The Cyber Resilience Act (CRA): Explained

Posted by Margaux on 16 September 2022

Yesterday (15/09/22), the European Commission unveiled its proposal for the Cyber Resilience Act, a piece of legislation that would use security by design to address vulnerabilities in connected devices (IoT).

What is it for?

Under the CRA, “products with digital elements” must meet cybersecurity requirements before they can be sold on the EU internal market. The underlying argument is that anything connected to the internet is exposed to attack, and the scope therefore covers both hardware and software.

Because the CRA aims to increase consumer trust and confidence in these products, it sets out transparency and user-information obligations alongside the rules on product properties and vulnerability handling.

According to data from the EU Agency for Cybersecurity (ENISA), the total cost of ransomware damages worldwide reached almost €20 billion in 2021. Another indicator of the issue’s seriousness is the fact that in 2021, a corporate ransomware attack happened almost every 11 seconds.

The CRA aspires to complement other texts like the AI Act, the Cybersecurity Act, and the Network Information Security 2 (NIS2) Directive rather than replacing them.

What are the requirements?

Manufacturers must ensure that vulnerabilities are properly handled throughout the expected product lifetime or for five years after the product is placed on the market, whichever is shorter.

Economic actors and member states will have two years after adoption to adjust to the new rules. The reporting obligation for actively exploited vulnerabilities and incidents, however, applies after only one year.

If a vulnerability in a product has been actively exploited, or an incident with security implications has occurred, manufacturers must notify the EU Agency for Cybersecurity (ENISA) within 24 hours.

My PoV

Although the proposal represents a great advancement, I think the CRA may go too far, too soon. Given the broad scope of the legislation, it may also be difficult to establish a rigid one-period-fits-all approach. Because the incident reporting requirement would take effect after only a year, there is a real possibility that manufacturers won’t be able to comply with it. The reporting obligation could also lead to over-notification.
