Cyber Resilience Act: Who is affected by CRA, and what needs to be done now
07/05/2025 by Matthias Poppel
At the recent Embedded World trade fair in Nuremberg, it was one of the most discussed topics: the EU's Cyber Resilience Act (CRA). Many exhibitors and visitors appeared confused, since the law seems complex and its consequences unclear. It is therefore high time for a brief overview: what decision-makers in companies need to know about the CRA now – and which steps they should take right away.
Be it due to defective airbags, brakes, or locks: The automotive industry repeatedly conducts recalls, often affecting millions of cars. Meanwhile, the software industry is not familiar with such a procedure. Customers have to accept that software may contain vulnerabilities. According to the software vendors' terms of use, users are responsible for installing updates and patches themselves. This resembles a situation in which car owners would have to retrofit airbags and ABS into their vehicles themselves – and then would also oversee keeping these critical components in working order.
The risk potential is enormous: Last year, cybercrime caused damage amounting to almost 180 billion euros in Germany alone, according to German IT association Bitkom. The preferred attack vectors are phishing and stolen passwords. However, attackers also often exploit software vulnerabilities – both new ones and ones that have been around for a long time but have never been fixed.
At the same time, digitization is resulting in an escalating number of devices that contain IT components, increasing the attack surface. That is why the EU's CRA requires manufacturers of all products “with digital elements” to protect their products against abuse by implementing state-of-the-art technology. The law imposes several requirements on manufacturers of such devices:
- assess the cybersecurity risk
- meet basic cybersecurity requirements
- provide security updates for the expected product life cycle (but at least ten years)
- provide instructions and information for end users
- address vulnerabilities
- create technical documentation
- issue an EU declaration of conformity
- report exploited vulnerabilities and security incidents
- cooperate with supervisory authorities in the event of incidents
For industrial manufacturers, such a concept is not new. Here, the IEC 62443 standard has long been established as a framework for securing industrial automation and control systems. In the industrial sector, this IEC standard therefore provides a good starting point for CRA implementation.
However, the CRA has a much wider scope. This is because the law affects a wide range of product types:
- of course, classic IT systems such as servers, PCs, and notebooks
- as well as smartphones, tablets, and other mobile devices such as smartwatches
- the industrial control systems mentioned above
- networked household appliances, such as autonomous vacuum cleaners
- vehicles, including agricultural vehicles (e.g., GPS-controlled combine harvesters)
- healthcare technology
- electric car charging stations
- networked toys
- the rapidly growing array of products carrying “AI” in their name and/or product description
- robots, and much more
All suppliers of equipment that contains digital components in any form must therefore prepare for the new law. Otherwise, they will no longer be allowed to sell their products in the EU from the end of 2027.
Two approaches
There are two approaches for continuing to bring products with digital elements to market in the EU: First, existing products can be retrofitted with components for IT and information security. Second, in the case of new products, security by design: Manufacturers integrate security measures from the start and document them.
The core challenge lies in protecting generated data in transit and at rest (i.e. stored locally). Well-established encryption protocols are used to ensure secure data transmission, while equally proven encrypted storage components are available for secure data storage. The good news is that both are suitable for retrofits as well as new product development in accordance with security by design.
The time to act is now
The CRA came into force in late 2024, and the transition period for implementation will expire in late 2027 – that is, in less than three years. Affected manufacturers must therefore take the following steps:
✓ Define or revise the product roadmap for the EU market
✓ If necessary, build up expertise and staff for secure product development
✓ Conduct a risk assessment for affected products, classify the products and, if classified as “critical” (class I or II), provide for certification
✓ Convert production processes to security by design (if not already implemented)
✓ Define secure default settings as the delivery state (“security by default”)
✓ Establish vulnerability management and reporting processes so that critical vulnerabilities can be reported within 24 hours
✓ Prepare technical documentation and certification (CE mark)
✓ Plan materials and communication channels for transparent end user information
✓ Create measures for ongoing monitoring of CRA compliance
✓ Start looking for a competent partner who can demonstrate experience with embedded components for secure data storage
The EU's Cyber Resilience Act poses enormous challenges for manufacturers of products with digital elements. Countless product groups are affected. This requires manufacturers to take a wide variety of steps, from security by design to documentation, reporting processes, and, in some cases, certification. This is the only way to ensure that products can continue to be marketed in the EU from the end of 2027. Companies should not delay taking the necessary steps. The changes to production processes required by the CRA can be extensive, so three years is not a big time window. And no one wants to have to recall their brand-new product generation because the legally required airbag for stored data doesn't work.
Resources
Infographic: Cyber Resilience Act - 9 Key Actions for Compliance