An overview of EU's Cyber Resilience Act  

What is the CRA (Cyber Resilience Act)?  

The EU Cybersecurity Resilience Act (CRA) is an EU cybersecurity regulation proposed by the European Commission on September 15, 2022. Its objectives include:   

• Enhancing security in wired and wireless products connected to the internet.  
• Maintain its responsibility to manufacturers for the cybersecurity of a product throughout its lifecycle.  
• Properly informing consumers about the cybersecurity features of the products they purchase and use.  

The Cyber Resilience Act mandates that products with digital elements will only be made available on the EU market if they meet specific essential cybersecurity requirements specified in CRA-Annex I.   

What type of products are included in the CRA? 

The EU Cyber Resilience Act applies to a broad range of digital products. This includes consumer electronics like smartphones and laptops, Internet of Things (IoT) devices such as smartwatches and connected home appliances, network equipment like routers and modems, and various software products including operating systems and applications.   

The current Act covers the products with digital elements hardware or software sold or available in the EU.  

Depending on the product class type, different conformity assessments are applicable according to CRA. The classification for Important Products (Class I and Class II) and Critical Products can be found in CRA-ANNEX III and IV.

I am a Manufacturer, what steps shall I follow?

If you are a manufacturer, make sure you are aware of the main process and all the steps to be followed:

Contact Applus+ if you need help in understanding the requirements and how to proceed. We are walking all through this new regulation.

Is any product excluded or non-covered?

Yes, some products are not covered under the CRA or excluded

Amongst the excluded products are those sufficiently regulated on cybersecurity such as cars, medical devices, in vitro, and certified aeronautical equipment.   

These are some of the products that are not covered by CRA regulations:   

• Non-commercial projects, including open source in so far as a project is not part of a commercial activity.   
• Services, particularly cloud/Software-as-Service – except “remote data processing solutions”.  

Relation with EUCC and Other Schemes:

The EU Cyber Resilience Act is intended to work in conjunction with existing cybersecurity certification frameworks, including the European Union Cybersecurity Certification Scheme (EUCC) coming from the CSA (Cybersecurity Act). The EUCC, based on the Common Criteria for Information Technology Security Evaluation, offers a voluntary certification scheme. However, the Cyber Resilience Act introduces mandatory compliance requirements for certain products.   

It specifies which products must adhere to certification standards, potentially including those outlined in the EUCC and other relevant schemes. This approach ensures a more cohesive and comprehensive cybersecurity landscape across the EU, blending voluntary and mandatory measures to enhance overall digital security.  

When does the CRA enter into force?  

Entry into force is expected around the second half of 2024. We recommend following the updates in CRA on the ENISA CRA website.

What is the CRA transition period?  

Manufacturers will have to apply the rules 36 months after they enter into force.  Except for a more limited 21-month grace period for the reporting obligation of manufacturers for incidents and vulnerabilities.  

Applus+ Laboratories, providing support to help you navigate the CRA  

If you are a manufacturer, make sure you are aware of the main process and all the steps you’ll have to take to maintain the cybersecurity of your product throughout its lifecycle.  

If you have any doubts or questions our Applus+ Laboratories experts will be more than happy to walk you through this new regulation.