What Is the Cyber Resilience Act? Secure EU Compliance Simplified
Here’s what IT leaders need to know about the European Cyber Resilience Act and its global impact.
The Cyber Resilience Act (CRA) is a new set of cybersecurity rules in the European Union (EU) that regulates products and services with digital elements. This means it mandates security requirements for pretty much everything from software to IoT.
“The Cyber Resilience Act will strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike, making the EU a safer and more resilient continent," said Lead MEP Nicola Danti in a statement.
“Parliament has protected supply chains ensuring that key products such as routers and antiviruses are a priority for cybersecurity. We have ensured support for micro and small enterprises, better involvement of stakeholders, and addressed the concerns of the open-source community, while staying ambitious. Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years,” Danti added.
The Cyber Resilience Act is the first legislation of its kind to regulate cybersecurity globally. The Act mandates specific cybersecurity requirements for manufacturers and retailers, replacing inadequate cybersecurity features with stronger protection.
The European Cyber Resilience Act is expected to enter into force in early 2024. It was proposed in September 2022, and agreed upon in December 2023.
Understanding the Cyber Resilience Act
The European Cyber Resilience Act is comprehensive, and all affected parties should review it carefully. But by way of a general overview, here are the key points:
Scope: The Act applies to any product or service with a digital component from inception to end of the lifecycle.
Objectives: To establish and enforce a unified cybersecurity compliance framework in the EU.
Mandate: Manufacturers must prioritize and comply with security-by-design requirements throughout the product’s lifecycle.
Exemptions: The CRA exempts certain connected devices covered by sectoral legislation. Exempted products include cars, medical devices, in vitro products, and certified aeronautical equipment -- all of which are controlled through separate regulatory frameworks addressing stringent cybersecurity requirements fitted to the uniqueness of these products and industries.
Compliance: Manufacturers must declare conformity with the security mandates, provide technical documentation supporting that declaration, affix a conformity mark to the product, and disclose within 24 hours any actively exploited vulnerabilities. Non-compliance results in significant fines and/or sanctions.
Timeline: Manufacturers, importers, and distributors have 36 months to comply from the date the Act is formally adopted.
What Is the European Cyber Resilience Act and Who Does It Affect?
“Companies that don’t comply could be subject to the highest fine of either administrative fines of up to €15 million or 2.5% of the organization’s global annual turnover for the previous fiscal year, whichever is greater. Alternatively, businesses that mislead market surveillance authorities with incorrect, incomplete, or manipulated information will be presented with a fine of €5 million or 1% of global annual turnover,” warns Ilona Cohen, HackerOne's Chief Legal and Policy Officer and former General Counsel to the White House OMB under Obama. Cohen is heavily involved in contributing to and advising on global policy moves like the EU Cyber Resilience Act.
Given that most modern companies sell products globally, the Cyber Resilience Act reaches far beyond the borders of the European Union. In short, it’s likely to affect almost every company everywhere in much the same way as the EU’s General Data Protection Regulation (GDPR) did.
“The global implications of the Cyber Resilience Act are multifaceted. It sets a precedent for international cybersecurity regulation, potentially influencing global standards for digital product security. Countries outside the EU may adopt similar regulations, leading to a more harmonized global cybersecurity framework. It could also impact international trade, as non-EU companies will need to comply with these regulations to access the EU market. Moreover, it may encourage a global shift towards prioritizing cybersecurity in product development, enhancing overall cyber resilience worldwide,” says Surjeet Mahant, head of Cyber Risk Management services at K2 Integrity, a risk/advisory firm.
Key Provisions and Their Impacts
Besides the broad scope of affected products and the global implications, there are some key provisions to understand when considering the impact of this Act.
For one thing, it replaces the NIS Directive with much higher cybersecurity standards. The intent is increased consumer protection, and the fines and sanctions for non-compliance are proof of how seriously that intent is taken.
The Essence of Strengthening Digital Defenses
While the consensus is that the Cyber Resilience Act is a good development in cybersecurity, it remains to be seen whether the outcome will match the intent.
“The goal is admirable. The approach appears to have been either short-sighted or a little too heavy-handed. The response from industry groups with a vested interest in the Act shows it’s not well received. Neither was GDPR. In time, the industry learned to live with it, understand how to avoid major pitfalls and find other ways to compensate for the cost of compliance,” says Morgan Wright, Chief Security Advisor at SentinelOne.
“The tricky part of compliance is that it’s not always black-and-white. The intent of the Act is one thing. How it is interpreted and applied by regulatory authorities is another. This is why the legal profession will always have a built-in market,” Wright adds.
Navigating Compliance
As is usually the case, navigating compliance can be a frustrating, exacting, and costly exercise. The front-end costs tend to be the heaviest burden. Later, companies learn more about what is expected and how to comply and eventually find a path forward that’s easier to follow.
“Harmonized standards play a crucial role in meeting requirements. Industry and regulators will need the full three years of the compliance period to ensure they are well crafted. We encourage regulators to maintain dialog to ensure global consistency and interoperability of emerging measures,” says Matt Fussa, head of Cisco's Trust Office.
Steps to Ensure Your Organization Adheres to the CRA
While compliance may require additional steps as the CRA matures, here are some general steps to help ensure your organization is in compliance from the start.
