Antonio Ieranò
Security, Data Protection, Privacy. Comments are on my own unique responsibility 🙂
Just when you thought that European cybersecurity regulations couldn’t get more comprehensive after NIS2 (Directive (EU) 2022/2555) and DORA (Digital Operational Resilience Act), here comes another major legislative package to keep you on your toes—the Cyber Resilience Act (CRA). With digital threats evolving faster than most businesses can keep up, the European Union has taken yet another bold step to safeguard the integrity of connected products and digital services across the single market.
While we’re already busy grappling with the complex frameworks introduced by the NIS2 Directive, aimed at bolstering network and information systems security, and DORA, focused on the digital resilience of financial institutions, the CRA arrives to fill the gaps left for products that power our digital world. As the CRA is expected to be adopted this year (2024), the clock will start ticking on a 36-month countdown before enforcement begins. So, yes, it’s time to prepare for this next-level cybersecurity regulation, which promises to redefine how companies approach product design, security updates, and vulnerability management.
The Purpose and Scope of the Cyber Resilience Act
The Cyber Resilience Act (CRA) is part of the EU’s broader strategy to create a safer digital space for consumers and businesses alike. The act focuses on ensuring that products with digital components—whether hardware, software, or services—are secure throughout their entire lifecycle. The CRA requires that these products are designed, developed, and maintained to a standard that minimizes cybersecurity risks, ensuring they do not pose a threat to users, businesses, or the larger digital infrastructure.
The CRA has a wide scope, covering:
- Standalone software products, such as SaaS applications.
- Embedded software in connected devices (e.g., IoT devices, routers).
- Hybrid solutions, combining cloud services with on-premise appliances or virtual appliances.
The aim is twofold:
- To increase the cyber resilience of digital products and connected devices in the European market.
- To ensure consumer and business protection by mandating that manufacturers meet stringent cybersecurity standards.
The CRA, like NIS2 and DORA, is grounded in the EU’s digital sovereignty and security strategy. Together, these pieces of legislation form an interwoven framework that aims to regulate various aspects of digital infrastructure, networks, and services.
Interaction Between the CRA, NIS2, and Other EU Legislation
The CRA does not exist in isolation. It is designed to complement other European cybersecurity legislation, including:
- NIS2 Directive (Directive (EU) 2022/2555), which governs the security of network and information systems for essential and important services, ranging from energy to financial services.
- DORA (Digital Operational Resilience Act), which targets the digital resilience of the financial services sector, ensuring that financial entities are able to resist and recover from cyberattacks and other IT-related disruptions.
- GDPR (General Data Protection Regulation), which focuses on the protection of personal data and may intersect with the CRA when data security is compromised due to cyber vulnerabilities.
The CRA specifically fills in the gaps left by these regulations, focusing more on the product security of connected devices and software. While NIS2 significantly emphasizes infrastructure security for essential services, and DORA aims at operational resilience in financial institutions, the CRA zooms in on the resilience of individual products, ensuring that everything from a connected home device to a complex SaaS platform is secured against vulnerabilities.
In practice, this means that a company providing SaaS to a financial institution may need to comply with both DORA and CRA, ensuring that the software’s operational resilience meets DORA standards while also being designed and maintained according to CRA’s security requirements. Similarly, businesses falling under the NIS2 Directive may find that their connected products must comply with the CRA to meet both network/system and product security mandates.
Key Requirements of the Cyber Resilience Act
For companies providing digital products, including SaaS providers and manufacturers of connected devices, the CRA introduces several critical obligations:
1. Security-by-Design and Security-by-Default
The CRA mandates that products be built following security-by-design and security-by-default principles. This means that cybersecurity must be integrated into the product from the very start of its design, and that the product’s default configurations should ensure a high level of security for users.
- Security-by-design: Cybersecurity measures, such as encryption, user authentication, and data protection, must be embedded into the architecture of the product, ensuring that it is secure from the moment it is deployed.
- Security-by-default: Products should come with secure default settings, requiring minimal action from the user to achieve a high level of protection.
For SaaS products, this means ensuring that software architecture, user authentication systems, and data handling processes are built with robust cybersecurity features that minimize risk. For example, collaboration tools or CRM systems must encrypt user data and communications by default, without requiring users to manually enable these settings.
2. Regular Security Updates and Patch Management
One of the cornerstones of the CRA is the requirement for manufacturers and SaaS providers to deliver regular security updates to address vulnerabilities that arise throughout the lifecycle of a product.
- Vulnerability monitoring: SaaS providers and manufacturers must continuously monitor their products for vulnerabilities and deliver timely patches to fix identified risks.
- Lifecycle security: Updates must be provided for the entire duration of a product’s lifecycle, ensuring that even older versions of software or connected devices remain protected.
For example, SaaS products that handle sensitive customer data (such as enterprise software or security platforms) must ensure that they have mechanisms in place for delivering critical updates quickly and efficiently.
