CRA and how to comply through the EUCC Certification

30/10/2024

    This article is based on the presentation given by Jose Manuel Pulido (Consulting Manager at jtsec, an Applus+ company) during the EUCC scheme webinar organized by Applus+ Laboratories in October 2024.

    The Cyber Resilience Act (CRA) is a regulatory framework designed to enforce mandatory cybersecurity requirements for all products with digital elements within the European Union. This presentation explores the key elements of the CRA, its impact on various product categories, and how the EUCC (European Common Criteria-based cybersecurity certification) scheme can help meet CRA requirements.

    Overview of the Cyber Resilience Act

    The CRA applies to a wide range of products, including hardware, software, firmware, and remote data processing solutions. It mandates cybersecurity requirements to ensure the protection of information and the security of products with digital elements. The CRA sets obligations for manufacturers, such as conducting cybersecurity risk assessments, providing security patches, and reporting vulnerabilities.

    Key Deadlines and Requirements

    The CRA was adopted by the European Union Council in October 2024 and will start to apply by January 2028. The regulation defines essential security requirements, divided into two parts: security functionalities and properties (Part 1) and manufacturer obligations (Part 2). These requirements aim to ensure a consistent level of cybersecurity across all products with digital elements.

    Product Categories and Conformity Assessment

    The CRA categorizes products into critical, important (Class 1 and Class 2), and default (non-important and non-critical) categories. The conformity assessment methods vary based on the product's criticality. For critical and important products, the assessment methods are those of the New Legislative Framework (NLF): Module B plus Module C, or full quality assurance through Module H. Self-assessment is possible only for non-critical and non-important products. The CRA also introduces the concept of presumption of conformity, whereby products certified under a European cybersecurity certification scheme, such as EUCC, can be presumed to comply with CRA requirements.

    Mapping EUCC to CRA Requirements

    The EUCC scheme, based on Common Criteria, can help meet CRA requirements through its security functional requirements (SFRs) and security assurance requirements (SARs). By establishing an equivalence between EUCC and CRA requirements, manufacturers can demonstrate compliance with the CRA through EUCC certification. The EUCC's vulnerability management obligations and patch management processes also align with CRA requirements.

    Addressing Gaps and Implementation Strategies

    To bridge gaps between existing certifications and CRA requirements, manufacturers may need to update security targets and protection profiles. The EUCC scheme can be adapted to include new SFRs and SARs, ensuring compliance with the CRA. For products with remote data processing solutions, additional assessment methods, such as harmonized standards, may be required. For products where the scope of the EUCC evaluation is smaller than the full product, it may be necessary to demonstrate that the evaluated portion, the Target of Evaluation (TOE), guarantees the security of the full product.

    Industry Landscape and Protection Profiles

    The Common Criteria industry is dominated by protection profiles, with a significant portion of certifications being PP-compliant. Critical and important products, such as smart cards and network devices, can benefit from EUCC certification to meet CRA requirements. For non-important products, functional packages and assurance packages can be designed to model the mapping between CRA and EUCC requirements.

    Future Developments and Challenges

    The integration of EUCC with CRA is an ongoing process, with efforts to update protection profiles and develop new assessment methods. The goal is to avoid multiple compliance analyses and ensure a streamlined certification process. The industry must adapt to new regulations while maintaining high standards of cybersecurity.

    In conclusion, the Cyber Resilience Act represents a significant step towards enhancing cybersecurity across the European Union. By leveraging the EUCC scheme, manufacturers can ensure compliance with CRA requirements, providing a robust framework for the certification of digital products. The ongoing efforts to harmonize standards and update protection profiles will play a crucial role in achieving this goal.
