Summary

The EU Cyber Resilience Act (CRA) aims to enhance supply chain security by imposing specific responsibilities and compliance requirements on manufacturers, suppliers, and other key stakeholders. It addresses both technical and non-technical risk factors to ensure the security of products with digital elements.

Relevant CRA Provisions

Detailed Explanation

The CRA introduces measures to enhance the security of products with digital elements by addressing both technical and non-technical risk factors. It mandates essential cybersecurity requirements for these products and allows Member States to impose additional requirements where necessary. The regulation also emphasises vulnerability analysis through the documentation of components, including the creation of a Software Bill of Materials (SBOM). Market surveillance authorities are empowered to conduct simultaneous coordinated control actions (sweeps) to further enhance product security, selecting their targets on the basis of both technical and non-technical risk factors. The Commission is tasked with periodically evaluating and reviewing the regulation to adapt it to changing conditions.

Obligations for Stakeholders

Manufacturers: Must ensure that products with digital elements comply with the essential cybersecurity requirements. They should identify and document the components of their products, including by creating an SBOM, to facilitate vulnerability analysis. Manufacturers are not required to make the SBOM public.

Suppliers: Need to ensure that the products they supply meet the cybersecurity requirements set forth by the CRA. They should be prepared for market surveillance actions, including sweeps, especially if their products are identified as posing significant cybersecurity risks.

Market Surveillance Authorities: Are responsible for conducting sweeps and other control actions to ensure compliance with the CRA. They should consider both technical and non-technical risk factors when determining which product categories to target.

Commission: Is required to adopt delegated acts to determine which products with digital elements need to obtain a European cybersecurity certificate. The Commission must also periodically evaluate and review the regulation in consultation with stakeholders.