Cyber Regulation: CRA in Development

The CRA distinguishes between four levels:

• Standard/Basic Products (Art. 6)
  • e.g. household appliances, measuring instruments, IoT (Internet of Things) devices, mobile or PC applications
• Important Products (Class I) (Art. 7, Annex III)
  • e.g. virtual assistants, smart door locks, baby monitors, wearables for health monitoring
• Important Products (Class II) (Art. 7, Annex III)
  • e.g. firewall appliance
• Critical Products (Art. 8, Annex IV)
  • e.g. HSM appliance

All assurance levels must comply with Annex I, i.e. all activities must always be carried out.

The difference between the assurance levels lies in the design of the product, which must guarantee a level of cybersecurity appropriate to the assurance level (Annex I Part I para. 1), and in the conformity assessment procedure (Annex VIII).

At present, there are no harmonized standards for the regulation. Harmonized standards are technical standards that are recognized by the EU Commission and enable a legally simplified conformity assessment.

Until such harmonized standards are published, manufacturers can fall back on established standards such as the IEC 62443 series of standards.

This is possible for products at the „Standard/Basic” security level (Art. 32 para. 1, Endnote 91). The associated procedure (Module A) is described in Annex VIII Part I and requires:

• ensuring that the design, development, manufacture and treatment of vulnerabilities correspond to the CRA
• drawing up the technical documentation in accordance with Annex VII
• affixing the conformity marking (CE marking) and drawing up the EU declaration of conformity

The manufacturer must ensure and declare on his own responsibility that the CRA is complied with. See also „Do I need processes for this? Why? Which ones?” and „What are the penalties for non-compliance with the CRA?”.

The proof of conformity depends on the safety level of the product.

Standard/Basic Products

• see above

All higher safety levels require the involvement of a notified body.

Important Products (Class I) (Art. 32 para. 2)

• EU type examination (module B) according to Annex VIII, part II and Conformity to type (module C) according to Annex VIII, part III.
  • This corresponds to the standard procedure for obtaining the CE marking.

or

• Conformity based on full quality assurance (module H) according to Annex VIII, part IV
  • The quality system must be approved and regularly inspected by a notified body.
  • This procedure allows the manufacturer to certify conformity based on the approved quality system on behalf of the notified body.

Important Products (Class II) (Art. 32 para. 3)

• According to module B and module C and module H (see Class I)

Critical Products (Art. 32 para. 4)

• Requires a European CybersecurityCertificate, at least assurance level “medium” according to Regulation EU 2019/881

The central element of the CRA is the assessment of cybersecurity risks. This document is created at the beginning of product development and then regularly updated (Art. 13 para. 2, 3).

The product development (planning, design, development phase) must take into account the results of the risk analysis in order to minimize the cybersecurity risks, prevent security incidents and minimize the impact of security incidents.

The product must be designed, developed and manufactured in such a way as to ensure an appropriate level of cybersecurity in view of the risks.

The cybersecurity requirements (Annex I Part I) must be met. Among other things, the following are required:

• Security by Design and best practices for a secure (software) development cycle
• Security by Default (e.g. secure standard configuration
• Minimization of potential attack surfaces
• Protection against unauthorized access
• Confidentiality, integrity and availability (e.g. secure boot)
• Protection of personal data
• Logging of security-relevant data and events

The Technical Guideline TR-03183-1 of the BSI describes the state of the art in detail.

Is a software bill of materials required?

A software bill of materials (SBOM) is mandatory and must be provided in a machine-readable format (Annex I Part II para. 1). Possible formats are CycloneDX or SPDX.

Technical Guideline TR-03183-2 of the BSI describes the requirements for an SBOM in detail.

The documentation is divided into two parts:

• Technical documentation
• User documentation

The technical documentation must contain all relevant data or details of how the manufacturer ensures that the product complies with the CRA (Art. 31 para. 1).

The technical documentation must be complete and written in easily understandable language and made available to the market surveillance authorities upon request (Articles 53, 58). It must enable the market surveillance authorities to understand the design, development, manufacture and handling of vulnerabilities (Article 31 (2)).

The technical documentation shall include at least (Annex VII):

• general description of the product
• Description of the design, development and manufacturing of the product
• Description of the vulnerability management process
• Cybersecurity risk assessment
• Information taken into account in determining the support period referred to in Art. 13 para. 8
• A list of the harmonized standards applied in full or in part, or a description of the solutions adopted to meet the essential cybersecurity requirements set out in Annex I
• Reports on the tests and inspections carried out
• EU declaration of conformity
• Software bill of materials

The documentation must be prepared before the product is placed on the market and updated throughout the entire life of the product (Art. 31 para. 2).

Chapter 6 of the Technical Guideline TR-03183-1 of the BSI goes into the documentation requirements in detail.