The EU Cyber Resilience Act (CRA) is a legislative proposal introduced by the European Commission to improve the security of digital products and services across the European Union (EU). The Act aims to set cybersecurity standards for connected devices and software, ensuring that manufacturers, developers, and distributors take responsibility for the safety of their products throughout their life cycle.
This blog post answers frequently asked questions about the CRA.
The CRA mandates that digital products be secure by design and by default, meaning that cybersecurity must be built into a product’s development and implementation from the start.
Manufacturers must ensure that products remain secure over time, providing timely updates to fix vulnerabilities as they emerge. In addition, products must undergo security assessments to verify compliance with cybersecurity standards before being launched on the market.
The Act applies to manufacturers of products with digital elements, including hardware (e.g., smart devices) and software (e.g., operating systems and applications). It covers products sold within the EU, whether they are manufactured in the EU or imported from other regions. Although the CRA is an EU regulation, many expect it to have significant global impact since companies that want to sell digital products in the EU market must comply with the Act’s standards.
The scope of the Act includes:
The CRA was officially adopted on October 10, 2024, and the regulation entered into force two months later, on December 10. Below are other key dates:
The EU CRA draws heavily on principles from the following frameworks in mandating secure design, lifecycle security, and accountability:
Manufacturers are primarily responsible for ensuring that their products meet the relevant security requirements, conducting risk assessments, and fixing vulnerabilities. Distributors and importers must ensure that the products they handle comply with the CRA.
Products that pose a security risk have to be withdrawn from the market, and responsible parties must inform customers of any vulnerabilities and fixes.
Companies must implement vulnerability handling procedures and provide security updates for their products. They must also report any actively exploited vulnerabilities or incidents to the EU cybersecurity agency, ENISA, within 24 hours of discovery.
The CRA imposes significant fines for non-compliance, with penalties reaching up to €15 million or 2.5% of the global annual turnover, whichever is higher.
The first consideration is lifecycle security. The Act requires that products remain secure throughout their lifecycle, from production and distribution to use and disposal. This includes continuous security monitoring and patching to address emerging threats.
The second consideration is support for consumers. The CRA aims to empower consumers by providing more transparency around the security features of digital products. Manufacturers must clearly communicate security-related information, such as the expected lifespan of updates, to buyers.
For manufacturers and developers, the CRA places the burden of cybersecurity on product creators, requiring them to proactively ensure security and continuously update their products. This will likely increase compliance costs; however, it will also enhance product reliability and customer trust.
For consumers, the CRA means more secure products and greater transparency, as well as a clear expectation of how long products will receive security updates.
For the market, the CRA sets new cybersecurity standards, which could influence global regulations, similar to how GDPR impacted privacy laws worldwide.
Bugcrowd can help organizations achieve CRA compliance in several ways. First, because manufacturers are primarily responsible for ensuring that their products meet CRA security requirements, they can invest in a managed bug bounty program or in penetration testing as a service. The second use case is vulnerability management: vulnerability disclosure programs provide streamlined vulnerability handling procedures.
The EU CRA is a major step towards strengthening the cybersecurity of digital products in the European market. It promotes a proactive approach to security, ensuring that companies prioritize cybersecurity throughout the product lifecycle and that consumers are better protected against cyber threats.
For more insights into EU security regulations, check out our blogs on DORA, the NIS2 Directive, and the EU AI Act.