The CRA aims to protect consumers and businesses by introducing mandatory cybersecurity requirements for hardware and software products, with the purpose of reducing the vulnerabilities of products placed on the European Union market. Under these requirements manufacturers are expected to keep their products secure, including handling vulnerabilities, for the expected product lifetime or for a period of 5 years from the placing of the product on the market, whichever is shorter.
The proposal for the European CRA was published on 15 September 2022. No more detailed timeline has been announced.
The CRA is not sector specific. It applies to products with digital elements whose intended, or reasonably foreseeable, use includes a direct or indirect logical or physical data connection to a device or network. This covers hardware, software (embedded and non-embedded) and ancillary services that are essential to the product's functionality, such as cloud services. Out of scope are passive components such as cables, cloud services that are not ancillary services, and non-commercial activity.
In case of non-compliance with the essential requirements, fines can be up to 15 million EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
The first step is to understand where your organization currently stands. Not every organization offers products with digital elements, in which case the regulation sets no direct requirements on it. However, many of the services and products your organization uses may be within the scope of the regulation. Its requirements are therefore worth taking into consideration in supplier management: they require, for example, that users of a product are notified of vulnerabilities without undue delay, and the improved transparency on the security of hardware and software products benefits everyone.
Deloitte can help your organization address product-related cyber security by utilizing both your existing capabilities and our expertise. This approach identifies the necessary action points and helps your organization take the right steps to improve product quality by making products more secure.
Examples of approaches:
Product cyber security assessment: Gain an overview of your current key development areas in product-related cyber security and gain competitive advantage through more secure products.
Third-party security assessment: Assess whether the third parties providing your integrated components follow leading security practices in development and production.
Assessment against IEC 62443: This assessment compares the overlap between the Cyber Resilience Act and the IEC 62443 series of international standards, which address cybersecurity in automation, control systems and operational technology.
We at Deloitte are happy to discuss this further and provide more information on the matter.