The EU Cyber Resilience Act
Published just yesterday, the European Commission's proposal for a Cyber Resilience Act (CRA) sets out cybersecurity requirements that products with digital elements must meet throughout their entire lifecycle, from design through to the end of their support period.
The Act attempts to address the lack of transparency around the cybersecurity of products with digital elements; think Internet of Things devices such as Internet-connected doorbells, kettles and cameras.
Under the Act, manufacturers will be required to consider cybersecurity from the planning and design phases onwards. At launch, manufacturers will have to state clearly how long they intend to support the product, what kind of security support is provided and how quickly they will deliver security patches. Key to this aspect of the proposal is that manufacturers must handle vulnerabilities for the expected lifetime of the product or for five years from the product being placed on the market, whichever is shorter.
The Act also sets out a number of requirements around vulnerability management. Manufacturers must produce a software bill of materials (SBOM), in a commonly used and machine-readable format, covering at least the top-level dependencies of the product. When vulnerabilities arise, they must be addressed and remediated without delay, and once a fix is available the manufacturer must publicly disclose a description of the vulnerability, which products are affected and how end users can apply the remediation. Actively exploited vulnerabilities must additionally be reported to ENISA within 24 hours of the manufacturer becoming aware of them.
One of the most challenging aspects of vulnerability management is coordination with users. To address this, the Act sets out what information must accompany products with digital elements when they are sold. This includes the manufacturer's name and both its postal and email addresses, a specific point of contact for reporting cybersecurity concerns and vulnerabilities, and, where the manufacturer chooses to make it available to users, the location at which the SBOM can be accessed.
Here at Secora we believe that these pieces of information alone will go a long way in putting information about the security of the product into the hands of the consumer.
Products themselves are divided into three categories:
- Default category: products in the default category are subject to self-assessment, meaning that the manufacturers themselves verify and declare that they meet the requirements set out in the CRA. Examples of products in this category are devices such as the aforementioned doorbells, kettles and cameras.
- Critical Class I: products in Class I may still be self-assessed, but only where the manufacturer applies the relevant harmonised standards or common specifications; otherwise they must go through a third-party conformity assessment. Examples of products in this category include password managers and firewalls.
- Critical Class II: products in this class are considered the most critical covered by the Act and must always be assessed by a third party. Examples include industrial firewalls and operating systems for servers, desktops and mobile devices.
The proposal will now be examined by the European Parliament and the Council. If it is adopted, manufacturers will have two years from the Regulation entering into force to meet the new requirements, with one exception: the obligation to report actively exploited vulnerabilities will apply after one year.
This is only a snapshot of the content of the Cyber Resilience Act. You can read more about the Act on the European Commission website. We at Secora believe that this is a step in the right direction for a safer market. If you are concerned about the security of your products and services, contact us now to see how a partnership with Secora can help Secure your Success.
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.