The EU Council has adopted the Cyber Resilience Act (CRA), a new law that aims to make consumer products with digital components safe(r) to use.
CRA requirements
The CRA outlines EU-wide cybersecurity standards for digital products, i.e. products that are connected – either directly or indirectly – to another device or to a network. This category includes “smart” home appliances, TVs, thermostats, toys, wearable health technology, baby monitoring systems, and so on.
Some connected products – e.g., medical devices, cars, aeronautical products, marine equipment, and products developed exclusively for national security or defense purposes – are exempt from the CRA because existing EU laws already specify their cybersecurity requirements. Networking devices such as routers, modems and switches are not exempt: they are in scope, and the regulation lists them among the product categories that face stricter conformity assessment.
“This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle,” the law states.
“It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements, for example by improving transparency with regard to the support period for products with digital elements made available on the market.”
The CRA establishes cybersecurity requirements for products based on their risk classification: the large majority of products, which carry lower cybersecurity risk, can be self-assessed by the manufacturer, while products in the regulation’s “important” and “critical” categories (e.g., operating systems, routers, firewalls, hypervisors, smart meter gateways, hardware security modules) face stricter conformity assessment, including third-party assessment or, for critical products, certification under a European cybersecurity certification scheme.
The regulation recognizes the specific challenges faced by microenterprises and small and medium-sized enterprises, and aims to minimize their burden, for example through simplified technical documentation. It also treats open source separately: free and open-source software supplied outside a commercial activity falls outside the regulation, and non-profit “open-source software stewards” that support such software face a lighter set of obligations than manufacturers.
To improve vulnerability handling, the CRA requires manufacturers to, among other things, provide a single point of contact for vulnerability reports and publish a coordinated vulnerability disclosure policy; report actively exploited vulnerabilities and severe incidents to their designated Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA), with an early warning due within 24 hours of becoming aware of the issue and a fuller notification within 72 hours; and document the components contained in their products with digital elements in a software bill of materials (SBOM) that covers at least the top-level dependencies in a commonly used machine-readable format. The SBOM does not have to be made public, but it must be available to market surveillance authorities on request.
“CRA will be signed by the presidents of the Council and of the European Parliament and published in the EU’s official journal in the coming weeks. The new regulation will enter into force twenty days after this publication and will apply 36 months after its entry into force with some provisions to apply at an earlier stage,” the EU Council concluded.