3. Vulnerability Detection, Reporting, and Notification
The CRA places a significant emphasis on vulnerability management and disclosure. If a vulnerability is identified in a product, manufacturers or providers must:
- Notify the relevant EU authorities, such as ENISA (European Union Agency for Cybersecurity).
- Inform customers about the vulnerability, including the risks it poses and any available fixes or mitigation measures.
The reporting process must be timely and transparent, ensuring that authorities and customers understand the risk and can take appropriate action. For SaaS products, this includes ensuring that both the software and the underlying infrastructure (e.g., cloud hosting) are secure.
If your SaaS product is hosted on third-party infrastructure (such as AWS, Microsoft Azure, or Google Cloud), it is still your responsibility to notify customers and coordinate fixes if a vulnerability in the hosting environment impacts your service.
4. Hybrid Solutions and Appliances
The CRA introduces additional complexity for providers offering hybrid solutions—those combining cloud services with on-premise appliances or virtual appliances. Both the cloud and the on-premise components must comply with the CRA’s security requirements.
For example:
- On-premise appliances, such as firewalls or data storage devices, must undergo regular security checks and receive updates to stay compliant with the CRA’s standards.
- Virtual appliances running in customer environments must also be subject to the same scrutiny as cloud-based services, ensuring vulnerabilities are patched quickly and efficiently.
This is particularly relevant for companies offering hybrid cloud and local installations, where both components must be equally secure and compliant with EU cybersecurity standards.
Certification and Conformity Assessment Under the CRA
The CRA introduces conformity assessment and certification requirements to ensure that products meet its cybersecurity standards. This process is mandatory for high-risk products, and companies must engage with Notified Bodies for certification.
1. Conformity Assessment for Different Risk Levels
Depending on the risk profile of the product, the CRA outlines two paths for conformity assessment:
- Self-assessment: Lower-risk products may be self-assessed for compliance. This involves internal reviews of the product’s design, development, and maintenance processes to ensure they meet the CRA’s security requirements.
- Third-party certification: For high-risk or critical products—those used in essential services or critical infrastructure—third-party certification is required. This certification will be carried out by an independent Notified Body designated by an EU member state.
2. Notified Bodies in Italy and Across the EU
Certification under the CRA will be conducted by Notified Bodies, independent organizations recognized by the EU to assess and certify products for compliance. Once a product is certified by a Notified Body, that certification is valid across all EU member states.
In Italy, potential Notified Bodies include:
- IMQ (Istituto Italiano del Marchio di Qualità): One of Italy’s largest certification bodies, offering a range of cybersecurity services.
- TÜV Italia: Part of the TÜV group, TÜV Italia provides certification and testing services, including for digital products.
- RINA: An Italian firm specializing in certification, advisory, and inspection services, including cybersecurity certification.
These bodies are recognized across the EU, meaning that one certification is sufficient for the entire European market. A company does not need to obtain separate certifications in every EU member state.
Vulnerability Disclosure and Ongoing Compliance
One of the most crucial aspects of CRA compliance is the obligation to manage vulnerabilities and maintain certification continuously. Once a product is certified, companies must ensure that it remains compliant throughout its lifecycle. This includes:
- Ongoing certification maintenance: Any changes or updates to the product must not affect its compliance status. If significant changes are made, the product may need to undergo additional conformity assessments to ensure continued adherence to CRA standards.
- Customer and authority notification: When vulnerabilities are discovered, companies must promptly notify both customers and EU authorities, providing clear information on the risk and how to mitigate it.
For SaaS providers, this process includes monitoring for vulnerabilities in both the software and the hosting infrastructure, and notifying customers if security issues arise in either area.
Timeline for CRA Adoption and Enforcement
The CRA is expected to be adopted in 2024, with a 36-month transition period before full enforcement begins. This provides businesses with a three-year window to align their products with the CRA’s requirements and ensure they are ready for certification and compliance by the time enforcement begins.
Conclusion: Preparing for the Cyber Resilience Act
The Cyber Resilience Act introduces a new set of obligations for manufacturers and SaaS providers operating in the EU. By mandating security-by-design, regular updates, and vulnerability disclosure, the CRA aims to ensure that digital products remain secure throughout their lifecycle. For companies providing digital products in the EU, this means prioritizing cybersecurity from the earliest stages of product development through to the end of a product’s life.
Compliance with the CRA will require businesses to engage with Notified Bodies for certification, maintain ongoing vigilance against vulnerabilities, and ensure that their products meet the high security standards set by the EU. With the CRA set to be fully enforced in just a few years, now is the time to start preparing.
In an era where cybersecurity is not just a technical requirement but a legal one, the Cyber Resilience Act is a critical step forward for ensuring the safety and trustworthiness of the digital products we use daily.
#CyberResilienceAct #CRA #SaaS #Cybersecurity #DigitalTransformation #NIS2 #DORA #EURegulation #ProductSecurity #CyberCompliance #DigitalInnovation #TechLegislation #CyberProtection
The Cyber Resilience Act: Because One More Cybersecurity Requirement Couldn’t Hurt, Right? by The Puchi Herald Magazine is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.