The Cyber Resilience Act (CRA)
Making connected products more secure
The Cyber Resilience Act (CRA) was published on 20 November 2024. This new EU regulation contains “horizontal cybersecurity requirements for products with digital elements”. In other words, it imposes minimum cybersecurity requirements for all connected products put on the EU market, making the so-called “internet of things” (IoT) more secure. The new rules will apply in all EU countries and will be implemented in phases. Ultimately, the CRA is expected to contribute to the CCB’s vision of making Belgium more cyber-secure by ensuring that its citizens and organisations, whether public or private, are less vulnerable to cyberattacks.
Why this regulation?
Citizens and organisations increasingly rely on connected products in their day-to-day activities. Just think of smartphones, smart cameras used for security purposes, smart meters used to optimise electricity production and consumption, etc. At the same time, many connected products put on the market still have low cybersecurity standards (e.g. weak default passwords, no encryption of data…), making them ideal targets for cyberattacks. Such small weaknesses can even cause severe supply-chain attacks in essential entities, with potentially severe impact for our entire economy and society. Because users are often not aware of the risks and are insufficiently equipped to protect themselves, the CRA is designed to ensure that manufacturers do their part in designing products that are more cyber-secure and in making it easier for users to maintain the products in a secure state throughout the whole product lifecycle.
What kind of “connected products” are subject to the CRA?
Products covered by the CRA range from low-cost consumer products to B2B software and high-end complex industrial systems. More specifically, “products with digital elements” are defined as products that can be connected to a device or network of some sort and include:
- hardware products with connected features, such as smartphones, laptops, home cameras, smartwatches and connected toys, but also modems, firewalls and smart meters,
- software not embedded in a product and sold on a standalone basis, for example accounting software and mobile gaming apps.
The following products are however not covered by the CRA requirements:
- non-commercial open source software,
- spare parts aimed at replacing identical components in connected products (provided they are manufactured based on the same specifications),
- prototypes presented at trade fairs (under certain conditions),
- unfinished software used for testing purposes for a limited period (under certain conditions),
- cloud services and software as a service (SaaS), which are regulated separately under the NIS2 Directive,
- products “developed or modified exclusively for national security or defence purposes” or specifically designed to process classified information,
- products covered by specific EU regulations such as medical devices, motor vehicles, marine equipment and products used for civil aviation.
Who is subject to the new rules?
All manufacturers placing products on the EU market must comply with the CRA even if they are based outside the EU. For instance, the CRA applies to a US developer selling a mobile app on European phones or to a Chinese manufacturer selling solar panels in Belgium.
The CRA primarily imposes obligations on manufacturers (in terms of design, conformity assessment of their products, reporting of vulnerabilities and incidents, transparency towards users…) to ensure that their products are secure before they are put on the EU market, but also afterwards throughout the whole lifecycle of the product.
The CRA also includes provisions affecting other operators such as importers, distributors, open source software stewards (such as foundations), conformity assessment bodies (CABs) and public authorities (national cybersecurity agencies, market surveillance authorities).
What are the main obligations for manufacturers of connected products?
The major novelty of the CRA is that it defines a minimum level of cybersecurity for all connected products that are available on the EU market – something that did not previously exist. For instance:
- In line with the principle of “cybersecurity by design”, connected products must be conceived with cybersecurity in mind, e.g. by ensuring that data stored or transmitted with(in) the product is encrypted, and that the attack surface is as limited as possible.
- In line with the principle of “cybersecurity by default”, the default settings of connected products must whenever possible contribute to reduce vulnerabilities, e.g. by prohibiting weak default passwords, by foreseeing an automatic installation of security updates, etc.
- In order to help users make purchasing decisions not only based on price and functionality but also based on the level of cybersecurity, the CRA enhances user transparency by requiring clear disclosure, on the product or its packaging, of the end-of-support date, i.e. the date until which the manufacturer commits to provide security updates.
- In order to support information-sharing on vulnerabilities and rapid fixes through patching, the CRA imposes the reporting of all actively exploited vulnerabilities, as well as severe incidents impacting the security of connected products, to public authorities, within 72h (with an early warning within 24h). To make the notification process easy for manufacturers and to ensure a secure and efficient sharing of the data among European Computer Security Incident Response Teams (CSIRTs) and ENISA, the CRA foresees the creation of a new single reporting platform with different national “end-points”.
Are the rules identical for all products?
Yes, and no. On the one hand, the CRA contains a single set of cybersecurity requirements that will apply to all connected products, no matter whether they are cheap or expensive, or whether they are used by individual consumers or by sophisticated business users. The requirements to report vulnerabilities and to clearly indicate the end of the support period on the product, for example, apply to all types of products.
