The EU Cyber Resilience Act (CRA) becomes enforceable as EU regulation on December 11, 2024, bringing significant changes to a wide range of digital products and services. Despite its critical implications, many companies remain unprepared, with management often underestimating the regulation’s impact on both revenue and costs.

When implemented strategically, the CRA offers an opportunity to gain a competitive edge. However, neglecting its requirements could lead to severe financial and reputational consequences. Notably, the CRA also applies to existing products with substantial updates, making it imperative for businesses to act now.

Burkhard Stubert from Embeddeduse.com has written an excellent article covering the details of the regulation and linking to the relevant directives. Below, we provide a concise summary of the key points, but we strongly recommend reading the full article for comprehensive insights and relevant links.

Coverage

• Effective Date: The EU CRA becomes active on 11 December 2024.
• Scope: Applies to all products with digital elements (PDEs) connected directly or indirectly to networks, except those governed by stricter sector-specific regulations (e.g., medical, automotive, aviation).
• Devices Covered: Includes hardware/software products such as:
  • Embedded devices (e.g., WiFi-enabled tools, CAN-bus-connected systems).
  • General-purpose hardware (routers, microcontrollers, SoCs).
  • Software applications (browsers, VPNs, operating systems).

Key Deadlines

• Notification Date: Starting 11 September 2026, manufacturers must report severe vulnerabilities and incidents.
• Penalty Date: From 11 December 2027, non-compliance can result in penalties.

Classification of PDEs

• Critical PDEs: Includes devices like smartcards, secure hardware modules.
• Important PDEs:
  • Class I: Password managers, VPNs, embedded browsers, routers.
  • Class II: Firewalls, hypervisors, intrusion detection systems.
• Default PDEs: All other products not classified as critical or important.

Compliance Requirements

• Conformity Assessments: Manufacturers must follow one of four procedures based on the product’s risk level.
• Support Period: Minimum 5 years or aligned with the product’s typical lifespan.

Impact

• Affects manufacturers of both new and legacy products with “substantial modifications” post-2027.
• Encourages secure design and proactive vulnerability management to improve product competitiveness.

Unique Provisions

• Open Source: Free and open-source software can undergo lighter self-assessments (CAP1).
• End of Support: Manufacturers may release source code to enable ongoing security updates after the product’s lifecycle ends.

Credits

This summary is based on insights from Burkard Stubert’s detailed analysis with real examples. For further information and all relevant links, please refer to the original article.

‍