On March 16, 2022, the European Commission invited citizens and organizations to share their views about the EU Cyber Resilience Act (CRA). The Commission hopes to receive input on how to shape the new Cyber Resilience Act that will become integral to the existing EU legislative framework in cybersecurity. Here are the top 10 things you should know about the EU Cyber Resilience Act.
2. Commission President Ursula von der Leyen announced the need for the EU Cyber Resilience Act in her State of the Union speech in 2021, stressing, "We cannot talk about defense without talking about cyber. If everything is connected, everything can be hacked."
2. With the EU Cyber Resilience Act, the European Commission hopes to increase public trust in the digital market with a consistently high level of cybersecurity and increased transparency of cybersecurity features. Another goal is to mitigate risks and limit revenue losses due to cyberattacks.
3. Creating and implementing a uniform security standard that all manufacturers and vendors must follow also supports fairness among all providers. It also increases positive competitiveness and quality standards by leveling the playing field.
4. The EU Cyber Resilience Act aims to protect consumers from the lack of appropriate security in digital products by establishing a common framework of cybersecurity rules that manufacturers and vendors must follow. This includes ancillary services.
5. What is the scope? It concerns all digital products (e.g. smart sensors, smart cameras, mobile devices, network devices, etc.), both tangible and intangible (wireless and wired), and ancillary services (digital services whose absence would prevent the tangible product from performing its functions, such as a mobile application that activates a smart locker), covering both hardware and software products. This can also include non-embedded software (software that can be made available without hardware). Some families of digital products will be considered to belong to higher-risk categories, which might require satisfying additional cybersecurity requirements that will be defined in other EU directives.
6. The EU Cyber Resilience Act will complement the existing Directive on the security of Network and Information Systems (NIS2 Directive) and the existing EU Cybersecurity Act (EU CSA). The initiative is also based on the New Legislative Framework (NLF) for industrial products, which aims to improve market surveillance and the quality of conformity assessments. It is expected to satisfy the cybersecurity-related requirements of the Radio Equipment Directive (RED). This means that the RED-related harmonised cybersecurity standards (under development) will most probably become the basis of the EU Cyber Resilience Act requirements.
7. One of the main goals of the Cyber Resilience Act is to cover the entire lifecycle of digital products, processes, and services. This includes the design phase, commercialization, actual product use, decommission, and disposal. Security by design, security by default, the security of the supply chain and vulnerability handling will be the main domains to be addressed.
8. ICT products and ancillary services certified under the EU cybersecurity certification schemes (EUCC, EUCS, EU5G, ...) developed under the EU Cybersecurity Act are supposed to satisfy the EU Cyber Resilience Act requirements by default.
9. The proposed Cyber Resilience Act is expected to be adopted by September of 2022 and enforced by 2024/2025.
10. Am I affected? Yes, if you are a manufacturer or developer of connected digital products (hardware/software) and ancillary services. The Act applies horizontally, across all market sectors.
Finally, it's not too early to start planning: adapt your digital product strategy and choose the right specialized partners to avoid missing out on access to the EU single market.