Summary
The EU Cyber Resilience Act (CRA) mandates supply chain security measures to enhance the overall cybersecurity resilience of products with digital elements. It requires manufacturers and suppliers to implement specific measures to ensure the security of these products throughout the supply chain.
Relevant CRA Provisions
- Recital (58)
- Recital (52)
- Recital (125)
- Recital (3)
- Recital (114)
- Recital (77)
- Recital (13)
- Recital (48)
- Article 8
Detailed Explanation
The CRA aims to maximize the benefits of economic openness while minimizing the risks associated with dependencies on high-risk vendors. It emphasizes the need for a common strategic framework for Union economic security, particularly for products with digital elements intended for use by essential entities. The regulation mandates essential cybersecurity requirements for these products, without prejudice to additional Union-level coordinated security risk assessments and Member States’ prerogative to impose additional requirements based on non-technical factors.
The CRA also requires periodic evaluations and reviews to adapt to changing societal, political, technological, and market conditions. It empowers the Commission to adopt delegated acts to determine which products with digital elements must obtain a European cybersecurity certificate, taking into account the level of cybersecurity risk and critical dependencies. Manufacturers must identify and document the components in their products, including through a software bill of materials (SBOM), to facilitate vulnerability analysis. Member States are prohibited from imposing additional cybersecurity requirements for the market availability of compliant products, though they can establish stricter requirements for procurement or use by specific entities.
Obligations for Stakeholders
- Manufacturers: Must ensure products with digital elements comply with essential cybersecurity requirements, obtain necessary European cybersecurity certificates, and document components via an SBOM. They should also consider non-technical risk factors and be prepared for periodic reviews and updates to the regulation.
- Suppliers: Must adhere to the supply chain security measures mandated by the CRA, ensuring that products they provide meet the required cybersecurity standards and are free from vulnerable components.
- Market Surveillance Authorities: Should conduct simultaneous coordinated control actions (sweeps) where indicated by market trends, consumer complaints, or other factors suggesting cybersecurity risks, taking into account both technical and non-technical risk factors.
- Member States: Cannot impose additional cybersecurity requirements for the market availability of compliant products but can establish stricter requirements for procurement or use by specific entities, ensuring these are consistent with Union law.