Skip to main content

CRA - Cyber Resillience Act

Access and information

Full text

CRA - Current consolidated version

General explanation at EU website

🇪🇺 Cyber Resilience Act | Shaping Europe’s digital future

EU Expert Group

Expert Group on Cybersecurity of Products with Digital Elements (E03967)

The page contains detailed minutes of meetings in which the expert group discussed current fields of open questions, providing valuable insights.

OCCTET project

About the OCCTET Project

The OCCTET project aims to help SMEs and open-source developers by using free and open-source tools to support implementation of the CRA.

Scope

Who is affected?

  • Manufacturers of any size of products with digital elements
    • any software or hardware product
    • its remote data processing solutions (e.g. cloud service)
    • regardless of the manufacturer's location
      • the relevant criterion is placing the product on the EU market → manufacturers from any country worldwide must comply with the CRA, if they want to place their product with digital elements on the EU market.
      • see: Article 1 and BSI

Article 2
Scope

  1. This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.

CRA - Current consolidated version (highlighted by me)

(1) ‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;

CRA - Current consolidated version Article 3 (highlighted by me)

  • Importers
  • Distributors of products with digital elements
    • No differentiation between B2B and B2C

Who is not affected?

  • Article 69 (2) Products placed on market before 11.12.2027

    • When significant modifications are done on such products: CRA will apply
    • But: Article 14 Reporting Obligations of manufacturers applies also if product is placed on market before 11.12.2027

  • Software provided as part of a service but not as a part of a product with digital elements (see: Cyber Resilience Act - Questions and Answers)

  • Non-commercial projects including open source

    • Commercial vendors including open source software in their products need to make sure, that the OSS complies to their security requirements

  • Products covered by these other certifications avoiding double certification) Article 2:

    • Medical devices (Regulation (EU) 2017/745)
    • In vitro diagnostic medical devices (Regulation (EU) 2017/746)
    • Motor vehicles (Regulation (EU) 2019/2144
    • Civil aviation (Regulation (EU) 2018/1139)
    • Maritime equipment (Directive 2014/90/EU)

  • Article 2 Products covered by other Union rules addressing all or some risks of the essential cybersecurity requirements of CRA → application of CRA will be limited or excluded

  • Article 2 Spare parts replacing identical components

  • Article 2 Products developed for national security or military purposes or to process classified information

SMEs Article 33

Definition of SMEs

(19) ‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;

Article 3

Support for SMEs

Member states:

  • shall organize activities to raise awareness and provide training
  • shall organize specific channels for communication with microenterprises and small enterprises regarding implementation of the CRA
  • shall support the conformity assessment activities as well as the testing
  • may establish regulatory sandboxes:
    • for innovative products
    • controlled testing environments
    • limited time
    • The regulatory sandboxes are used before the product is placed on the market with the purpose to comply with the CRA
    • market surveillance authorities provide direct supervision and guidance

The Commission shall also provide guidance for SME for implementing the CRA requirements.

Simplified format for documentation provided by SMEs

  • applies to all technical documentation as specified in Annex VII
  • Commission shall specify the details of the simplified technical documentation
    • The form specified by the Commission shall be used by the SMEs.

Definitions

Vulnerability

(40) ‘vulnerability’ means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;

(41) ‘exploitable vulnerability’ means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;

(42) ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner

Article 3

Cyber threat

(46) ‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;

Article 3

The definition refers to the EU Cyber Security Act:

(8) ‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;

Article 2 Cyber Security Act (Regulation (EU) 2019/881)

Product categories

  • Products with Digital Elements (90% of affected products, default category if not mentioned in other categories)
    • e.g. digital clock with an online function
    • surprising: PLCs, robots, IIot and microcontroller are considered as “default category”
      • most industrial devices have been changed in the final version to “default category”
  • Important products with Digital Elements Annex III
    • Class I
      • e.g. Webbrowser, IAM, PKI, Operating systems, Microcontrollers with security-related functions, …
    • Class II
      • e.g. Hypervisors, Firewalls, IDS, …
  • Critical Products with Digital Elements Annex IV
    • Very limited set of products
    • e.g. Smartcards, smart meter gateways

