Summary
The EU Cyber Resilience Act (CRA) aims to enhance the cybersecurity of products with digital elements, including those within the Internet of Things (IoT), by establishing essential cybersecurity requirements and ensuring secure development practices. The regulation seeks to address the growing cybersecurity challenges posed by the increasing number of connected devices.
Relevant CRA Provisions
Recitals: Recital 1, Recital 9, Recital 10, Recital 11, Recital 24
Articles: Article 2, Article 3
Detailed Explanation
The CRA emphasizes the importance of a secure internet and the need for high-level cybersecurity in products with digital elements, including those used by digital infrastructure providers. It mandates that these products be developed securely and comply with established internet security standards. The regulation applies to all connectable hardware and software products, aiming to facilitate compliance with supply chain requirements under Directive (EU) 2022/2555. It ensures that products used by digital infrastructure providers are secure and have access to timely security updates.
The scope of the CRA includes products with digital elements that have a direct or indirect logical or physical data connection to a device or network. It excludes certain products covered by other Union legal acts and those certified under specific regulations. The regulation also outlines critical and important products with digital elements, which include various hardware and software components essential for cybersecurity.
Manufacturers are required to ensure that all products with digital elements are designed and developed in accordance with the essential cybersecurity requirements. This includes products that are physically or logically connected and those indirectly connected to other devices or networks. The regulation aims to enhance cybersecurity for both consumers and businesses, ensuring that cybersecurity is integrated throughout supply chains.
Obligations for Stakeholders
- Manufacturers: Ensure products with digital elements are developed securely, comply with essential cybersecurity requirements, and provide timely security updates.
- Distributors: Make products with digital elements available on the market while ensuring they meet the regulation’s requirements.
- Importers: Place products with digital elements on the market, ensuring they comply with the CRA.
- Open-source software stewards: Provide sustained support for the development of free and open-source software intended for commercial activities, ensuring its viability and security.