The goal of the EU Cyber Resilience Act (CRA) regulation is to ensure that the manufacturer employs appropriate processes so that the product is secure when placed on the EU market and that product security (compliance with the CRA) is maintained over the lifetime of the product.
The timeline

The CRA establishes a phased implementation approach and will be activated in two steps. The first step is planned to be activated in September 2026 and imposes reporting obligations related to actively exploited vulnerabilities and serious security incidents; this includes all products that are already placed on the EU market. The requirement to be fully compliant with the CRA will be activated in December 2027.
The scope
All products with digital elements, including hardware, software and remote data processing (applications and cloud services the product depends on that are produced by or under the control of the manufacturer of the product), are in scope of the CRA, with a few exceptions listed by the regulation.
This effectively means any product that is capable of communication has to be evaluated for compliance with the CRA.
Obligations of manufacturers
The CRA introduces a number of obligations for compliance. The manufacturers must ensure:
- The product is compliant with all essential requirements related to product security and vulnerability handling
- Product cybersecurity risk analysis is performed and documented on a regular basis over the product support period
- Due diligence when integrating components is exercised to ensure cybersecurity risks that may be introduced by the components are understood and if necessary mitigated
- Relevant cybersecurity aspects concerning the product are documented and sufficient information is provided to third parties (including known vulnerabilities)
- Vulnerabilities are handled during the product support period
- Actively exploited vulnerabilities and severe security incidents are reported within 24h
Product classification
The “core functionality” of the product determines the product classification. The majority of the products in scope of the CRA belong to the “default” class. These are all product categories that are not explicitly mentioned by the CRA as important or critical products.
There are two classes of “important products” listed by the regulation, Class I and Class II, plus an additional group of “critical products”.

Conformity assessment
Only products that belong to the default and Class I categories are allowed to be self-assessed by the manufacturer, following the module A assessment. The self-assessment of a Class I product is only possible if a harmonized standard providing presumption of conformity for the specific Class I product category exists.
The assessment of other product categories needs to involve a Notified Body (NB) and follow module B+C.
Another option is to follow module H and perform a process assessment with a NB to certify that the processes followed by the manufacturer ensure that any product produced by the manufacturer is CRA compliant.

Regardless of the product classification the manufacturer may always decide to involve a NB in the product assessment.
Standards
A number of CRA-related standards were requested to be developed in the standardization request targeted at CEN-CENELEC and ETSI. This includes three “horizontal” standards addressing process, vulnerability handling and a catalog of controls, plus a number of “vertical” standards requested for each of the important product classes.
All requested standards are to be harmonized, and some of them (the vulnerability handling standard and the vertical standards) are also expected to provide presumption of conformity, allowing manufacturers to perform self-assessment.
Product evaluation flow
The first step in the product evaluation is the definition of the core functionality of the product. This important step determines not only the class of the product and which assessment module can be followed, but also which specifications can be considered applicable.

The manufacturer of a product of the default class has the freedom to select any assessment module and use any specifications, provided that they cover all CRA requirements.
Product assessment
In order to prove conformity with the CRA, the manufacturer needs to be able to demonstrate that processes are employed ensuring that the product is secure and that the security of the product (compliance with the CRA) is maintained over the lifetime of the product. This includes all obligations listed by the CRA.
While the manufacturer has the freedom to select any specification or criteria to achieve compliance with the CRA, the best approach is to follow the specifications being developed by the European standardization organizations CEN-CENELEC and ETSI. These specifications are developed to cover the full scope of the CRA process and product requirements for all product classes.