Summary
This article examines the similarities and differences between the EU Cyber Resilience Act (CRA) and international cybersecurity standards, such as ISO/IEC 27001. It highlights how the CRA complements or diverges from these established frameworks, providing a comprehensive understanding of its unique contributions to cybersecurity regulation.
Relevant CRA Provisions
Recital 79, Recital 83, Recital 84, Recital 87
Detailed Explanation
The CRA introduces a robust framework for cybersecurity that aligns with and builds upon international standards like ISO/IEC 27001. Recital (79) emphasizes the presumption of conformity for products adhering to harmonized standards, which translate the CRA’s essential cybersecurity requirements into detailed technical specifications. This approach ensures that products meeting these standards are presumed to comply with the CRA’s requirements.
Recital (83) outlines the European standardization framework, which is based on the New Approach principles. It highlights the importance of market-driven, consensus-based standards that consider public interest and policy objectives. In cases where harmonized standards are absent or delayed, the Commission can adopt common specifications as an exceptional fallback solution, as per Article 27(2).
Recital (84) stresses the need for stakeholder involvement in establishing common specifications, ensuring a balanced representation of interests. Recital (87) encourages manufacturers to apply harmonized standards, common specifications, or European cybersecurity certification schemes to facilitate conformity assessment.
Article 27(1) provides a presumption of conformity for products and processes that comply with published harmonized standards. The Commission is tasked with requesting European standardization organizations to draft these standards, taking into account existing European and international standards to simplify their development. Article 27(2) allows the Commission to establish common specifications under specific conditions, such as when harmonized standards are not available or do not comply with the request.
Obligations for Stakeholders
Manufacturers: Must ensure that their products with digital elements comply with the essential cybersecurity requirements. They can demonstrate conformity by adhering to harmonized standards, common specifications, or European cybersecurity certification schemes.
Distributors, Importers, and Other Economic Operators: Must ensure that products they make available on the market comply with the CRA’s requirements. They should verify that manufacturers have applied relevant standards or specifications.
Open-Source Software Stewards: Must support the development and viability of free and open-source software products, ensuring they meet the CRA’s cybersecurity requirements.
Commission: Responsible for requesting the development of harmonized standards, establishing common specifications where necessary, and involving stakeholders in the standardization process.