Questions and answers on the Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is expected to enter into force in the fall of 2024. Here are some preliminary answers to the most frequently asked questions about this new European regulation and how it will be applied in Belgium. Please keep in mind that the guidance provided here is for informational purposes only and is not intended as legal advice. The legal text of the CRA, once published, will prevail over any of the explanations provided here.
What is the CRA?
The Cyber Resilience Act is the first European regulation that imposes minimum cybersecurity requirements for all connected products put on the EU market. Its objective: making the so-called “internet of things” (IoT) more secure. The new rules will apply in all EU countries and will be implemented in phases. The CRA is ultimately expected to contribute to the CCB’s vision of making Belgium more cyber-secure by ensuring that its citizens and organisations, whether public or private, are less vulnerable to cyberattacks.
Citizens and organisations increasingly rely on connected products in their day-to-day lives. At the same time, many connected products put on the market still have low cybersecurity standards (e.g. weak default passwords, no encryption of data, difficult update processes…), making them ideal targets for cyberattacks. Because users are often not aware of the risks and are insufficiently equipped to protect themselves, the CRA is designed to ensure that manufacturers do their part in designing products that are more cyber-secure and in making it easier for users to keep the products in a secure state throughout the whole product lifecycle.
What kind of “connected products” will be subject to the CRA?
Products to be covered by the CRA range from low-cost consumer products to B2B software and high-end complex industrial systems. More specifically, “products with digital elements” are defined as products that can be connected to a device or network of some sort and include:
- hardware products with connected features, such as smartphones, laptops, home cameras, smartwatches and connected toys, but also modems, firewalls and smart meters,
- software not embedded in a product and sold on a standalone basis, for example accounting software, online games and mobile apps.
Products NOT subject to the CRA requirements include non-commercial open source software, cloud services and software as a service (SaaS), the latter two already being regulated under the NIS2 Directive.
Who is subject to the new rules?
All manufacturers placing products on the EU market will have to comply with the CRA even if they are based outside the EU. For instance, the CRA applies to a US developer selling a mobile app on European phones or to a Chinese manufacturer selling solar panels in Belgium. Moreover, distributors and importers of connected products will also have to ensure compliance.
What will the new requirements be?
The major novelty of the CRA is that it defines a minimum level of cybersecurity for all connected products that are available on the EU market – something that did not previously exist. For instance:
- In line with the principle of “cybersecurity by design”, connected products will have to be conceived with cybersecurity in mind, e.g. by ensuring that data stored or transmitted with(in) the product is encrypted, and that the attack surface is as limited as possible.
- In line with the principle of “cybersecurity by default”, the default settings of connected products must, whenever possible, contribute to reducing vulnerabilities, e.g. by prohibiting weak default passwords, by providing for the automatic installation of security updates, etc.
- In order to help users make well-informed purchasing decisions, i.e. not only based on price and functionality, but also based on the level of cybersecurity, the CRA enhances user transparency by requiring, among other things, clear disclosure, on the product or its packaging, of the end of support date, i.e. the date until when the manufacturer commits to provide security updates.
- To support information-sharing on vulnerabilities and rapid fixes through patching, the CRA will require the reporting of all actively exploited vulnerabilities, as well as severe incidents impacting the security of connected products, to public authorities, within 72h (with an early warning within 24h). To make the notification process easy for manufacturers and to ensure a secure and efficient sharing of the data among European Computer Security Incident Response Teams (CSIRTs) and ENISA, the CRA foresees the creation of a new single reporting platform with different national “end-points”.
Will the rules be identical for all products?
Yes, and no. On the one hand, the CRA contains a single set of cybersecurity requirements that will apply to all connected products, no matter whether they are cheap or expensive, or whether they are used by individual consumers or sophisticated business users. The requirements to report vulnerabilities and to clearly indicate the end of the support period on the product, for example, will apply to all types of products.
On the other hand, the procedure to assess whether products are in conformity with the CRA rules will be different for standard products and for products deemed more sensitive from a cybersecurity point of view. These products are called “important” or “critical” products and are listed in Annexes III & IV of the Regulation (e.g. password managers, firewalls, smartcards, smart meters…). They will have to undergo stricter conformity assessment procedures, e.g. by obtaining an EU cybersecurity certification (or corresponding national certification), by being assessed for compliance by a third-party auditor under the existing product legislation framework (NLF), or – in limited cases – by complying with harmonised standards recognised at European level to cover the CRA requirements. The EU is now working on developing the necessary standards for these products.
