Cyber Resilience Act, the European initiative for the future of cybersecurity in digital products.


15 September 2022
Posted by: Javier Tallón

For many years now, Europe has led the legislative landscape in cybersecurity, serving as an example to countries outside the Union.

Several instruments adopted in these years, such as the GDPR (2016), the NIS Directive (2016) and NIS 2 (2022), the Cybersecurity Act (2019) and the 5G Toolbox (2020), reinforce Europe's position as a benchmark in the field of cybersecurity.

What is the Cyber Resilience Act (CRA)?

The CRA is an initiative that aims to ensure that manufacturers build appropriate cybersecurity safeguards into the digital products they sell. By establishing cybersecurity requirements that apply both before and after a product is placed on the market, the CRA will strengthen the security and resilience of the entire supply chain, for the benefit of businesses and end consumers alike.

The main mission of the Cyber Resilience Act is to fill existing gaps in legislation by creating horizontal legislation that defines European cybersecurity requirements for digital products and services. Current product-specific EU legislation mostly covers safety aspects and addresses cybersecurity only partially.

Cybersecurity requirements for manufacturers of digital products

The CRA will impose a number of requirements on manufacturers of digital products who wish to market them in EU member states.

These requirements will fall into two main categories: requirements for "ordinary" products (all products that fall within the scope of the CRA) and requirements for "sensitive" products (those used to handle secret information related to national security and defence).

Requirements for ordinary products will include:

  • Security by design and by default for all products within the scope of the regulation.
  • Cybersecurity requirements throughout the product life cycle (before and after the product is placed on the market).
  • Vulnerability management and, whenever possible, security patching.
  • Transparency of the supply chain of hardware and software components.
  • Enumeration of software components (a software bill of materials).
  • Information for end users on the cybersecurity level of the product.
  • Security reporting requirements for each product.
  • Post-market security support requirements (probably limited to a period of 5 years after the product is placed on the market).
What products are covered by the CRA?

The CRA will cover all digital products and ancillary products, meaning both software and hardware placed on the market for commercial purposes, as shown in the chart below.

Products that are not within the scope of this proposal are:

  • Passive components (cables, adapters, ...).
  • Open source hardware and software not linked to commercial applications.
  • Closed source free software with no economic activity behind it.
  • Cloud services (unless they are ancillary services to a product).
  • "One-way" web sites (HTTP) that focus primarily on providing information (such as blogs, newspapers or product advertising), whether commercial or free of charge/hobby.
Connection between the CRA and the EU certification framework

The EU cybersecurity certification framework is defined in the Cybersecurity Act (CSA) as a set of voluntary schemes. The CRA will not modify the CSA in either content or governance; both laws are designed to be complementary. This will make it easier for companies to assess and certify their products under European schemes and methodologies.

The only update to take into account is that the European Commission is considering the possibility of requiring mandatory pre-market certification under a Cybersecurity Act scheme for the highest-risk category of products.

    Next steps

The CRA has been drafted by the European Commission in DG CNECT.H.2, following a public consultation on the proposal to which different bodies have been able to contribute. Today the proposal has been formally published, so the text will now be sent to the European Parliament and the Council. A consensus is expected by the first quarter of 2024, after which the regulation will be formally adopted before it enters into force.

Javier Tallón / Technical Director

Expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology (FIPS 140-2, ITSEC, ISO 27001, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country's major evaluation labs. As a consultant, he has successfully accompanied national and international companies through several certification processes (up to EAL5+). His experience has led him to speak at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also a cybersecurity lecturer, teaching Secure Software Engineering at the University of Granada, and holds the CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional and Certified Expert) certifications.

In 2015 he began to lay the foundations of what would become jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site, from which the company carries out most of its work. A recognised expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), he assumes the technical direction of most projects, directing and organising the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple conferences.
