Summary
The EU Cyber Resilience Act (CRA) aims to address the growing cybersecurity challenges posed by the increasing number of connected devices, particularly within IoT ecosystems. It introduces a uniform legal framework to ensure the cybersecurity of products with digital elements, thereby enhancing consumer safety, economic stability, and democratic processes within the Union.
Relevant CRA Provisions
- Recitals (1), (4), (9), (13), (24), (52), (55)
- Articles 1, 12
Detailed Explanation
The CRA identifies two major problems within IoT ecosystems: a low level of cybersecurity in products with digital elements and insufficient user understanding and access to information. These issues lead to widespread vulnerabilities and inconsistent security updates, creating a fragmented regulatory landscape and increasing legal uncertainty for manufacturers and users.
To address these challenges, the CRA introduces horizontal cybersecurity requirements for all products with digital elements, ensuring a harmonized regulatory framework across the Union. It mandates that manufacturers design and develop products in accordance with essential cybersecurity requirements, covering both direct and indirect connections to other devices or networks. The CRA also ensures that products necessary for digital infrastructure providers are developed securely and comply with internet security standards, facilitating compliance with supply chain requirements under Directive (EU) 2022/2555. Finally, the CRA allows for additional national measures that consider non-technical factors, provided they comply with Union law.
Obligations for Stakeholders
Manufacturers: Must ensure that products with digital elements are designed and developed in accordance with essential cybersecurity requirements. They must also justify any non-applicability of these requirements and take measures to address associated risks.
Distributors and Importers: Must ensure that products they make available on the market comply with the CRA’s requirements.
Open Source Software Stewards: Must adhere to the essential cybersecurity requirements where applicable, ensuring that their contributions to products with digital elements meet the necessary security standards.
Member States: Cannot impose additional cybersecurity requirements for products that comply with the CRA but can establish stricter requirements for specific uses or procurements, provided they are consistent with Union law.