What about software?
Importantly, non-commercial open source software is not subject to the CRA obligations, in recognition that many open source projects are based on the contribution of volunteers and that imposing strict legal obligations on such projects could risk undermining their very existence.
Other types of software distributed on a commercial basis will however be treated the same way as closed-source commercial software and thus be subject to the same CRA requirements. As an exception to this category, the CRA foresees a special regime for commercial open source software maintained under a foundation model, in recognition that foundations typically act as “stewards” of open source projects and cannot be held liable for the work of individual developers.
However, since so many commercial products heavily rely on free and open source software, the CRA closes the loophole by obliging manufacturers (or distributors or importers) of these products to make sure that the open source software they use is secure. In this manner, the possibility of supply chain attacks is limited.
Is there not a risk that small manufacturers will find it too burdensome to comply with the CRA?
In order to ensure that small and micro enterprises are not put at a disadvantage compared to larger firms, the CRA includes several provisions aimed at reducing the compliance burden for SMEs. Examples of such measures include the possibility for SMEs to use a simplified format for issuing the technical documentation of their products and the obligation for conformity assessment bodies to take a company’s size into account when determining the amount of fees to be paid for a conformity assessment.
Public authorities will also have a key role to play in supporting smaller manufacturers in their compliance efforts. The European Commission committed to publish CRA guidance specially targeted at SMEs, while each EU country has to establish a dedicated channel for communication with micro- and small enterprises to respond to their queries and requests for advice on CRA implementation.
The CRA foresees the creation of a single platform for the reporting of vulnerabilities at European level. Will this not make it easier for malicious actors to find and exploit weaknesses?
First, it is important to stress that manufacturers will only have to report actively exploited vulnerabilities to the single reporting platform. This means that the vulnerabilities notified under the CRA will already have been used by malicious actors to perform cyberattacks.
Secondly, the purpose of the single reporting platform is to ensure a smooth and efficient transmission of information on vulnerabilities and incidents between national cybersecurity agencies (Computer Security Incident Response Teams, CSIRTs), and with ENISA. The platform will not store sensitive information about, for example, unpatched vulnerabilities. Several technical, operational and organisational safeguards will be put in place to ensure that the platform is developed and operates in a fully secure manner, with special attention given to the confidentiality of the data transmitted.
Finally, the single reporting platform established by the CRA should not be confused with the European vulnerability database established by the NIS2 Directive.
What will the CRA mean for consumers and business users of connected products?
Today, consumers usually find it difficult to know whether a connected product is sufficiently secure, or whether it can easily be hacked by third parties. Thanks to the CRA, European consumers will have the guarantee that the products they buy in the EU comply with minimum standards and do not have, for example, a major known vulnerability, or weak default settings.
But the CRA also empowers consumers to make more informed choices by requiring transparency from manufacturers on the level of cybersecurity offered by their products. One of the key novelties of the CRA is that it requires manufacturers to clearly indicate, on the product, on its packaging or on an easily accessible webpage, the date until when security updates will be provided for the product. In other words, users will be able to compare products not only based on their price and features, but also on the length of the support period – an important indicator to ensure that products can be used in a secure way during their expected lifetime.
When will the CRA enter into force?
Because the CRA is an EU regulation and not a directive, it will be directly applicable in all EU countries without the need for national transposition. A transition period is however foreseen to ensure market operators have sufficient time to adapt to the new requirements. The European Parliament has already voted on a preliminary version of the text. Following a legal-linguistic review, the Act is expected to be officially voted into law by the newly elected European Parliament and by the Council of the EU at the end of the summer of 2024. The final text will then be published in the Official Journal of the EU and will enter into force 20 days later. The implementation of the CRA will then occur in different phases from the end of 2024 to 2027:
- 18 months after the CRA has entered into force, so probably not before the spring of 2026, conformity assessment bodies (CABs) will be authorised to assess the conformity of products with the CRA requirements.
- 3 months later, so probably around the summer of 2026, manufacturers of connected products will be subject to the mandatory reporting obligations for vulnerabilities and incidents.
- Finally, 3 years after the CRA has entered into force, so not before the fall of 2027, all CRA requirements will apply, including the essential cybersecurity requirements to be met before putting a product on the market, vulnerability handling during the whole lifecycle of the product, and transparency towards users.