Everything You Need to Know About the EU Cyber Resilience Act (CRA)

Our ongoing tracking of the EU market and legislation shows the lowdown on the new EU CRA and what it means for industrial CISOs.

Originally published Takepoint Research blog here

Download our free EU CRA Fact Sheet here - Key Takeaways for Industrial CISOs.

If you've been keeping an eye on the EU's cybersecurity landscape, you've probably heard whispers—or loud chatter even—about the new Cyber Resilience Act (CRA) . It's set to make some significant waves in how the EU approaches cybersecurity for digital products, and we should all get up to speed on it.

So, grab a cup of coffee (or your beverage of choice), and let's chat about what the EU CRA is all about. We’ll address questions such as how it will affect the industrial sector and the steps we should take to prepare. Without further ado, let’s get to it!?

So, What's the Deal with the Cyber Resilience Act?

In simple terms, the CRA is a new regulation from the EU aiming to ensure that hardware and software products are secure before hitting the market. Think about all those connected devices—everything from smart home gadgets to industrial control systems. The EU wants to ensure these products are built with cybersecurity in mind from the get-go.

The act introduces cybersecurity requirements for the design, development, and production of products with digital elements. The goal is to align the cybersecurity landscape across all EU countries and fill in any gaps, ensuring all members are on the same page.

Key Highlights

One of the standout features is products needing to display the CE marking to indicate compliance—not just with safety and health standards, but also with cybersecurity requirements. So, when you see that CE mark, it means the product has been assessed and meets the EU's high standards for safety, health, environmental protection, and cybersecurity.

The CRA applies to all products connected directly or indirectly to another device or network, including anything within the Internet of Things (IoT). Although, there are some exceptions for products already governed by existing EU rules, like medical devices, aeronautical products, and cars.

Who Needs to Pay Attention?

While the EU CRA primarily targets manufacturers, it has significant implications for us in the industrial sector. As CISOs, we need to be aware of how this regulation affects our organizations, especially supply chain security and the products we deploy in our operational environments.

Manufacturers

Manufacturers will need to meet these new cybersecurity requirements to sell their products in the EU. This means:

• Conducting risk analyses during product development.
• Ensuring secure configurations by default.
• Implementing robust access protection.
• Maintaining data confidentiality and integrity.

Industrial Organizations

For us, this means the products we procure must comply with the CRA. We'll need to consider this in our vendor selection processes and ensure that the products we deploy meet these new standards. It's also an opportunity to enhance our own cybersecurity practices, aligning them with the CRA's requirements.

Diving Deeper into the Requirements

Next, let's discover in more depth what the EU CRA is actually demanding.

Security by Design and Default

Manufacturers are expected to build security into their products from the ground up. This includes:

• Conducting thorough risk analyses during the development phase.
• Ensuring products are secure out of the box, with default settings that prioritize security.
• Implementing robust authentication and authorization mechanisms.
• Protecting data to ensure confidentiality, integrity, and availability.

Vulnerability Management

Another critical aspect is how vulnerabilities are handled. For example:

• Manufacturers must provide a Software Bill of Materials (SBOM) , giving transparency about the components used in their products
• Any discovered vulnerabilities need to be reported to the European Union Agency for Cybersecurity (ENISA) within 24 hours
• Security updates must be provided promptly and free of charge.

CE Marking for Security

The CE marking will now extend to cover cybersecurity compliance. Manufacturers must:

• Declare that their products meet the CRA's requirements.
• Maintain detailed technical documentation, which must be made available to authorities upon request.

When does this come into action?

The CRA has been adopted by the Council and is set to be signed and published in the EU's official journal soon. It will enter into force 20 days after publication. Then, there’ll be a 36-month window before the CRA fully applies, although some provisions will commence sooner.?

While it might seem like we have some time (until around 2027), it's essential to start preparing now. Early preparation will make the transition smoother and help us all tackle any compliance issues.

What Does This Mean for Industrial CISOs?

Let's get to the heart of the matter—how will this impact us?

Supply Chain Considerations

We’ll need to ensure that our suppliers and products comply with the CRA. This might involve:

• Updating contracts to include EU CRA compliance clauses.
• Engaging with vendors to understand their compliance roadmaps.
• Reevaluating our procurement criteria to prioritize CRA-compliant products.

Adjusting Our Risk Management Practices

The CRA's requirements should also be integrated into our risk assessment methodologies. This means:

• Including CRA compliance as a factor in risk evaluations.
• Updating internal policies to reflect the new requirements.
• Ensuring that our teams are aware of and understand these changes.

Enhancing Our Security Posture

The CRA isn't just about compliance—it's an opportunity to improve our overall security posture. With mandatory SBOMs, we'll have better visibility into the components within our systems, making it easier to assess risks and respond to security incidents.

So, What Exactly Should We Be Doing Now?

Here's how we can get ahead of the curve:

Educate Ourselves and Our Teams

First things first, let's make sure we fully understand the CRA and its implications. This may involve:

• Reading up on the specifics of the CRA.
• Attending webinars or workshops.
• Sharing knowledge with our teams to ensure everyone is on the same page.

Engage with Our Suppliers

Open up conversations with your current vendors about their plans for CRA compliance. Ask them:

• How are they preparing for the CRA?
• Do they have a timeline for compliance?
• What support can they provide to help us meet our own obligations?

Review and Update Our Policies

Now is a good time to revisit our internal policies and procedures. Consider:

• Updating procurement policies to include CRA compliance as a requirement.
• Revising security policies to align with the CRA's standards.
• Ensuring that our incident response plans incorporate any new reporting requirements.

Plan for Compliance

Conducting a gap analysis is a great way to see where we might not meet the new requirements. From there, we can develop a roadmap to address these gaps well before the CRA comes into effect.

Leverage the Benefits

Remember, the CRA isn't just about jumping through regulatory hoops. It's an opportunity to:

• Improve our security strategy.
• Increase transparency and trust with our clients and partners.
• Position our organizations as leaders in security-conscious markets.

Looking Ahead

While the CRA introduces new obligations, it also brings significant benefits. By ensuring that products are more secure, we're reducing the risk of breaches and enhancing the overall cybersecurity landscape.

Yes, there will be challenges. Implementing these changes will require resources and effort, and some suppliers might be slow to adapt. But by staying proactive, we can turn these challenges into opportunities.

Wrapping Up

The EU Cyber Resilience Act is set to bring about substantial changes in how we approach cybersecurity for digital products. As industrial CISOs, you have a crucial role to play in navigating these changes.

So let's stay informed, engage with our suppliers, update our policies, and use this as a chance to bolster our security practices. The CRA is on the horizon, and by preparing now, we'll be well-positioned to meet its requirements and enhance our organizations' security.

Stay tuned for more updates as we continue to monitor developments in the EU market and legislation. For more information about the CRA, download our FREE fact sheet today . If you have any further questions or need assistance navigating these changes, feel free to reach out. Let's tackle this together!