Summary

The EU Cyber Resilience Act (CRA) is designed to enhance the cybersecurity of products with digital elements within the EU, aligning with and complementing the objectives of the NIS2 Directive.

Relevant CRA Provisions

Recitals: Recital (73), Recital (72), Recital (69), Recital (115), Recital (103)

Articles: Article 17, Article 70, Article 12, Article 3

Detailed Explanation

The CRA establishes a framework for the cybersecurity of products with digital elements, ensuring they meet essential cybersecurity requirements. The CRA also requires manufacturers to comply with specific cybersecurity standards and undergo conformity assessments.

It mandates the creation of a single reporting platform by ENISA for the swift dissemination of vulnerability and incident notifications to relevant Computer Security Incident Response Teams (CSIRTs). Additionally, the CRA encourages Member States to provide single entry points for reporting requirements to simplify compliance and reduce administrative burdens. The Act ensures that notifications are handled securely and confidentially, particularly for vulnerabilities without available security updates.

ENISA is tasked with preparing a biennial technical report on emerging cybersecurity risks, which is submitted to the Cooperation Group. The CRA also outlines provisions for public awareness and the management of high-risk AI systems, ensuring they meet cybersecurity requirements.

The relationship with NIS2 is implicit in the coordination and information sharing mechanisms between ENISA and the CSIRTs, as well as in the alignment of cybersecurity objectives and incident reporting requirements.

Obligations for Stakeholders

Manufacturers: Must ensure products with digital elements comply with essential cybersecurity requirements, undergo conformity assessments, and report vulnerabilities and incidents through the single reporting platform.

Distributors and Importers: Must ensure that products they make available on the market comply with CRA requirements.

Open Source Software Stewards: Must systematically support the development of free and open-source software intended for commercial activities, ensuring its viability and compliance with cybersecurity standards.

ENISA: Responsible for establishing and maintaining the single reporting platform, preparing technical reports, and supporting market surveillance authorities.

CSIRTs Designated as Coordinators: Must inform market surveillance authorities about notified vulnerabilities or incidents and provide helpdesk support to manufacturers.