
EU Cyber Resilience Act: What it Means for R&D Leaders
The EU Cyber Resilience Act (CRA), adopted in October 2024, introduces mandatory cybersecurity requirements for hardware and software products. The CRA applies to all Products with Digital Elements (PDEs) sold within the EU and carries steep penalties for failing to comply with its requirements.
This legislation marks a major milestone in cybersecurity for anyone involved in the development of IoT products. R&D leaders must act now to begin putting the appropriate processes, documentation, testing, and security measures in place, or risk facing penalties of up to 15M Euros, or 2.5% of global turnover, whichever is larger.
Key Objective of the CRA
The CRA was created to address the serious lack of security standards in digital products sold within the EU. While some companies have built high levels of security into their products, this has not been consistently true. As a result, many products have been deployed with significant security weaknesses, leading to serious and costly cyber-attacks. The Cyber Resilience Act has three primary goals:
- Enhancing Product Security by requiring manufacturers to integrate robust cybersecurity measures during the design and development phases and to maintain them throughout the product lifecycle.
- Increasing Transparency by requiring manufacturers to provide clear, detailed information about the security features of digital products to empower customers to make informed choices.
- Harmonizing Regulations by establishing a unified cybersecurity framework. The CRA simplifies compliance across EU member states to ensure delivery of secure digital products across the entire EU marketplace.
What is Covered by the CRA
The CRA applies to all Products with Digital Elements (PDEs) sold in the EU. This means nearly all electronic products with software, chips, or networking capabilities, including IoT devices, are impacted. A PDE is defined as “Any software or hardware product and its remote data processing solutions, including software and hardware components to be placed on the market separately.” The scope is quite broad and includes:
- IoT devices
- A device that is not directly connected to a network, but is connected or potentially connected to another device
- Components of an end product (hardware secure elements, processors, software libraries, firmware, operating systems, etc.)
- Desktop and mobile applications
- Open-source software, if used in a commercial product falling under the scope of the CRA. In this case, manufacturers using open-source software as part of their product are responsible for making sure the open-source components are compliant with the CRA.
Image source: https://www.european-cyber-resilience-act.com/
The CRA also divides products into categories based on their intended use, with more stringent requirements applying to critical products.
CRA timeline
The CRA phases in enforcement of its provisions gradually, allowing companies time to comply. Some of the key dates of the CRA are:
- October 10, 2024: CRA enacted
- December 10, 2024: The CRA enters into force
- June 11, 2026: Certain provisions requiring notification of conformity will apply
- Sept 11, 2026: Manufacturers must comply with the reporting requirements for actively exploited vulnerabilities and severe incidents
- Dec 11, 2027: Full enforcement of the CRA begins with mandatory compliance for manufacturers
Requirements for Product Developers
The CRA defines comprehensive requirements for implementing secure development processes and building security into products. CRA requirements include:
- Following Secure by Design principles
- Implementing authenticated firmware update mechanisms with rollback protection
- Implementing security measures including encryption and access control
- Providing a Software Bill of Materials (SBOM)
- Developing a vulnerability management plan, including vulnerability reporting
- Providing information on:
  - Installing security updates
  - Securely decommissioning a product
  - How to report vulnerabilities
- Performing security assessments and security testing
Achieving compliance with the CRA requires addressing security from the earliest stages of product design and continuing to do so through the entire product life cycle.
Implications for R&D leaders
R&D leaders must change their mindset around cybersecurity. In too many cases, cybersecurity has been an afterthought or approached with a mindset of “what is the minimal acceptable level of security needed”. It is these approaches that have led to widespread cyberattacks and the proliferation of botnets of IoT devices.
Going forward, cybersecurity must be viewed as a high priority requirement. R&D leaders need to plan for cybersecurity in everything they do. This starts with budgets and staffing. R&D teams need to be appropriately staffed, trained, and enabled to properly implement cybersecurity. This will impact product development schedules, testing cycles, and post-release product support.
Achieving compliance with the CRA will be a heavy lift for R&D leaders. The good news is that the CRA timeline accounts for this, but companies must act now. Companies must budget for cybersecurity, add cybersecurity experts to their staff, and implement secure development processes to ensure compliance with the CRA.
Summary
The enactment of the CRA marks a major milestone in cybersecurity. It defines clear requirements for manufacturers of electronic devices and their suppliers and includes stiff penalties for non-compliance. Compliance is mandatory and companies must act now to develop a plan to ensure their products are in compliance when enforcement begins.
About us
ARS Embedded Systems helps companies build electronic products. We have expertise in both hardware and software design for Sensors, IoT, Control, and Wearable devices, and can assist with building products compliant with regulations including the Cybersecurity Act (CSA), Cyber Resilience Act (CRA), and Radio Equipment Directive (RED).