Cyber Resilience Act: How the EU’s new regulation affects your digital product

The Cyber Resilience Act (CRA) builds on the EU’s cybersecurity strategy presented by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy in 2020. The strategy was developed in response to our society’s enormous digital transformation over the past few years, especially during the COVID-19 pandemic.

The transformation has meant remarkable progress in innovation and technology, but it has also created a constantly growing threat landscape when it comes to cybersecurity. Therefore, we are now in need of innovative solutions tailored to this new landscape.

As part of these solutions, CRA entered into force on the 10th of December 2024. That means that all products with a digital component will need to follow the new requirements by the 11th of December 2027. The requirements defined by the CRA will make digitalisation safer for both consumers and companies.

Article in summary:

  • The background to why the EU introduced the Cyber Resilience Act
  • What the regulation means for manufacturers of digital products
  • Which requirements apply to cybersecurity and lifecycle responsibility
  • How companies can prepare for the new rules
  • Why it’s important to start the process early

The CRA has three main purposes:

1. Make digital products safer
The CRA covers all wireless and wired products connected to the internet, and all software, entering the EU market. The intention of the CRA is to make these products safer for both companies and consumers by imposing requirements on the products.

2. Make the manufacturer responsible for the entire lifecycle
Another vital aspect of the CRA is that the manufacturer will be responsible for the cybersecurity of its products throughout their entire lifecycle. Currently, a lot of manufacturers don’t offer any updates to their products when new security risks affecting their products are identified, which can have significant consequences for the users.

3. Make it easier to understand a product’s cybersecurity level
Last but not least, the CRA is meant to make it easier for consumers to be properly informed about the cybersecurity level of the products they’re buying. Currently, there is no clear or standardised way for consumers or companies to quickly assess how safe a product is.

In the long run, the intention behind the CRA is to decrease the number of cybersecurity incidents that occur. That, in turn, will hopefully lead to increased trust in products with digital components, as well as increased demand for them.

What can I do now?

Exactly which changes need to be made to the way companies work or to how their products are designed will, of course, vary a lot from company to company and sometimes even from product to product. It depends entirely on your current processes and how they compare to the new requirements.

For some companies, the CRA might mean massive changes that will require both time and resources to succeed. For others, the changes might not feel very drastic, even if there’s a lot to learn and consider. The important part is that you start early so that the transition can be made over time and feel like a natural part of your development as a company.

Regardless of your company’s current situation, there are a few practical steps you can take in order to put the changes you need to make into motion:

1. Look over your current internal processes

Compare the requirements set by the CRA with how you currently work. If you start adapting your processes now, you’ll be able to make all the necessary changes gradually over the next three years instead of trying to get everything into place at the last minute.

2. Internal cybersecurity education

Make sure that everyone who works at the company and is in any way affected by the CRA is educated on cybersecurity and what the new requirements mean. The more people within the company who know what’s required of the company and why, the easier it will be to avoid mistakes.

3. Plan for future necessary resources

The CRA means that companies will be responsible for their own products’ cybersecurity levels throughout their entire lifecycle. Therefore, it’s crucial that you take the time now to figure out what resources you will need in the long term. Do you, for example, already have experts at the company who will be able to work with these types of updates continuously? Or is that something you will need to recruit or hire consultants for?

4. Get involved in standard development

The easiest way to get better insight into coming standards and regulations such as the CRA is to become a member of a standardisation organisation such as ITS or ETSI. That way, you’ll not only know what standards are in the pipeline before they’re voted on, but you’ll also get to hear the discussions and arguments behind them. In addition to understanding the standards better, you’ll also have the opportunity to add your company’s perspective to the discussion and can be a part of shaping the final standards.
