jtsec is now part of

Cyber Resilience Act, the European initiative for the future of cybersecurity in digital products.


- Sept
Posted by: Javier Tallón
Cyber Resilience Act, the European initiative for the future of cybersecurity in digital products.

For many years now, Europe has been leading the legislative landscape in cybersecurity, serving as an example to other countries outside the Union.

Several proposals in these years such as the publication of the GDPR (2016), NIS Directive 1 (2017) and NIS 2 (2022), the Cybersecurity Act (2019) or 5G Toolbox (2020) reinforce Europe’s position as a benchmark in the field of cybersecurity.

What is the Cybersecurity Resilience Act (CRA)?

The CRA is an initiative that aims to ensure that vendors establish appropriate cybersecurity safeguards in the digital products they sell. By establishing cybersecurity requirements before and after a product is marketed, the CRA will strengthen the security and resilience of the entire supply chain for the benefit of businesses and end consumers.

The main mission of the Cybersecurity Resilience Act is to fill existing gaps in legislation by creating horizontal legislation defining European cybersecurity standards for digital products and services, as currently EU product-specific legislation mostly covers security aspects and addresses cybersecurity only partially.

Cybersecurity requirements for manufacturers of digital products.

The CRA will impose a number of requirements on manufacturers of digital products wishing to market them in EU member countries..

These requirements will fall into two main categories: requirements for "ordinary" products (all those that fall within the scope of the CRA) and requirements for "sensitive" products (those used to handle secret information related to national security and defense).

Requirements for ordinary products will include:

  • Security by design and by default for all products within the scope of the regulation.
  • Cybersecurity requirements throughout the life cycle (before and after the product is placed on the market).
  • Vulnerability management and (whenever possible) security patching.
  • Transparency of the supply chain of hardware or software components.
  • Enumeration of software components.
  • End-user information on the cybersecurity level of the product.
  • Security reporting requirements for each product.
  • Post-market security support requirements (probably limited to a period of 5 years after commercialization).
  • What products are considered in the CRA?

    It will include all digital products and ancillary products, meaning both software and hardware for commercial purposes, as shown in the chart below:

    Products that are not within the scope of this proposal are:

  • Passive components (cables, adapters...)
  • Open source hardware and software not linked to commercial applications.
  • Closed source free software with no economic activity.
  • Cloud services (if they are not ancillary services).
  • Web sites (HTTP) "One-way" web sites that focus primarily on providing information (such as blogs, newspapers, product advertising) both commercial and free of charge/hobby.
  • Connection between CRA and EU certification systems

    The EU cybersecurity certification framework is defined in the Cybersecurity Act (CSA) as voluntary systems. The CRA will not modify the CSA in either content or governance. Both laws are designed to be complementary. This will make it easier for companies to assess and certify their products under European systems, schemes and methodologies.

    The only update to be taken into account is that the European Commission is considering the possibility of requiring, for the highest risk category of products, mandatory pre-market certification using the Cybersecurity Act schemes.

    Next steps

    The CRA is being drafted by the European Commission in DG CNECT.H.2. following a public consultation on the proposal to which different bodies have been able to contribute. Today the proposal has been formally published, so the text will be sent to the European Parliament and the Council. By the first quarter of 2024 it is expected that there will be a consensus and that it will be formally adopted before it enters into force.

    Javier Tallón/Technical Director

    Expert consultant on the Common Criteria standard, and other security assurance standards in the field of the information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also Cyber Security lecturer, giving classes of Secure Software Engineering at the University of Granada and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified .

    In 2015 he begins to lay the foundations of what will be jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site from where the company develops most of the work. Recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple Congresses.


    Send us your questions or suggestions!

    By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.