Navigating the European Union Cybersecurity Resilience Act: A Guide for Device Manufacturers

Understanding the Cyber Resilience Act

The CRA introduces mandatory cybersecurity requirements for a wide range of products with digital elements, including both hardware and software. The primary goal is to enhance the security of these products, ensuring that they can withstand and quickly recover from cyber incidents.

Key aspects of the CRA include:

1. Scope of the Act: The CRA covers all products with digital elements, ranging from consumer devices like smart home assistants to industrial equipment such as smart meters and secure crypto-processing devices​.
2. Categories of Products:
   • Default Category: Products that pose lower cybersecurity risks and can undergo a self-conformity assessment by the manufacturer.
   • Important Products with Digital Elements (PDEs): These include products like firewalls and operating systems, which require third-party conformity assessments.
   • Critical PDEs: High-risk products such as tamper-resistant microprocessors and smart meter gateways. These require the most stringent conformity assessments​.
3. Cyber Risk Management: Manufacturers must conduct a cyber risk assessment before marketing their products. This includes due diligence on third-party suppliers and implementing essential cybersecurity requirements as outlined in Annex I of the CRA​.
4. Vulnerability Management: Throughout the product lifecycle, manufacturers are responsible for managing vulnerabilities, which involves regular testing, patch management, and maintaining a responsible disclosure program. Security updates must be provided for at least five years, or for the product’s expected usage period if shorter.
5. Incident Reporting: In the event of a significant cybersecurity incident, manufacturers must notify the European Union Agency for Cybersecurity (ENISA) and relevant Computer Emergency Response Teams (CERTs) within 24 hours.

Compliance and Market Surveillance

Compliance with the CRA is crucial for market access in the EU. Each member state will designate market surveillance authorities to enforce the regulations. Non-compliance can result in significant penalties and impact market access​.

Challenges and Industry Feedback

While the CRA has been welcomed for its potential to strengthen cybersecurity, there are concerns about its impact on open-source projects and small developers. The legislation's requirements could impose significant burdens on these groups, potentially hampering innovation and the rollout of new technologies.

How Kudelski IoT Can Help

Navigating the complexities of the CRA can be challenging for manufacturers. Kudelski IoT offers comprehensive services to help device manufacturers understand their gaps and ensure compliance:

1. Gap Analysis: Kudelski IoT can conduct thorough assessments to identify where your products and processes do not meet CRA requirements.
2. Security Architecture Design: Our experts can help you design a robust security architecture tailored to your specific products and use cases, ensuring all necessary protections are in place from the ground up.
3. Pre-Market Testing: Before your products hit the market, we offer rigorous testing services to identify and mitigate vulnerabilities, ensuring compliance with the CRA’s pre-market requirements.
4. Post-Market Surveillance: Kudelski IoT can assist in setting up effective post-market surveillance programs, including continuous monitoring, vulnerability management, and incident reporting to meet ongoing CRA obligations.