Understand the requirements
Make security-by-design a universal rule across products and services
Do regular compliance checks
Proactively watch for updates and changes in requirements
The Toolkit for Cyber Resilience under the New Regulation
“Rather than a ‘tick-the-box' activity, the CRA should be viewed as an approach or concept. This mindset will enable organizations to readily adapt to potential amendments as the regulation evolves. We believe the CRA is a timely and fitting addition to the European regulatory landscape," says Csaba Virág, Chief Strategy Officer at Nortal.
“Compliance may prove difficult for those without security-first approaches. Success starts with a thorough risk assessment, addressing vulnerabilities in digital products, and establishing proper procedures. Existing cybersecurity frameworks provide a structured path towards CRA alignment while ensuring robust and best practice security measures,” Virág adds.
Composing a toolkit to make compliance easier to manage is a smart idea. Among other things, an ideal toolkit for your company would contain:
Detailed instructions and guidelines
Checklists
Training materials
Mentors
Templates
Case studies
Reporting tools
Update and alert systems
Challenges and Opportunities
“The opportunities are vast, and long overdue. Many companies in today’s landscape value cheap and fast to market over security and maintainability. This is especially obvious in the commercial IoT space, where every appliance has to be internet connected while running a full Linux distro in the background. Just like a system that an IT team maintains, that embedded system also requires lifecycle management and clearly setting expectations of EOL/EOS -- before the purchase is made,” says Nick Kathmann, chief information security officer at LogicGate.
Unfortunately, vast opportunities laden with the best of intentions also come with significant challenges and risks for companies.
“The challenge, however, is around the vulnerability disclosure to a central government agency. While the EU Cyber Resilience Act doesn’t go as far as China does requiring POC code and technical details, it does become another government-controlled vulnerability database that’s more closed in nature than, for instance, the CVE process. Also, even without technical details, just knowing an application has a vulnerability of a certain class can cause researchers -- both good and bad -- and attackers to point the microscope on that application and discover the vulnerability before the vendor has had a chance to reasonably remediate. Another challenge will be getting the assessment firms vetted and trained quickly,” Kathmann adds.
Balancing Security With Innovation
There is significant concern that the CRA may seriously curtail innovation.
“There is concern in some quarters that the Act will cause a chilling effect on innovation particularly in the IoT sector and cloud open-source platforms,” says Alex Feiglstorfer, co-founder and CTO at Storyblok.
And by “chilling,” those who fear the CRA’s impact on open source typically mean it may result in the death of open source.
“The situation for open-source projects is more complicated as the individuals behind these initiatives often have little appetite or time to handle interactions with professional users of their software. They are unlikely to field questions around whether different applications of their software will comply with the Act,” says Feiglstorfer.
“Consequently, professionals who use open-source tech to build their products will need to either accept the risk and take their own security measures or abandon using open-source software altogether. There is a real chance this will cause a lot of problems in the open-source community with people abandoning these projects. Although, I do hold out hope that the Act could have the opposite effect with more users being willing to fund and support these initiatives so that they can comply with the Act,” Feiglstorfer adds.
Opening Doors for International Cooperation in Cybersecurity
The CRA creates many opportunities for global collaboration, alignment, and standards. Cross-border cooperation in cybersecurity leads to a safer world for all.
Global Implications
The Cyber Resilience Act has broader implications beyond the EU in upgrading international cybersecurity standards and potentially enforcement worldwide. In theory, at least, this would lead to a safer world for citizens in every country.
How the CRA Influences Global Cybersecurity Practices
Like GDPR, the CRA will create a domino effect until a unified approach to cybersecurity eventually emerges.
“By mandating that cybersecurity is integrated from the earliest stages of product development and insisting on external validation for high-risk categories, the Act is aimed at ensuring a higher level of product security and consumer trust. Its global impact is further amplified through its push for transparency in vulnerability handling, setting a precedent for international cooperation in cybersecurity. The Act not only elevates the EU's approach to digital security but also serves as an opportunity to harmonize global cybersecurity initiatives,” says K2 Integrity’s Mahant.
The Industry’s Response
Tech giants tend to favor the CRA. That is probably because they build and sell globally, and a single worldwide standard simplifies things for these manufacturers.
Feedback from Tech Giants and SMEs on the Cyber Resilience Act
“Compliance is a significant undertaking for the digital industry, but companies that have been focused on cyber security will be in the best position to implement the new rules from the CRA. For example, Cisco has used a secure development lifecycle for over 20 years; and we have been a leader in vulnerability management for many years. We are already pulling together a cross-functional team to ensure we address the full range of requirements in an industry-leading manner. At its heart will be the Cisco Secure Development Lifecycle (CSDL),” says Matt Fussa, head of Cisco's Trust Office.
Small and medium-sized enterprises (SMEs) face a different set of circumstances.
“Adapting to the CRA presents challenges, especially for SMEs, in terms of costs, new requirements, and talent availability. However, compliance also brings opportunities. Improved cybersecurity posture positions businesses as trusted partners, and compliance could become a standard procurement requirement,” says Nortal’s Virág.
Anticipating Future Amendments and Legal Developments
Companies should remain vigilant about future updates and amendments. If there is one area subjected to continuous fluctuations, it’s cybersecurity.
“Given the emerging threats and technological advancements, potential harmonizing with other regulations (i.e., GDPR) will likely result in future amendments to the Act. This, coupled with stakeholder engagement, feedback, and implementation experiences, may drive future amendments to ensure the regulations remain effective and relevant,” says Findlay Whitelaw, Field CTO, Insider Threat Program & UEBA Solutions at Securonix.