assessment, and a description of the security measures applied.
  • An EU Declaration of Conformity, which confirms that the essential requirements of the CRA have been met.
  • A Software Bill of Materials (SBOM), which provides a detailed listing of the product’s software components and their known vulnerabilities.
  • Information and instructions for the user that provide clear, user-friendly information about the product’s security features.
  • CE marking, which indicates that the product complies with CRA requirements.

Timeline for Compliance

The Cyber Resilience Act was adopted by the European Council on October 10th, 2024 and entered into force on December 10th, 2024. The CRA gives manufacturers, importers, and distributors a 36-month grace period, counted from the date it entered into force, to adapt to the new requirements. The incident and vulnerability reporting obligations have a shorter 21-month grace period from the same date.

The main obligations of the act will therefore not be enforced until December 11th, 2027, while the incident reporting requirements apply from September 11th, 2026.

What Happens If You Don’t Comply?

Organizations that do not comply with the requirements of the Cyber Resilience Act face several consequences, including:

Penalties and fines for non-compliance

Non-compliance can lead to substantial fines of up to €15 million or 2.5% of global annual turnover, whichever is greater. Non-compliant products may also face market restrictions, including bans or product recalls, and authorities can order companies to stop selling non-compliant products or to correct them.

Reputational and operational risks

Non-compliant companies also risk their reputation with customers, since non-compliance signals a lack of commitment to adequate security. This can reduce sales and threaten the company’s ability to operate.

Ultimately, non-compliance with the Cyber Resilience Act threatens the long-term success of the company. Significant fines are one possible outcome, but non-compliant companies are also likely to erode customer trust and face market restrictions that limit their ability to operate.

How to Prepare for the Cyber Resilience Act

Businesses can prepare for the Cyber Resilience Act in several ways. To begin with, companies can conduct a cybersecurity audit of their products and supply chain. This helps identify vulnerabilities, supports compliance, and improves incident response.

Companies should also implement secure development and update practices, integrating security considerations throughout the entire software development lifecycle.

It’s also critical that companies establish or strengthen their vulnerability management processes. These processes are essential for improving security, reducing the risk of cyberattacks, and meeting compliance requirements.

Investing in compliance tools and expertise will also be necessary to prepare for the CRA. The right tools and expertise bring greater operational efficiency, improved transparency, and reduced security risk.

Companies must also train their teams on regulatory expectations, so that everyone understands the requirements set by the CRA and the practices expected to maintain compliance.

How YobiHouse Can Help

YobiHouse provides a variety of services to help businesses protect themselves from cyberattacks. We support businesses with cybersecurity strategy and compliance so that your business is ready ahead of the Cyber Resilience Act. Some of the services we offer include:

  • Risk assessments: Our risk assessment gives organizations a roadmap for navigating evolving cyber risks.
  • Secure software development consulting: We focus on integrating security considerations into every stage of the software development lifecycle.
  • Reporting mechanisms: Incident reporting is a critical component of CRA. We provide reporting mechanisms to document and share information about security incidents.

Prepare Your Business for the Cyber Resilience Act

Understanding and preparing for the Cyber Resilience Act is crucial for organizations selling or distributing products, as this act sets a new standard for product cybersecurity.

Companies that implement security-by-design principles and proactively address vulnerabilities can ensure compliance, avoid penalties, minimize risks, and maintain trust with customers.

Enhancing cybersecurity begins with the right team that takes a holistic approach to cybersecurity. Get your organization CRA-ready by contacting YobiHouse for help.
