What is the CRA and who does it apply to?

The CRA (Cyber Resilience Act) is a European Union regulation that imposes a set of cybersecurity requirements and obligations on manufacturers, software developers, importers, distributors and other parties involved in supplying products with digital elements on the EU market, so that cybersecurity is taken seriously and addressed effectively.

The CRA applies throughout the lifecycle of these products. It requires the parties involved to adopt effective cybersecurity measures and secure development practices, ranging from security by design and by default to the protection of personal data (without prejudice to the GDPR, which continues to apply), together with vulnerability handling and incident management. The aim is to give the supply chain the means to mitigate vulnerabilities and other security problems in its products quickly and effectively.

Under the CRA, a manufacturer that becomes aware of an actively exploited vulnerability in its product, or of a severe incident affecting the product's security, must act on it without delay. It must submit an early warning to the designated CSIRT (Computer Security Incident Response Team) and to ENISA within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report afterwards (within 14 days of a corrective measure becoming available for a vulnerability, or within one month for a severe incident), and it must inform affected users. Manufacturers must also cooperate with the national authorities in the investigation and resolution of cybersecurity incidents related to their products.

These rules complement a set of other EU laws and measures that, individually, addressed or mitigated specific problems, forming a kind of legislative mosaic.

If you are a provider interested in complying with the Cyber Resilience Act (CRA), the requirements for your services are detailed in the Trust Seal, one of whose dimensions specifically covers the CRA. For more information, visit ciberia.usal.es

What is the motivation behind this measure?

Today, the main vectors used in cyberattacks exploit vulnerabilities and flaws in hardware and software products. Because of the global nature of the internet and the growing number of connected entities, an incident involving a single product can affect an entire organization and propagate rapidly across its supply chain and customer base and, left uncontrolled, across a country or beyond its borders.

It is therefore crucial to act swiftly on any vulnerability or flaw that is identified, including those reported by security researchers, and effective response policies from manufacturers and software developers are essential. With products that can be updated to fix emerging vulnerabilities, and with the relevant information about their cybersecurity properties available, consumers will be better placed to make safer choices.


What types of products do these measures target?

The CRA covers products with digital elements in general. Annexes III and IV of the regulation list the categories that are subject to stricter conformity assessment, distinguishing between important and critical products. The types of product concerned can be summarized as follows:

Common use equipment: personal computers, laptops, tablets, smartphones
Business use equipment: servers, NAS, industrial control systems
Networking equipment: routers, switches, firewalls
Protection and measurement equipment: surveillance cameras, cleaning robots, measurement sensors
Software: operating systems, applications, games, firmware

It is important to note that terms such as “personal computer” or “firmware” do not refer only to a laptop: they also cover any device that incorporates these elements, such as a refrigerator, a Wi-Fi switch or even a toy.


Exemptions in the application of the CRA

Free and open-source software that is not supplied in the course of a commercial activity is not covered by the rules and requirements of the CRA. However, open-source software from which its developers derive income (for example paid technical support, or commercial use of the data generated by the software's users) is within scope and must comply like any other product. The exemption from fines in Article 53(10.a) cited here does not apply to such commercial use: it covers open-source software stewards, that is, organizations that systematically support the development of open-source products without themselves placing them on the market as manufacturers. Stewards have lighter obligations under the CRA and are not subject to administrative fines.

Pure software solutions distributed as SaaS (Software as a Service) are also outside the CRA, since they fall under the NIS2 Directive instead. The exception is remote data processing that the manufacturer designs as part of a product with digital elements and without which the product could not perform its functions: that processing is treated as part of the product and is covered by the CRA.

For other software, where a product already complies with other European rules (such as the NIS2 Directive [still not transposed into Portuguese law], the Artificial Intelligence Regulation, etc.) that impose cybersecurity requirements of a level comparable to the CRA's, it does not need to demonstrate compliance with the CRA again for the requirements already covered by those other rules, as long as it does comply with them.

Likewise, products, including IoT products, that are covered by other European regulations with an equivalent level of cybersecurity requirements (for example electronic health record systems under the European Health Data Space Regulation) do not need to comply with the CRA in addition, as long as all the relevant requirements are already met through those other regulations.


What is the applicable legislation?

Because the CRA is an EU regulation rather than a directive, it applies directly in every Member State, including Spain, without needing to be transposed into national law. The reference text is therefore the regulation itself as adopted by the European Parliament and the Council.

Other important references

ENISA mapping of CRA requirements

What are the penalties and/or sanctions?

Non-compliance with the regulation can result in administrative fines which, depending on the provision breached and other factors, can reach up to €15 million or 2.5% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.


When will the CRA come into effect?

On October 10, 2024, the CRA was adopted by the Council of the European Union. It was then signed by the presidents of the Council and the European Parliament on October 23, 2024 and published in the Official Journal of the EU on November 20, 2024 as Regulation (EU) 2024/2847, entering into force twenty days later, on December 10, 2024. The reporting obligations for actively exploited vulnerabilities and severe incidents become enforceable 21 months after entry into force (from September 11, 2026), and the remaining technical requirements 15 months after that, i.e. 36 months after entry into force (from December 11, 2027).


The CRA is a regulation of the European Union aimed at improving the cybersecurity of digital products and ensuring they are secure and resistant to attacks and vulnerabilities.

The CRA applies to manufacturers, importers and distributors of products with digital elements, whether hardware or software, including any remote data processing that such a product depends on to function.

The CRA covers products with digital elements generally, and singles out important and critical products, such as operating systems, networking devices, IoT devices and other products that integrate software or firmware, for stricter conformity assessment.

Manufacturers must ensure their products meet the established security requirements, perform and document risk assessments, report actively exploited vulnerabilities and severe incidents, and provide security updates throughout a defined support period (at least five years, unless the product's expected lifetime is shorter).

A "critical product" is one that has a significant impact on security, privacy, or key infrastructure, whose vulnerability could compromise the cybersecurity of important systems.

Compliance will be supervised by the market surveillance authorities designated by each Member State, which will carry out audits and controls on products on the market.

Penalties for non-compliance can include fines, bans on selling non-compliant products, and the obligation to remove products from the market.

Some products are exempt because they are already covered by sector-specific EU rules with equivalent security requirements, and non-monetized free and open-source software is outside the scope altogether. Products that are neither important nor critical are not exempt, but follow a lighter conformity-assessment route based on the manufacturer's self-assessment.

The CRA aims to increase consumer trust by ensuring that digital products are safer and more resistant to attacks and vulnerabilities.