Summary
This article provides a detailed, practical framework for manufacturers and distributors to systematically identify, evaluate, and mitigate cybersecurity risks in compliance with the requirements of the Cyber Resilience Act (CRA). It outlines the essential steps and considerations necessary to conduct a thorough cybersecurity risk assessment, ensuring that products with digital elements meet the necessary cybersecurity standards and protect against potential threats.
Relevant CRA Provisions
- Recital (51): Discusses the compliance of high-risk AI systems with essential cybersecurity requirements and the application of conformity assessment procedures.
- Recital (91): Explains the conformity assessment procedures for products with digital elements, including the option for manufacturers to use internal control or third-party assessments.
- Recital (44): Describes the classification of important products with digital elements into two classes based on cybersecurity risk and the corresponding conformity assessment procedures.
- Recital (55): Addresses the justification for non-applicability of certain essential cybersecurity requirements and the measures to be taken by manufacturers in such cases.
- Article 12: Specifies the requirements for high-risk AI systems, including compliance with essential cybersecurity requirements and the applicable conformity assessment procedures.
- Article 33: Outlines support measures for microenterprises and small and medium-sized enterprises, including awareness-raising, training, and the establishment of cyber resilience regulatory sandboxes.
- Article 39: Details the requirements relating to notified bodies, including their independence, competence, and the necessary procedures for conformity assessment.
- Article 3: Provides definitions relevant to the CRA, including terms such as “product with digital elements,” “cybersecurity,” and “conformity assessment.”
Detailed Explanation
Conducting a cybersecurity risk assessment under the CRA involves several critical steps to ensure that products with digital elements are secure and compliant with the regulation’s requirements. Manufacturers and distributors must systematically identify potential cybersecurity risks, evaluate their likelihood and impact, and implement measures to mitigate these risks. This process should be documented and regularly reviewed to adapt to new threats and changes in the product’s environment.
The assessment should consider both the product’s design and the processes used in its development, production, and maintenance. It must address vulnerabilities, including those specific to high-risk AI systems, and ensure that products are made available on the market without known exploitable vulnerabilities. Manufacturers are required to provide secure-by-default configurations, regular security updates, and mechanisms to protect data confidentiality, integrity, and availability.
For products classified as important or critical, additional assurance measures are necessary. Manufacturers may choose to follow internal control procedures or involve third-party assessments, depending on the product’s classification and the level of cybersecurity risk. The use of harmonised standards, common specifications, or European cybersecurity certification schemes is encouraged to demonstrate conformity with essential cybersecurity requirements.
Manufacturers must also establish and enforce policies on coordinated vulnerability disclosure, facilitate the sharing of information about potential vulnerabilities, and ensure that security updates are disseminated without delay. Where certain essential cybersecurity requirements are not applicable, manufacturers should provide a clear justification in the technical documentation and take appropriate measures to address any identified risks.
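The four paragraphs above describe one procedure: identify risks, rate likelihood and impact, record mitigations, justify any non-applicable requirement, and review the record. As an added example (not code from the article or from the CRA text), the following Python sketch shows one way to keep that record and to list the findings that block making a product available; the 1..3 scoring scale, the high-risk threshold, the review interval, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed 1..3 ordinal scales (assumption, not CRA-defined); risk = product, 6 or 9 is high.
HIGH_RISK = 6

def risk_level(likelihood: int, impact: int) -> int:
    """Combine likelihood and impact (each 1..3) into a 1..9 risk level."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be on the 1..3 scale")
    return likelihood * impact

@dataclass
class Risk:
    risk_id: str
    threat: str
    likelihood: int
    impact: int
    mitigation: str = ""             # measure implemented; empty means none yet
    known_exploitable: bool = False  # known exploitable vulnerability as shipped

@dataclass
class Assessment:
    product: str
    risks: list
    not_applicable: dict             # essential requirement -> written justification
    last_review: date
    review_interval_days: int = 365  # assumed review cadence, not a CRA figure

def open_findings(a: Assessment, today: date) -> list:
    """Issues to resolve before the product is made available or the record is current."""
    findings = []
    for r in a.risks:
        if r.known_exploitable and not r.mitigation:
            findings.append(f"{r.risk_id}: known exploitable vulnerability without mitigation")
        elif risk_level(r.likelihood, r.impact) >= HIGH_RISK and not r.mitigation:
            findings.append(f"{r.risk_id}: high risk without mitigation")
    for req, why in a.not_applicable.items():
        if not why.strip():
            findings.append(f"{req}: non-applicability claimed without justification")
    if today - a.last_review > timedelta(days=a.review_interval_days):
        findings.append("assessment overdue for review")
    return findings

def sample_assessment() -> Assessment:
    """Constructed sample record for a hypothetical product (not real data)."""
    risks = [Risk("R1", "default admin credential", 3, 3, known_exploitable=True),
             Risk("R2", "unsigned update image", 2, 3, mitigation="signed updates"),
             Risk("R3", "verbose error page", 1, 1)]
    return Assessment("example-gateway", risks, {"requirement-placeholder": ""}, date(2024, 1, 1))
```

Running `open_findings(sample_assessment(), date(2025, 1, 10))` reports the unmitigated known exploitable vulnerability, the missing justification, and the overdue review, while the mitigated high risk and the low-level risk produce no finding.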
Obligations for Stakeholders
- Manufacturers: Must conduct thorough cybersecurity risk assessments, ensure products comply with essential cybersecurity requirements, and provide regular security updates. They should also establish vulnerability disclosure policies and facilitate information sharing about potential vulnerabilities.
- Distributors: Must ensure that products they make available on the market have undergone appropriate cybersecurity risk assessments and comply with the CRA’s requirements.
- Notified Bodies: Must meet specific requirements for independence, competence, and procedures to carry out conformity assessments, ensuring that products with digital elements meet the essential cybersecurity requirements.
- Microenterprises and Small and Medium-sized Enterprises: Are entitled to support measures, including awareness-raising, training, and access to regulatory sandboxes, to help them comply with the CRA.