Links
General explanation at EU website
Full text

Up-to-date link (updated by the EU whenever a new version is published):
Who is affected?
Manufacturers of any size of products with digital elements
any software or hardware product
its remote data processing solutions (e.g. cloud service)
(1) ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately
– CRA full text (retrieved 16.07.2024)
Importers
Distributors of products with digital elements
No differentiation between B2B and B2C
Who is not affected?
Products put on market before entry into force.
When significant changes are made to such products, the CRA will apply
Non-commercial projects including open source
Commercial vendors that include open source software in their products need to make sure that the OSS complies with their security requirements
Services, e.g. SaaS → NIS 2
(9) This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions. […]
[Directive XXX/XXXX (NIS2)] applies to cloud computing services and cloud service models, such as SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directive.
– CRA full text (retrieved 16.07.2024)
Products already covered by these other regulations (to avoid double certification):
Medical devices (Regulation (EU) 2017/745)
In vitro diagnostic medical devices (Regulation (EU) 2017/746)
Motor vehicles (Regulation (EU) 2019/2144)
Civil aviation (Regulation (EU) 2018/1139)
Maritime equipment (Directive 2014/90/EU)
Products developed for national security or military purposes
Product categories
Default category: Products with Digital Elements (90% of affected products)
e.g. digital clock with an online function
Surprising: PLCs, robots, IIoT devices and microcontrollers are considered “default category”
Most industrial devices were moved to the “default category” in the final version
Important products with Digital Elements
Smart Home Appliances
Operating systems
Network Manager, Boot Manager
Critical Products with Digital Elements
Very limited set of products
e.g. Smartcards
Penalties
Non-compliance to essential cybersecurity requirements (Annex I) and the obligations set out in Articles 10 (Obligations of manufacturers) and 11 (Reporting obligations of manufacturers):
up to €15 million or up to 2.5% of total worldwide annual turnover (whichever is higher)
Non-compliance to other obligations:
up to €10 million or up to 2% of total worldwide annual turnover (whichever is higher)
Supply of incorrect, incomplete or misleading information to notified bodies and market surveillance:
up to €5 million or up to 1% of total worldwide annual turnover (whichever is higher)
NIS 2 ←→ CRA
NIS 2: Operators of critical infrastructure
CRA: Manufacturers/Importers/Vendors of products with digital elements
eco e.V. sees the danger that certain aspects are regulated in both NIS 2 and the CRA.
Timeline
15.09.2022: Publication of draft
11.2022: Committee referral announced
07.2023: Vote in committee & committee report for plenary
09.2023 – 11.2023: Co-legislators in trilogue & reach provisional agreement
12.2023: EU Council agreed on compromise text
12.03.2024: EU Parliament approves CRA
Text is finalized
20.11.2024: Publication in EUR-Lex (Regulation (EU) 2024/2847)
11.12.2024: Entry into force (EIF)
11.09.2026: Reporting obligations become applicable
11.12.2027: Manufacturers must fulfil the fundamental requirements of the CRA
Currently: the member states still have to transfer certain aspects into local law (e.g. Germany has to decide on the regulating authority)
The EU CRA is applicable law after adoption (without being transferred into local law), but with a grace period
There will be delegated acts for the different product categories which clarify the requirements for each category
Transition period
Transitional and final provisions (Chapter VIII)
To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable [24 months] after its entry into force, except for the reporting obligation on manufacturers, which would apply from [12 months] after the date of entry into force.
– CRA full text, Chapter 5
Controversial subjects during legislation process
Setup of conformity assessment system
Avoid a “Delaware effect”, where it is easier to obtain a certification in certain countries
Reporting obligations
Taken from NIS 2 regulation
How to deal with OSS?
Can (volunteer) programmers be forced to do security risk assessments?
Led to three new articles and the introduction of so-called open-source software stewards
Obligations
Obligations are documented as high level requirements in the annex.
Manufacturers
Estimation: If you are IEC 62443-4-1 compliant, you fulfill around 80% of the CRA obligations.
Provide security concept
Cybersecurity is considered in the planning (incl. resources), design, development, testing, production, delivery and operation/maintenance phases
Security risk assessment
What are the threats?
Which countermeasures are applied?
including all supplier components
No explicit method specified
Type of risk assessment depends on category:
Default category: Self-assessment
Important products with digital elements: standard or third party assessment
Critical products with digital elements: third party assessment
Risk assessment needs to be updated:
The manufacturer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the product with digital elements, including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product.
– Article 10(5)
Labeling of product (to identify product)
Easy-to-understand instructions
Provide a contact for security
Security by design
Products with known (exploitable?) vulnerabilities must not be placed on the market → must be addressed in the risk assessment
Vulnerabilities known to the manufacturer must be mitigated
Identify and document vulnerabilities
Address and remediate vulnerabilities
Provide mechanisms to securely distribute updates
Provide security patches without delay and free of charge (there were discussions about charging for them in a B2B context)
Publish security advisories after security updates
Perform regular tests to review security of the product
machine-readable SBOM
documentation of vulnerability management process
Updates for products placed on the market for the following timespan (the larger of the two values is mandatory):
Minimum 10 years – or –
the time limit might be cancelled
the lifecycle of the product
the product must not be sold anymore after its expected lifetime (= the trick of declaring a short lifetime does not work)
When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.
– CRA full text (retrieved 16.07.2024)
Reporting obligation:
Known, actively exploited vulnerabilities: as soon as possible
Vulnerabilities: within 24 h
to customers, the national CSIRT and ENISA
When using OSS:
Provide evidence that the topics of the CRA were dealt with
The commercial producer/distributor placing the product on the market (“Inverkehrbringer”) is responsible for OSS software in a product, not the programmer of the OSS software
Introduction of ISMS (but it is not mandatory to be ISO 27001-certified)
In case of violation of CRA, products can be recalled and taken off the market
Create “EU declaration of conformity” and add CE label to product
declares that the product conforms to the essential requirements from the annex
the technical documentation of the product must contain all information necessary to demonstrate conformity with the essential requirements
self-assessment for products with digital elements
third party conformity assessment for important products with digital elements (class 1 and class 2)
certification for critical products with digital elements
third party assessment of compliance to requirements only necessary when product is categorized as critical
Importers / Distributors
Ensure sufficient labeling of products
Reporting obligation for vulnerabilities (when they become known to the importer or vendor)
Conformity assessment bodies
National systems for conformity assessment are introduced
Independent assessment bodies will work under the national regulating authority and are contracted by manufacturers / importers / vendors
Each product will be marked with a CE label
Unclear yet how it will work on European level