For many years now, Europe has been leading the legislative landscape in cybersecurity, serving as an example to countries outside the Union. Several proposals in these years, such as the publication of the GDPR (2016), NIS Directive 1 (2017) and NIS 2 (2022), the Cybersecurity Act (2019) or the 5G Toolbox (2020), reinforce Europe’s position as a benchmark in the field of cybersecurity.
What is the Cybersecurity Resilience Act (CRA)?
The CRA is an initiative that aims to ensure that vendors establish appropriate cybersecurity safeguards in the digital products they sell. By establishing cybersecurity requirements before and after a product is marketed, the CRA will strengthen the security and resilience of the entire supply chain for the benefit of businesses and end consumers.
The main mission of the Cybersecurity Resilience Act is to fill existing gaps in legislation by creating horizontal legislation defining European cybersecurity standards for digital products and services, as currently EU product-specific legislation mostly covers security aspects and addresses cybersecurity only partially.
Cybersecurity requirements for manufacturers of digital products.
The CRA will impose a number of requirements on manufacturers of digital products wishing to market them in EU member countries.
These requirements will fall into two main categories: requirements for "ordinary" products (all those that fall within the scope of the CRA) and requirements for "sensitive" products (those used to handle secret information related to national security and defense).
Requirements for ordinary products will include:
What products are considered in the CRA?
It will include all digital products and ancillary products, meaning both software and hardware for commercial purposes, as shown in the chart below:
Products that are not within the scope of this proposal are:
Connection between CRA and EU certification systems
The EU cybersecurity certification framework is defined in the Cybersecurity Act (CSA) as a set of voluntary certification schemes. The CRA will not modify the CSA in either content or governance; the two laws are designed to be complementary. This will make it easier for companies to assess and certify their products under European systems, schemes and methodologies.
The only update to be taken into account is that the European Commission is considering the possibility of requiring, for the highest risk category of products, mandatory pre-market certification using the Cybersecurity Act schemes.
The CRA is being drafted by the European Commission in DG CNECT.H.2, following a public consultation on the proposal to which different bodies have been able to contribute. Today the proposal has been formally published, so the text will be sent to the European Parliament and the Council. By the first quarter of 2024 it is expected that there will be a consensus and that the act will be formally adopted before it enters into force.