EU Cyber Resilience Act (CRA) – Supply Chain Security Requirements

Summary

The EU Cyber Resilience Act (CRA) aims to enhance the cybersecurity of products with digital elements by setting essential cybersecurity requirements and obligations for economic operators. It also addresses supply chain security by considering non-technical risk factors and allowing Member States to impose additional requirements for the procurement or use of such products by essential entities.

Relevant CRA Provisions

Recitals: (58), (52), (125), (13), (55)

Articles: 5, 8, 1

Detailed Explanation

The CRA emphasizes the need to maximize the benefits of economic openness while minimizing the risks from dependencies on high-risk vendors. It requires the consideration of non-technical risk factors, such as undue influence by third countries, when assessing cybersecurity risks. The CRA sets essential cybersecurity requirements for products with digital elements and allows Member States to impose additional requirements for procurement or use by essential entities, provided they are consistent with Union law and necessary and proportionate.

Obligations for Stakeholders

Manufacturers, Distributors, Importers, and Open Source Software Stewards: These stakeholders must comply with the essential cybersecurity requirements for the design, development, and production of products with digital elements. They must also establish vulnerability handling processes that maintain cybersecurity throughout the product’s expected period of use. Additionally, manufacturers must provide clear justifications in the technical documentation where certain essential cybersecurity requirements do not apply to their products.

Member States: While the CRA harmonizes the cybersecurity requirements for making products with digital elements available on the market, Member States may impose additional requirements on the procurement or use of such products by essential entities. These additional requirements must be consistent with Union law and necessary and proportionate for specific purposes, including national security or defence.