The CRA sets out specific requirements that must be taken into account during product development. The principles of security by design and security by default apply. The required risk assessment ensures that the CRA requirements are met and that possible threats are neither underestimated nor overestimated, which avoids planning measures that are either inadequate or disproportionate.
Processes (e.g. IEC 62443) and the documentation of their results ensure compliance with the CRA. Depending on the product category, conformity can be verified by the manufacturer itself, or a notified body must be involved.
The CRA defines the categories "Standard/Basic Products", "Important Products" and "Critical Products". The product category does not influence the required activities (processes), but only the conformity assessment procedure (provision of evidence).
Cybersecurity must be guaranteed for the expected lifetime of the product, but for at least 5 years. This is achieved through regular and effective cybersecurity tests (e.g. penetration tests) and also includes keeping the risk assessment up to date. Vulnerabilities in the product must be reported immediately and eliminated by means of software updates. All of these activities must be planned and documented; here, too, processes ensure that this actually happens.
Various aspects of the CRA are still unclear. There are no harmonized standards yet and no notified bodies. The latter should be available in 2026.
Products that are already on the market are not covered by the CRA as long as they are not significantly modified. Guidelines for defining a significant change have not yet been drawn up. However, the CRA provides indications of what could constitute a significant change: for example, new features or feature updates that could have an impact on cybersecurity risk are to be considered significant changes. It follows that any such change must be checked and evaluated, which means that at least a risk assessment of the product must be carried out.
You can find more details in our FAQ for Embedded Security.
Alois Cavelti