Navigating the Cyber Resilience Act and its product security requirements for manufacturers
Is your organisation ready for the upcoming Cyber Resilience Act?
From connected home cameras and smart appliances to password managers and other hardware and software, our daily lives are intertwined with and dependent on technology more than ever before. This interconnectedness comes with inherent risks, including dramatic increases in cyber-attacks on products with digital elements. To better protect organisations and individual consumers across the European Union against cyber-attacks, the EU Commission is introducing the Cyber Resilience Act (CRA), with new, standardised product cybersecurity requirements. These new requirements reach far beyond any current EU product security standards and will have a substantial impact on the manufacturing, distributing and importing of products with digital elements in the EU.
Cyber-attacks on organisations and individual consumers are predicted to occur every two seconds by 2031, costing victims an estimated US$265 billion annually1. Consumers are often unaware of the security level in products with digital elements and of the fact that manufacturers, though their reputation may be damaged, do not have to bear the costs of cybercrime attacks.
In the current product security landscape within Switzerland and across the European Union the lack of a regulatory framework means that products with digital elements are not all held to the same set of cybersecurity standards. Consumers therefore have little guarantee that a product with digital elements has been developed with security in mind.
To enhance product security within the European Union and to better protect companies and consumers against cyber-attacks, the EU Commission proposed the Cyber Resilience Act (CRA) in 2022, which entered into force as of 11 December 2024.
The Cyber Resilience Act (CRA) in practice
The CRA defines cybersecurity requirements for products with digital elements. Importers2 , manufacturers3 , and distributors4 must adhere to it.
Importers, manufacturers, and distributors of products with digital elements in the EU will need to be more diligent in their entire process, from development through to production, marketing and distribution of the product and beyond. This applies to all software or hardware products and to their remote data processing solutions, including software or hardware components that are placed on the market separately.5
Impact of the CRA
The CRA will have the largest impact on manufacturers producing products with digital elements, including Swiss manufacturers selling products with digital elements in the European Union.
The CRA classifies and distinguishes these products by the category of the product, based on their vulnerability and the degree of risk they present.
The graphic below provides a complete overview of the CRA’s product categories and the requirements for them.
Product categories and requirements based on the CRA
Two ways to demonstrate conformity
Manufacturers can choose between the following two routes to demonstrate conformity with the CRA’s requirements:
Please see below which conformity route manufacturers can follow based on their product type:
If manufacturers decide to opt for the conformity assessment to demonstrate compliance with the CRA (instead of the other options, such as harmonised standards), there are different types of conformity assessments for their product category and levels of risks of adverse effects, as shown in the table below.
The main difference between the classes is the way in which the conformity assessment for the CRA requirements is conducted. Products in which the digital element poses less risk of adverse effects, in terms of their intensity and ability to disrupt, can conform to an internal control (module A) assessment, while products in which the digital element is more critical should adhere to thorough third-party conformity assessments or the EU Cybersecurity Certification (EUCC) controls listed below.
Examples of essential requirements for the conformity assessment
The CRA requirements for the conformity assessments are listed in Annex I (Essential Requirements) of the CRA. These include some of the following requirements:6
- Ensure protection from unauthorised access through appropriate control mechanisms, including, but not limited to, authentication, identity or access management systems, and report on possible unauthorised access.
- Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest and in transit using state-of-the-art mechanisms and other technical means.
- Ensure vulnerability handling and delivery of products without any known exploitable vulnerabilities, as outlined by the essential requirements in the CRA (Annex I, part I and part II.
- Conduct a cybersecurity risk assessment and document its outcome considering the assessment for the different product lifecycle phases (i.e., planning, production etc.).
- Exercise due diligence when integrating components sourced from third parties.
- Prepare technical documentation including a cybersecurity risk assessment for each product.
- Affix CE marking visibly on the product or the website accompanying the software product.
- Provide users with information and with a type, batch, or serial number as well as instructions relating to the product’s use.
- Report any exploited vulnerability of a product with digital elements to the European Union Agency for Cybersecurity (ENISA) and the Computer Security Incident Response Team (CSIRT – the designated coordinator) without undue delay.
Manufacturers can also comply with the CRA by demonstrating conformity through harmonised standards, common specifications or the European Cybersecurity Certification Scheme. See below for definitions:
If your product aligns with these standards (according to internal assessments), there is no need for further conformity testing against the CRA’s requirements. However, the notified body may perform routine checks of your Declaration of Conformity (DoC) against these standards and thespecifications of the certification scheme.
Lower criticality products can rely on the Harmonised Standards and Common Specifications
Manufacturers can use the harmonised standards and common specifications to demonstrate conformity with the CRA by conducting an internal assessment against the requirements in these standards and specifications. This has been introduced to help smaller organisations demonstrate compliance. The Harmonised Standards and Common Specifications will be specified later by the European Commission.
Higher criticality products must rely on the EUCC level of ‘substantial’
The European Cybersecurity Certification Scheme (EUCC) is the first cybersecurity certification scheme in the European Union. It certifies ICT products (including technical components such as chips and smartcards, as well as hardware and software).10 The EUCC is based on Regulation EU 2019/881 (EU Cybersecurity Act) and common international standards such as ISO/IEC 15408 and ISO/IEC 18045.11
Specific implementation controls and guidelines are yet to be defined. Based on the EU Regulation 2019/881 and ISO 15408, these are typical controls manufacturers of critical products might expect at a ‘Substantial’ (EAL4, coming from ISO/IEC 1540812) level:
The EUCC level of ‘substantial’ mandates that manufacturers undergo a third-party assessment. In the future the Commission will assess whether further certification schemes specific to the CRA will be needed. It may release delegated acts to specify how the EUCC certificate can be used to suspend the obligation to carry out the third-party conformity assessment for manufacturers.13
Product classes
Please refer to the drop-down menus below to check the requirements for each product class as defined in the CRA.
Conclusions
The CRA entered into effect on 11 December 2024. The regulation obliges importers, manufacturers, and distributors of products with digital elements to meet demanding new cybersecurity requirements. It might also introduce new challenges irrespective of each product category, such as alignment of vulnerability and incident management processes and risk management with the CRA, as well as overall governance of the new and amended processes. On the other hand, it brings opportunities for organisations to differentiate their products with digital elements from a quality perspective and become a leader and model producer of secure products within their industry.
Timeline
The CRA officially entered into force on 11 December 2024. Organisations that manufacture, distribute, or import products with digital elements for the EU market need to adhere to the vulnerabilities and incident reporting requirements by 11 June 2026, and have to comply with the full regulation 3 years after enactment, on 11 December 2027. This means that organizations have 36 months to adapt to all the requirements, as laid out in the legislation.17 In case of non-compliance, market surveillance authorities could prohibit or restrict products on the market and impose fines.18
How Deloitte can help your organisation navigate the requirements
We are well aware of the challenges and complexities that may arise from the introduction of the CRA. Please see below how we can help your organisation.
Our approach helps manufacturers navigate their way through the CRA in the most efficient and effective way, tailored to your organisation.
We will identify your current product portfolio and identify the applicable CRA method to conform with the requirements.
Once the method of conformity is determined, we will conduct a readiness assessment to identify upcoming areas where change might be needed and create a tailored roadmap to achieve conformity.
Author/ Contributor: Dominic Straub
