As cybercrime increases in frequency, regulators are requiring organizations worldwide to strengthen their cybersecurity measures and resilience postures. To that end, the European Union has proposed the Cyber Resilience Act (CRA), legislation designed to regulate the cybersecurity of digital products across the EU’s 27 member states. The act will establish common cybersecurity requirements for hardware and software, or “products with digital elements,” and impose security obligations across the EU’s connected hardware and software ecosystem. By standardizing these rules across the EU's single market, it also aims to improve collaboration and preparedness against cyberthreats and to make the software and hardware reaching end users more secure.
To ensure compliance, designated market surveillance authorities can enforce corrective actions, market withdrawals and fines for noncompliance. The CRA is expected to be formally adopted later in 2024, and economic operators and EU member states will then have 36 months from its entry into force to comply. A notable exception is the obligation for manufacturers to report actively exploited vulnerabilities and severe incidents, which applies 21 months after the act enters into force. To facilitate compliance, the European Commission will issue a standardization request to the European standardization organizations to develop harmonized technical standards for the covered product categories.
Meeting the CRA’s requirements could be challenging for manufacturers and software developers. However, the CRA also creates an opportunity to finally harmonize rules and regulations in a way that could significantly reduce cybercrime.
The key premise of the CRA is its recognition that many products ship with an inadequate level of cybersecurity and receive inadequate security updates afterward. It also recognizes that many consumers and organizations have neither the insight to determine which products are secure nor the knowledge to configure them securely.
According to an EU statement, the CRA will:
- Harmonize rules when bringing to market products or software with a digital component
- Establish a framework of cybersecurity requirements governing the planning, design, development and maintenance of such products, with obligations to meet at every stage of the value chain
- Require manufacturers to exercise a duty of care for the entire lifecycle of such products
When the act is fully in force, products and software that meet the CRA’s requirements will bear the CE (Conformité Européenne) marking, which is already used on other European products to signal conformity with EU safety requirements to consumers. However, earning the CE mark will not necessarily be easy.
Challenges of CRA Compliance
One of the challenges for hardware producers and software developers will be ensuring that third-party providers in their supply chains meet CRA requirements. Many organizations already run effective third-party risk management (TPRM) programs that identify vulnerabilities throughout their supply chains, a practice that every organization planning to obtain the CE mark for its products or services should consider adopting.
Many organizations find it challenging to modernize their risk programs to include TPRM. One useful resource is the Federal Deposit Insurance Corporation’s (FDIC) formal risk-based approach to understanding and managing third parties, which was updated in 2023. But even with such guidance available, too many global organizations focus on preventing a recurrence of their last disruption rather than proactively confronting the risks that may already exist within their supply chains.
As the regulatory landscape continuously evolves, many organizations already need to adhere to similar regulatory requirements and may therefore have relatively little additional work to do to meet the CRA specifically. However, organizations that lack in-house experience may need assistance from a managed service provider or outside consultants to gather best-practice information and build it into their cybersecurity frameworks to ensure CRA compliance.
Tips for CRA Compliance
To ensure CRA compliance, organizations can take the following steps:
- Perform a gap analysis comparing the current state of the environment with the state the CRA will require
- Start compliance efforts early, as there will likely be unforeseen hurdles along the way
- Consult a firm with experience implementing guidelines, frameworks and regulatory requirements
By following these steps, organizations may not only comply with the CRA standards but also strengthen their overall resilience posture.
Global Implications of the CRA
Once the CRA is fully implemented and manufacturers achieve full compliance, the European Commission will review the CRA periodically and report on its progress in improving cybersecurity. Organizations should expect amendments and changes along the way due to the long adoption period, differing regional and global security cultures, the constantly evolving cyberrisk landscape, and the complexity of aligning already-existing regulations and governing bodies across EU member states.
The CRA affects every manufacturer, importer and distributor that places products with digital elements on the EU market. By achieving compliance, organizations will not only be able to assure customers that they have implemented robust cybersecurity practices throughout the product development process, they will also strengthen their overall resilience to cyberthreats.