Summary
The Cyber Resilience Act (CRA) mandates specific security requirements for connected devices to enhance their protection against cyber threats and ensure compliance with the CRA’s standards. These requirements aim to ensure that all products with digital elements are designed, developed, and produced with an appropriate level of cybersecurity, taking into account the risks associated with their use.
Relevant CRA Provisions
- Recitals: Recital 8, Recital 9, Recital 10, Recital 11, Recital 24, Recital 52, Recital 54
- Articles: Article 6
Detailed Explanation
The CRA introduces objective-oriented and technology-neutral essential cybersecurity requirements for all products with digital elements placed on the internal market. These requirements apply horizontally to ensure that products are adequately secured throughout their lifecycle. Connected devices, which can serve as attack vectors for malicious actors, must be designed and developed in accordance with these essential cybersecurity requirements. This includes both physically and logically connected products, such as those connected via network sockets, application programming interfaces, or other software interfaces.
Manufacturers must ensure that products with digital elements are made available on the market without known exploitable vulnerabilities, with a secure-by-default configuration, and with mechanisms to address vulnerabilities through security updates. Additionally, products must protect against unauthorised access, ensure the confidentiality and integrity of data, and maintain the availability of essential functions. Manufacturers are also required to identify and document vulnerabilities, apply regular security tests, and facilitate the coordinated disclosure of vulnerabilities.
Obligations for Stakeholders
Manufacturers: Must ensure that products with digital elements meet the essential cybersecurity requirements, including designing and developing products to limit attack surfaces and reduce the impact of incidents. They must also handle vulnerabilities effectively, provide security updates, and facilitate the disclosure of vulnerabilities.
Distributors and Importers: Must ensure that products they place on the market comply with the CRA’s requirements. They should verify that manufacturers have adhered to the essential cybersecurity requirements before distributing or importing products.
Open Source Software Stewards: Must ensure that open source components included in products with digital elements comply with the CRA’s essential cybersecurity requirements. This includes documenting vulnerabilities and facilitating the disclosure and remediation of these vulnerabilities.