Summary
This article outlines how manufacturers can embed compliance with the EU Cyber Resilience Act (CRA) throughout the product development lifecycle, so that security and resilience are designed in from the initial design phase and maintained through vulnerability handling and security updates once the product is on the market.
Relevant CRA Provisions
- Recital (92)
- Recital (34)
- Recital (35)
- Recital (51)
- Recital (91)
- Recital (41)
- Recital (77)
- Recital (9)
- Article 12
Detailed Explanation
The CRA requires manufacturers of products with digital elements to integrate cybersecurity throughout the product lifecycle: design, development and production, and then vulnerability handling and security updates for the support period after the product is placed on the market.

Manufacturers remain responsible for the conformity of the whole product, including components sourced from third parties, with the essential cybersecurity requirements set out in the Regulation. They must therefore exercise due diligence when integrating such components, for example by checking whether a component bears the CE marking, whether its supplier issues regular security updates, and whether vulnerability databases list known vulnerabilities for it. Open-source components integrated into a commercial product fall under this obligation in the same way as proprietary ones.

Products that are also high-risk AI systems under the AI Act are addressed by Article 12: a product with digital elements that meets the CRA's essential cybersecurity requirements is deemed to satisfy the AI Act's cybersecurity requirement for high-risk AI systems, and the conformity assessment follows the procedure of the AI Act, subject to the exceptions that Article sets out for certain product categories.

Finally, manufacturers must identify and document the components in their products, including by drawing up a Software Bill of Materials (SBOM) in a commonly used, machine-readable format that covers at least the top-level dependencies. The SBOM is the basis for vulnerability analysis during the support period and gives downstream users and authorities visibility into the supply chain.
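As an added illustration (not code from the article, nor from any CRA guidance document), the following Python script runs the kind of due-diligence pass described above over a CycloneDX SBOM: it walks every component, including nested sub-components, flags components that cannot be identified or have no recorded supplier, and looks each Package URL (purl) up in a vulnerability feed. The SBOM, the feed and the advisory identifiers are all constructed inline for the example; a real pass would load the SBOM produced by the build and pull the feed from a vulnerability database.

```python
"""Due-diligence pass over a CycloneDX SBOM.

Added example, not from the original article. Assumes a CycloneDX 1.5 JSON
SBOM and a locally cached vulnerability feed keyed by purl; both are
constructed inline below so the script runs offline.
"""
import json
from dataclasses import dataclass
from typing import Iterator

# Constructed sample SBOM for a fictional firmware image. The third component
# is deliberately incomplete (no version, purl or supplier).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-thermostat-fw", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "mbedtls", "version": "2.28.4",
         "purl": "pkg:generic/mbedtls@2.28.4", "supplier": {"name": "Arm"}},
        {"type": "library", "name": "libfoo", "version": "1.0.2",
         "purl": "pkg:generic/libfoo@1.0.2", "supplier": {"name": "Foo Ltd"},
         # nested sub-component, which a naive scan would miss
         "components": [
             {"type": "library", "name": "vendor-blob"},
         ]},
    ],
})

# Constructed vulnerability feed: purl -> advisory identifiers. These are
# made-up identifiers for the example, not real advisories.
SAMPLE_FEED = {
    "pkg:generic/libfoo@1.0.2": ["EXAMPLE-ADV-0001"],
}

ISSUE_UNIDENTIFIABLE = "unidentifiable"   # no purl/version: cannot be looked up
ISSUE_NO_SUPPLIER = "no-supplier"         # nobody to ask for updates or attestations
ISSUE_KNOWN_VULN = "known-vulnerability"  # listed in the vulnerability feed


@dataclass(frozen=True)
class Finding:
    component: str  # component name as recorded in the SBOM
    issue: str      # one of the ISSUE_* codes above
    detail: str


def iter_components(node: dict) -> Iterator[dict]:
    """Depth-first walk over 'components', descending into nested ones."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def check_sbom(sbom_json: str, feed: dict[str, list[str]]) -> list[Finding]:
    """Return every due-diligence finding for the components in the SBOM."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings: list[Finding] = []
    for comp in iter_components(sbom):
        name = comp.get("name", "<unnamed>")
        purl = comp.get("purl")
        if not purl or not comp.get("version"):
            findings.append(Finding(name, ISSUE_UNIDENTIFIABLE,
                                    "missing purl or version; cannot be matched "
                                    "against vulnerability databases"))
        if not comp.get("supplier", {}).get("name"):
            findings.append(Finding(name, ISSUE_NO_SUPPLIER,
                                    "no supplier recorded; no contact for security updates"))
        for advisory in (feed.get(purl, []) if purl else []):
            findings.append(Finding(name, ISSUE_KNOWN_VULN, advisory))
    return findings


def release_ok(findings: list[Finding]) -> bool:
    """Release gate: block on known vulnerabilities and unidentifiable components.

    A missing supplier is reported but does not block on its own, since the
    manufacturer may still be able to patch the component itself.
    """
    blocking = {ISSUE_KNOWN_VULN, ISSUE_UNIDENTIFIABLE}
    return not any(f.issue in blocking for f in findings)


if __name__ == "__main__":
    results = check_sbom(SAMPLE_SBOM, SAMPLE_FEED)
    for f in results:
        print(f"{f.component:12} {f.issue:20} {f.detail}")
    print("release ok:", release_ok(results))
```

The walk over nested components matters in practice: vendored or statically linked dependencies often appear only as sub-components, and a check that reads the top-level list alone will report a clean SBOM for a product that ships a vulnerable transitive dependency.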
Obligations for Stakeholders
- Manufacturers: Must ensure that products with digital elements comply with the essential cybersecurity requirements throughout the development lifecycle and the support period. This includes exercising due diligence on third-party and open-source components, drawing up and maintaining an SBOM, and, for products that are high-risk AI systems, following the conformity assessment route set out in Article 12.
- Importers and Distributors: The primary obligations lie with manufacturers, but importers must verify before placing a product on the market that the manufacturer has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking and supplied the required information (Article 19), and distributors must verify that the product bears the CE marking and is accompanied by the required documentation (Article 20). Neither may make available a product they know or have reason to believe does not conform to the CRA.
- Open Source Software Stewards: Are not subject to the full manufacturer obligations. Under Article 24 they must put in place a cybersecurity policy that fosters secure development and effective vulnerability handling for the software they steward, cooperate with market surveillance authorities, and report actively exploited vulnerabilities they become aware of. A manufacturer that integrates open-source components into a commercial product remains responsible for those components' conformity with the essential cybersecurity requirements.