Cyber Resilience Act
With the Cyber Resilience Act (CRA), the EU regulates the cybersecurity of products that have a direct or indirect connection to a network or a network-capable device.
A product with digital elements must meet the requirements of the CRA from development to disposal. The granting of the CE marking is now tied to meeting the requirements of the CRA.
The EU has set a tight timeframe for the introduction and implementation of these regulations:
– From September 2026, there is an obligation to report vulnerabilities and security incidents
– From December 2027, all requirements of the CRA must be implemented and met
Failure to comply with the CRA regulations may result in substantial fines.
According to Article 33, there will be training and support measures for micro-enterprises, small and medium-sized enterprises, and start-ups (see https://cyber-resilience-act.de/cra/kapitel-3/artikel-33-2/). Various companies, the Chamber of Industry and Commerce, and the BSI also offer support in implementing the CRA (see https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html).
Manufacturers and distributors must classify affected products and issue a declaration of conformity. This certificate can be created either by the manufacturer itself or by a “designated body”. A “designated body” is any competent consultant who is professionally capable of carrying out a risk assessment (e.g., testing organizations such as TÜV).
Crucial for this classification, as well as for the testing and certification of conformity, is the categorization of the product into one of the risk classes listed in Annex III of the CRA, which names the respective products for each class:
– Products with digital elements
– Important products Class I
– Important products Class II
– Critical products
https://cyber-resilience-act.de/anhaenge/anhang-iii/
Already during product development, manufacturers must identify and address potential cybersecurity risks as part of the risk assessment. According to the principle of “secure by design”, networked products must be developed with cybersecurity requirements taken into account from the outset.
Data stored on or transmitted by the product must be encrypted and protected as far as possible. The default settings of networked products must contribute to increasing their security. This requirement can be met, for example, by mandatory strong default passwords or by automatically installing security updates (free of charge for the user). Vulnerabilities must be addressed during product development itself; tools for creating a Software Bill of Materials (SBOM) must therefore be integrated into the development process. An SBOM lists all libraries and other software components built into the product. The CRA mandates the creation of an SBOM, and it must be maintained by the respective manufacturer.
To be able to act correctly, affected companies should clarify as early as possible who in the company is responsible for cybersecurity, because the process prescribed by the CRA ties up personnel and financial resources.
In a cross-functional team with employees from product development through to sales, the product portfolio should be examined for commonalities and for potential risks and vulnerabilities. This also offers the opportunity to identify risks that affect several products at once and to eliminate them efficiently.
It is therefore part of a company's due diligence to continuously check all of its processes for possible risks, dangers, and vulnerabilities. Each of these checks must also be comprehensively documented.
Immediate action is mandatory when a vulnerability is detected.
If a vulnerability has been exploited through unauthorized access, it must be reported to the responsible authorities within 24 hours to limit the damage caused. Customers must be informed immediately, and tools for closing the security gap must be developed and provided without delay.