Summary
The Cyber Resilience Act (CRA) mandates comprehensive risk assessments and robust cybersecurity risk management strategies for products with digital elements. Companies must identify, evaluate, and mitigate cybersecurity risks throughout the product lifecycle to ensure compliance with the CRA’s essential cybersecurity requirements.
Relevant CRA Provisions
Detailed Explanation
The CRA requires manufacturers and other economic operators to conduct thorough risk assessments for products with digital elements. This involves identifying potential cybersecurity risks, evaluating their likelihood and impact, and implementing measures to mitigate these risks. The risk assessment must consider both technical vulnerabilities and non-technical factors, such as dependencies on high-risk vendors. Products classified as high-risk AI systems under Regulation (EU) 2024/1689 must comply with additional specific requirements. The CRA also mandates that manufacturers ensure their products meet essential cybersecurity requirements when placed on the market and throughout their lifecycle. This includes providing necessary security patches and updates. In cases where compliant products still pose significant cybersecurity risks, market surveillance authorities can require corrective actions, including recalls or withdrawals.
Obligations for Stakeholders
Manufacturers: Must conduct comprehensive risk assessments, ensure products meet essential cybersecurity requirements, provide necessary updates and patches, and cooperate with market surveillance authorities and ENISA in case of significant risks.
Distributors and Importers: Must ensure that products they make available on the market have undergone proper risk assessments and comply with essential cybersecurity requirements.
Open Source Software Stewards: Must support the development and maintenance of free and open-source software to ensure it meets essential cybersecurity requirements.
Market Surveillance Authorities: Must evaluate products, require corrective actions for significant risks, and inform the Commission and other Member States of measures taken.
ENISA: Must support risk assessment and management by providing technical reports, maintaining the European vulnerability database, and offering helpdesk support to manufacturers.
CSIRTs Designated as Coordinators: Must inform the public about severe incidents and provide helpdesk support to manufacturers regarding reporting obligations.