On the other hand, the procedure to assess whether products are in conformity with the CRA rules is different for standard products and for products deemed more sensitive from a cybersecurity point of view. These products, called “important” or “critical” products, are listed in Annexes III & IV of the Regulation (e.g. password managers, firewalls, smartcards, smart meters…). They will have to undergo stricter conformity assessment procedures, e.g. by obtaining an EU cybersecurity certification (or corresponding national certification), by being assessed for compliance by a third-party auditor under the existing product legislation framework (NLF), or – in limited cases – by complying with harmonised standards recognised at European level to cover the CRA requirements.
What about open source software?
Importantly, non-commercial open source software, such as software whose source code is publicly available and which can be downloaded free of charge, is not subject to the CRA obligations, in recognition that many open source projects are based on the contribution of volunteers and that imposing strict legal obligations on such projects could risk undermining their very existence.
Other types of open source software are however distributed on a commercial basis and may be used on a large scale by individuals and organisations worldwide. Such software should be treated the same way as other commercial software and is thus subject to the same CRA requirements.
That said, the CRA foresees a special regime for commercial open source software maintained under a foundation model, in recognition that foundations typically act as “stewards” of open source projects and cannot be held liable for the work of individual developers. Under the special regime created by the CRA, open source software stewards will not have to undergo CRA conformity assessment procedures but will have to document their cybersecurity policy. They will also have to report severe incidents and vulnerabilities in which they are involved, and will be encouraged to take part in voluntary security attestation programmes.
Is there not a risk that small manufacturers will find it too burdensome to comply with the CRA?
In order to ensure that small and micro enterprises are not put at a disadvantage compared to larger firms, the CRA includes several provisions aimed at reducing the compliance burden for SMEs. Examples of such measures include the possibility for SMEs to use a simplified format for issuing the technical documentation of their products and the obligation for conformity assessment bodies to take a company’s size into account when determining the amount of fees to be paid for a conformity assessment.
Public authorities will also have a key role to play in supporting smaller manufacturers in their compliance efforts. The European Commission has committed to publishing CRA guidance specifically targeted at SMEs, while each EU country has to establish a dedicated channel for communication with micro- and small enterprises to respond to their queries and requests for advice on CRA implementation.
What will the CRA mean for consumers and business users of connected products?
Today, consumers usually find it difficult to know whether a connected product is sufficiently secure, or whether it can easily be hacked by third parties. Thanks to the CRA, European consumers will have the guarantee that the products they buy in the EU comply with minimum standards and do not have, for example, a major known vulnerability, or weak default settings.
But the CRA also empowers consumers to make more informed choices by requiring transparency from manufacturers on the level of cybersecurity offered by their products. One of the key novelties of the CRA is that it requires manufacturers to clearly indicate, on the product, on its packaging or on an easily accessible webpage, the date until when security updates will be provided for the product. In other words, users will be able to compare products not only based on their price and features, but also on the length of the support period – an important indicator to ensure that products can be used in a secure way during their expected lifetime.
What role does the CCB play in ensuring the CRA is correctly implemented?
By promoting cybersecurity by default and by design, by mandating the reporting of actively exploited vulnerabilities and by ensuring a sound patching process, the CRA will help the CCB achieve its vision of making Belgium one of the least vulnerable countries in the cyber domain. As the national authority for cybersecurity, the CCB:
- works to educate citizens and organisations on the importance of cybersecurity and to raise awareness about effective protection measures. As such, it will support awareness of and compliance with the CRA, with a special focus on small manufacturers and developers. For instance, the National Coordination Centre (NCC-BE) will inform Belgian market players about EU funding opportunities as well as trainings and tools available to support CRA implementation.
- acts as the computer security incident response team (CSIRT) for Belgium, receiving vulnerability and incident notifications from organisations, whether these are required by law or optional. In the context of the CRA, the CCB will connect to the future single reporting platform to be developed by ENISA to collect vulnerability and incident reports from manufacturers of connected products subject to the CRA notification requirements.
- acts as the National Cybersecurity Certification Authority (NCCA). In this capacity, the CCB actively contributes to the development of CRA standards and has a role in the oversight of the CRA conformity assessment framework – which in some instances will involve a cybersecurity certification.
When will the CRA enter into force?
The CRA officially enters into force 20 days after its publication, i.e. on 10 December 2024. Because it is an EU regulation and not a directive, it is directly applicable in all EU countries without the need for national transposition. A transition period is however foreseen to ensure that economic operators have sufficient time to adapt to the new requirements. The implementation of the CRA will thus occur in different phases from the end of 2024 to 2027:
- 18 months after the CRA has entered into force, conformity assessment bodies (CABs) will be authorised to assess the conformity of products with the CRA requirements.
- 3 months later, manufacturers of connected products will be subject to the mandatory reporting obligations for vulnerabilities and incidents.
- Finally, 3 years after the CRA has entered into force, all CRA requirements will apply, including essential cybersecurity requirements before putting a product on the market, vulnerability handling during the whole lifecycle of the product, and transparency towards users.