How to Comply with the New EU Cyber Resilience Act
UK regulation rarely steals a march on the EU. Yet that is precisely what happened in April 2024 when the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, which regulates connected devices, became law. However, what the PSTI managed in speed, it lost in scope. The EU version, the Cyber Resilience Act (CRA), is far broader and more detailed and will set a high bar for compliance—demanding a rigorous approach to cyber-risk management.
At a high level, the CRA is designed to improve the security and reliability of connected technology and to make it easier for buyers to identify high-quality products through a kite mark scheme. With penalties of up to €15m or 2.5% of annual turnover, non-compliance is not an option, and for UK firms wishing to tap the vast EU market, compliance is a must. Fortunately, adherence to best practice security standards such as ISO 27001 will do much of the heavy lifting.
What Does It Cover?
The CRA applies to:
- Products with digital elements (PDEs) – in other words, software or hardware capable of connecting to a device or network
- A PDE’s “remote data processing” solutions
- A PDE’s software or hardware components which are marketed separately
In practice, this means a wide range of products, including smart devices such as smartphones, tablets, PCs, TVs and fridges, wearables and even children’s toys. Some product categories that are already regulated, such as medical devices and vehicles, are not covered by the CRA for now.
What Do You Need to Do?
The legislation will apply to manufacturers, their authorised representatives, importers, distributors, and retailers. Most of the compliance burden will fall on manufacturers, who must:
- Assess PDE cybersecurity risks and ensure products are designed and manufactured in compliance with the CRA’s essential cybersecurity requirements (ECRs)
- Ensure components sourced externally don’t compromise the PDE’s security
- Document and patch vulnerabilities in a timely manner
- Provide security support for five years or the product’s lifespan (whichever is shorter)
- Notify EU security agency ENISA within 24 hours of becoming aware of active vulnerability exploitation or another security incident, with information on corrective measures
- Provide detailed information on how to install product updates, whom to report vulnerabilities to, and other manufacturer details
- Establish a conformity assessment process to verify CRA compliance
Importers will need to be aware of the above in order to fulfil their obligation to ensure that only compliant PDEs are sold in the EU. The CRA sets out an extensive list of ECRs in Annex I of the legislation; these are deliberately open-ended rather than prescriptive so that they stay relevant as technology evolves. They include requirements for PDEs to be:
- Produced free from known exploitable vulnerabilities and with a secure configuration by default
- Designed and manufactured with “appropriate” levels of cybersecurity built in and in a way that will reduce the impact of security incidents
- Capable of protecting against unauthorised access with strong authentication
- Able to protect the confidentiality of stored, transmitted or processed information, such as via encryption
- Conformant to data minimisation principles
- Designed and produced with a limited attack surface
- Designed to ensure vulnerabilities can be patched via product updates, automatically where possible
- Produced alongside a vulnerability disclosure policy
Time to Plan
John Moor, head of the IoT Security Foundation (IoTSF), explains that while it’s not time to panic just yet, manufacturers will need to start collaborating with their supply chains to determine how new products will comply with the CRA.
“Products on the market are out of scope for now but may need an end-of-life plan,” he tells ISMS.online. “Although the timeline is approximately 36 months, some provisions will come in sooner. Product manufacturers will need to be compliant on that date, and given that everyone in the supply chain must take ownership, that points to forward planning.”
In addition to working with these supply chain partners, manufacturers should also assess if internal processes are fit for purpose from a risk and vulnerability management perspective, Moor argues.
“Then we get to the product itself. This is where security and privacy-by-design practices come into effect. Many manufacturers will already be familiar with these elements beyond the traditional functionality, performance and power considerations,” he says. “Where can they get help? Consultants, test labs and organisations like the IoTSF. We were set up in 2015 and could see the way the world was headed. Hence, we have anticipated what was coming and have embedded advice, process and methodologies in our guides and tools.”
How ISO 27001 Can Help
Given the CRA’s lengthy and exacting compliance requirements, organisations may also benefit from following already-established best practice standards relevant to the act. Moor says the product development standards ISO/SAE 21434 for automotive and IEC/ISA 62443 for industrial control systems are probably the most relevant. However, other experts also see some overlap with ISO 27001.
Adam Brown, managing security consultant at Black Duck, tells ISMS.online that the standard could lay a “good foundation” for UK tech firms eyeing the CRA.
“ISO 27001’s systematic approach to risk management, secure development, supply chain security, incident response, and lifecycle management covers many of the same areas the CRA emphasises. However, ISO 27001 is aimed at organisational security whereas the CRA is aimed at individual products,” he adds.
“Organisations that have been through ISO accreditation will understand risk assessment; the CRA also mandates a thorough risk assessment per product. Secure by Design and Default: CRA Annexe 1(h) requires that products be designed, developed and produced to limit attack surfaces, including external interfaces. Likewise, ISO 27001’s Annex A.14 deals with secure development and support for information systems, including integrating security throughout the software development lifecycle.”
The good news is that aligning with ISO 27001 won’t just set manufacturers up for success with CRA compliance. It can also help create a secure foundation for a raft of other industry regulations and requirements, from NIS 2 to the GDPR. It may be time to take a look.