Summary
The Cyber Resilience Act (CRA) mandates specific cybersecurity requirements for products with digital elements to ensure their security both at the time of placing on the market and during their expected use. These requirements aim to enhance the cybersecurity of products for consumers and businesses, taking into account the risks associated with their use and integration within larger systems.
Relevant CRA Provisions
- Recital (10)
- Recital (55)
- Recital (38)
- Recital (54)
- Recital (86)
- Recital (52)
- Recital (9)
- Article 1
- Article 6
- Annex I
Detailed Explanation
The CRA establishes essential cybersecurity requirements for products with digital elements to ensure they are secure when placed on the market and during their expected use. These requirements include designing and developing products to ensure an appropriate level of cybersecurity, addressing vulnerabilities without delay, and complying with specific technical standards. The essential cybersecurity requirements are detailed in Annex I, Part I and Part II, covering both the properties of the products and the vulnerability handling processes. Manufacturers must conduct a cybersecurity risk assessment to identify relevant risks and apply suitable standards. There is a presumption of conformity for products that meet the common specifications adopted by the Commission.
Obligations for Stakeholders
- Manufacturers: Must ensure products meet essential cybersecurity requirements, conduct risk assessments, document vulnerabilities, provide security updates, and facilitate vulnerability disclosure.
- Distributors and Importers: Must ensure that products they make available on the market comply with the CRA’s requirements and maintain necessary documentation.
- Open Source Software Stewards: Must adhere to the essential cybersecurity requirements and vulnerability handling processes as applicable.