Overview Series on the EU Cyber Resilience Act (CRA): Part 2 - Who does the CRA Impact?

I. Introduction

One of the most impactful ways in which the EU’s Cyber Resilience Act (CRA) differs from the existing Network and Information Security (NIS) directive is its significantly expanded scope across both public and private sector entities. Understanding the types of organisations covered under the CRA allows appropriate assessment of implications as stakeholders chart compliance journeys.

Analysing the coverage also provides insight into EU’s evolving regulatory philosophy around cyber protections – emphasising systemic resilience alongside traditional stand-alone entity readiness. We assess some key expansions with respect to the public sector below.

II. Public Sector Entities Included

The CRA specifies coverage of a number of public administration bodies managing functions crucial to societal well-being. Some entities covered include:

Public Administration Institutions: Government bodies providing public services related to taxes, benefits, transport and infrastructure now fall under CRA obligations. Their networked nature and vast usage amplify vulnerabilities, making cyber readiness critical.

Healthcare Sector: Public hospitals and ambulance services, centres for disease control, and ancillary product/service providers will need to comply, given their reliance on digital technologies for operations and the sensitivity of patient data.

Transport, Energy and Utilities: Public transportation, electricity and gas grid operators as well as water and wastewater management bodies face stringent risk management and reporting with potentially enhanced staffing/investment requirements.

The above sectors have traditionally lagged private industries in cybersecurity funding and preparedness. By covering these under a harmonised EU regulation like CRA focused on raising baseline spending and maturity backed by supervisory oversight, resilience shortcomings can be methodically addressed over the coming years.

III. Private Sector in Scope

In addition to the public sector, a substantial number of private industries find themselves obligated to adhere to the CRA’s provisions including:

ICT Third Party Services: Managed service providers such as cloud infrastructure, data centre operations and content delivery networks, previously excluded even in NIS2, now fall under the CRA given the overarching cyber supply chain risks highlighted recently. Identity and access management services are also included.

Disaster Recovery and Incident Response: Business continuity and incident response services provided externally to companies have specific resilience requirements given their criticality in crisis.

Extraction Companies: Mining and downstream/midstream energy entities such as oil and gas pipelines now fall under CRA oversight, having previously been exempt under NIS laws, after attacks such as the Colonial Pipeline breach recently disrupted production.

Financial Institutions: While some regulations already exist, the EU aims to further harmonise cyber reporting and systemic risk management mechanisms for the financial services sector, considering its criticality for the economy.

IV. Scope and Size Thresholds

An expansive variety of medium to large companies across the above crucial sectors fall under the CRA. But the EU also recognises preparedness lags among smaller entities serving communities regionally. Hence the CRA also covers small firms below 250 employees for:

  • Postal and courier services
  • Waste management related services
  • Manufacture/distribution/storage of chemicals
  • Healthcare institutions as analysed before

This calibrated approach expands obligations in a risk-tiered fashion – targeting sectors with potential outsized impact irrespective of firm size.

V. Supply Chain and Vendor Coverage

Supply chain cyber risks have taken centre stage globally after major attacks like SolarWinds led to thousands of downstream compromises (Young & Aleksiev, 2023). Aligning with the emphasis on software supply chain security in the U.S. Executive Order 14028, the CRA also brings such threats within its ambit through the following:

ICT Services Providers: Cloud computing, data centre and content distribution network providers face explicit requirements around risk assessments, incident reporting and coordination with the procuring organisations they service, in light of recent attacks with cascading impacts.

Third Party Obligations: Provisions have been included, similar to the American “know your supplier” approach, mandating cyber due diligence by entities on suppliers and service providers before procurement and during contract periods, from both fraud prevention and resilience perspectives.

VI. Key Expansions Over NIS Directive

The CRA prescribes cyber obligations for a wider set of sectors and entity types compared to its predecessor. Some notable expansions include:

Wider Industry Coverage: CRA incorporates 8 additional sectors such as manufacturing, data processing, digital providers, waste management, chemicals etc. alongside existing NIS categories like energy and transport.

Lower Size Thresholds: Previously, only companies designated as operators of essential services with 250+ employees were included. Now all medium and large companies across designated sectors under the CRA must comply, irrespective of criticality designation.

Elevated Supply Chain Focus: A high degree of emphasis is placed on securing software delivery pipelines and managed service operations supporting industries globally. Cascading breach risks are addressed more explicitly, where previously they remained vague.

Thus, the CRA lays down a marker cementing cyber resilience on par with physical, personnel and operational risk management practices for businesses, holistically aligning policy with the realities of complex, technology-driven sectors.

VII. Summary and Implications

The Cyber Resilience Act’s extensive scope, applying advanced cybersecurity obligations to over 200,000 entities across public and private sectors, marks a seminal moment for Europe. It elevates cyber risk management discourse from siloed, discrete conversations within industries to integrated governance that recognises the interdependencies required for economic stability and national security in the 21st century.

By pulling small/medium businesses into the fold along with software supply chain and managed service providers, the CRA embodies a proactive approach to addressing capability gaps through calibrated policy. This graduated philosophy, tailored to sectoral cyber maturity realities and coupled with streamlined EU-wide reporting and resilience benchmarking, opens the possibility of uplifting cyber preparedness at scale in the coming decade.

Of course, the provisions must translate effectively into implementation, recognising the diversity of capacities and limitations that exist presently. But the CRA's intent and sweep clearly meet the urgency of the dramatic changes underway in the region’s cyber threat landscape. In the parts ahead, we evaluate other facets such as compliance timelines, costs and enforcement approaches that will shape outcomes. But the extensive scope cements cyber resilience firmly within vital infrastructure policy and enterprise risk management roadmaps for the foreseeable future.

The extensive scope signals the necessity to embed cyber resilience firmly within infrastructure policy and enterprise risk management roadmaps.

In the next part, we analyse the specific risk management, reporting and accountability compliance obligations introduced through the CRA to enable this step change in cyber maturity across the old and new sectors under focus. Understanding these operational stipulations in depth will be essential as public and private entities chart implementation journeys suited to their unique constraints while serving the larger shared vision of systemic cyber readiness as Europe's digital transformation accelerates.


References

Young, M., & Aleksiev, A. (2023). The EU’s Cyber Resilience Act Has Now Been Agreed. Inside Privacy. https://www.insideprivacy.com/cybersecurity-2/the-eus-cyber-resilience-act-has-now-been-agreed/

European Commission. (2023, December 1). Cyber Resilience Act - Questions and Answers. https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_6375
