The digital world is evolving rapidly - and so are the threats posed by cyber attacks. The Cyber Resilience Act (CRA) came into force on 11 December 2024 and is intended to ensure that only secure software and hardware products come onto the market. The aim is to minimise security vulnerabilities and increase the resilience of the European single market to cyber threats.
We asked our expert Dr Martin Neumann, Senior Consultant for Regulatory Affairs and Cybersecurity at infoteam, what challenges and opportunities the CRA brings for companies. Here are his answers to the three key questions:
What is the CRA and why is it necessary?
The CRA expands CE labelling, which previously focused primarily on functional safety, to include cyber security requirements. In future, it will not only be checked whether a product harbours mechanical or electrical hazards, but also whether it is protected against cyber attacks. This applies to all networked products with digital elements - from industrial control systems to IoT devices such as smart household appliances and software.
In contrast to the NIS2 Directive, which addresses operators of critical infrastructures, the CRA is aimed at manufacturers and covers a wide range of products. While sector-specific regulations previously applied, such as for medical devices or wireless technologies, the CRA implements horizontal regulation and now affects almost all digital products.
However, there are some exceptions:
- Open source projects, provided they are not used commercially.
- Software-as-a-Service (SaaS), which falls under NIS2.
- Sector-specific products, such as medical devices, aviation systems and vehicles, which are already regulated by other cybersecurity legislation.
New obligations for manufacturers
In future, manufacturers will have to state how long their products will receive security updates. Operators - for example in the laboratory and industrial sectors - can hope for longer support, as manufacturers, e.g. of networked analysers, must provide systems with updates for at least five years.
Until now, such information has often been difficult to access or completely absent. This can lead to essential devices becoming insecure at an early stage. In environments where sensitive data is processed and networked systems are essential for operation, this creates considerable security risks.
Security is not a static state, but a dynamic process: what is considered secure today may already be vulnerable tomorrow. This is why manufacturers are obliged to carry out vulnerability monitoring and provide regular security updates throughout the entire life cycle of their products. If critical security gaps occur, they are obliged to report them immediately to the relevant authorities such as ENISA.
The experts from infoteam Software AG's Cybersecurity Competence Centre explain how this can be implemented in practice.
Security by design and security by default
The CRA calls for cybersecurity to be integrated into product development at an early stage. This means:
- Cyber security must be considered from the outset, i.e. as early as the development phase.
- Standard configurations must not contain any insecure default settings.
- Security must not be retrofitted to products at a later stage.
If a wrong design decision is made at the beginning, this can lead to a product never becoming compliant with the CRA. It is therefore crucial that security is integrated into the development process right from the start.
Our Cybersecurity Competence Centre supports companies in implementing state-of-the-art architectures in line with security by design.
New regulatory requirements
The CRA obliges companies to:
- carry out risk analyses for their products
- implement basic cybersecurity requirements (secure by design, secure by default)
- introduce vulnerability management
- prepare technical documentation covering security aspects
- carry out the EU conformity assessment with CE labelling
- manage a software bill of materials (SBOM) for greater transparency
What can companies do now?
The implementation deadlines of the CRA are short:
- 36 months after entry into force, all regulations apply
- 21 months after entry into force, the vulnerability reporting obligations apply
Companies should therefore act early and adapt their development processes.
Recommended measures:
- comply with security standards and regulatory requirements such as BSI TR 03183, the CRA Annex and ETSI EN 303 645.
- create an SBOM for effective vulnerability management.
- define and establish internal security-by-design guidelines.
- implement regular updates and security patches.
- train employees in cyber security.
- carry out penetration tests for proactive security analysis.
Conclusion
The CRA is becoming a prerequisite for market access and is increasing the requirements for manufacturers, dealers and importers. Companies that adapt early will benefit from a competitive advantage. Those who are already pursuing high security standards will have less effort to adapt - for everyone else: act now! Because cyber security is no longer an option, it is becoming a duty.
Do you need support? Depending on your needs, we offer customised consulting packages and practical cyber security training courses. Contact us without obligation.
