Summary
The EU Cyber Resilience Act (CRA) mandates essential cybersecurity requirements for products with digital elements to ensure they are secure both at the time of placing on the market and during their expected use period. The Act emphasizes interoperability to enhance security and functionality across diverse products and services in the digital ecosystem.
Relevant CRA Provisions
- Recital (8)
- Recital (24)
- Recital (79)
- Recital (86)
- Recital (2)
- Recital (45)
- Recital (54)
- Article 6
- ANNEX I
Detailed Explanation
The CRA introduces objective-oriented and technology-neutral essential cybersecurity requirements for products with digital elements. These requirements apply horizontally across all such products to increase the overall level of cybersecurity in the internal market. The Act ensures that products necessary for digital infrastructure providers are developed securely and comply with well-established internet security standards. It also facilitates the assessment of conformity with these requirements through presumptions of conformity for products that meet harmonised standards or common specifications. The essential cybersecurity requirements cover both the properties of products with digital elements and the processes for handling vulnerabilities, ensuring that products are secure throughout their lifecycle.
Obligations for Stakeholders
Manufacturers: Must ensure that products with digital elements meet the essential cybersecurity requirements, including designing and producing products to ensure an appropriate level of cybersecurity based on the risks. They must also handle vulnerabilities effectively by identifying, documenting, and remediating them without delay, and by providing security updates. Manufacturers are required to apply regular tests and reviews, disclose information about fixed vulnerabilities, and enforce a policy on coordinated vulnerability disclosure. They must also facilitate the sharing of information about potential vulnerabilities and ensure secure distribution of updates.
Distributors, Importers, and Open Source Software Stewards: While the primary obligations fall on manufacturers, distributors, importers, and open source software stewards must ensure that the products they place on the market comply with the CRA’s requirements. They should verify that manufacturers have adhered to the essential cybersecurity requirements and that products are secure and up to date.