Penalties

  • Non-compliance to essential cybersecurity requirements (Annex I) and the obligations set out in Article 10 (Obligations of manufacturers) and Article 11 (Reporting obligations of manufacturers):
    • up to 15 Mio. € or up to 2.5% of total worldwide annual turnover (whichever is higher)
  • Non-compliance to other obligations:
    • up to 10 Mio. € or up to 2% of total worldwide annual turnover (whichever is higher)
  • Supply of incorrect, incomplete or misleading information to notified bodies and market surveillance:
    • up to 5 Mio. € or up to 1% of total worldwide annual turnover (whichever is higher)
  • Article 57 In case of significant cybersecurity risk, the market surveillance authorities are able to enforce a withdrawal or recall of the product from the market

NIS 2 ←→ CRA

  • NIS 2: Operators of critical infrastructure
  • CRA: Manufacturers/Importers/Vendors of products with digital elements
  • eco e.V. sees danger, that certain aspects are regulated in both NIS 2 and CRA.

Timeline (Dec 13, 2024)

Graphical representation of timeline available at: BSI - Cyber Resilience Act

  • 15/09/2022: Publication of draft
  • 11/2022: Committee referral announced
  • 07/2023: Vote in comitteee & comittee report for plenary
  • 2023/09 - 2023/11: Co-legislators in trilogue & reach provisional agreement
  • 2023/12: EU Council agreed on compromise text
  • 2024/03/12: EU Parliament approves CRA
    • Text is finalized
  • 20.11.2024: Publication in EUR-Lex (Regulation (EU) 2024/2847)
  • 11.12.2024: EIF
  • 11.09.2026: Activation of reporting obligations
  • 11.12.2027: Manufacturers must fulfill the requirements of the CRA.
  • Currently: After that, the member states have to transfer it into certain local laws (e.g. Germany has to decide regarding the regulating authority)
  • EU CRA will be applicable law after acceptance (without being transferred to local law) but with a grace period
  • There will be delegated acts for the different product categories, which clarify requirements for each category

Transition period

Transitional and final provisions (Chapter VIII)

To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable [24 months] after its entry into force, except for the reporting obligation on manufacturers, which would apply from [12 months] after the date of entry into force.

CRA full text Chapter 5

Controversial subjects during legislation process

  • Setup of conformity assessment system
    • Avoid “Dellaware-effect”, where it is easier in certain countries to get a certification
  • Reporting obligations
    • Taken from NIS 2 regulation
  • How to deal with OSS?
    • Can (volunteer) programmers be forced to do security risk assessments?
    • Lead to 3 new articles and the introduction of so-called Open-Source-Stewards

Obligations

Obligations are documented as high level requirements in the annex.

Manufacturers

  • Estimation: If you are IEC 62443-4-1 compliant, you fulfill around 80% of the CRA obligations.
  • Cyber Security is considered in design, development and production
    • Goal: achieve appropriate level of security risk
  • Article 13 (2) Security risk assessment
    • Article 13 (3) What are the threats taking into account:
      • forseeable use
      • intended purpose
      • conditions of use (e.g. operational environment)
      • expected lifetime
    • Article 13 (3) Goal of risk assessment: Determine which countermeasures from Annex I are to be applied and how they are implemented
    • including all supplier components
    • No explicit method specified
    • Article 13 (4) Risk assessment needs to be part of the technical documentation
    • Risk assessment needs to be updated during the support period of the product:

The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. […]

– Article 13 (3)

The manufacturer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the product with digital elements, including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product.

Article 10 (5)

  • Labeling of product (to identify product)
  • Easy-to-understand instructions
  • Provide a contact for security
  • Security by design
  • Products must not be made available on the market with known exploitable vulnerabilities. ANNEX I Part 1 (2a)
    • see definition of "exploitable vulnerability" in Article 3 of CRA
    • decision must be based on the risk assessment, see ANNEX I Part 1 (2)
  • Vulnerabilities known to the manufacturer must be mitigated
    • Identify and document vulnerabilities
    • Address and remediate vulnerabilities
    • Provide mechanisms to securely distribute updates
    • Provide security patches without delay and free of charge (discussions regarding charging for them in B2B context)
    • Publish security advisories after security updates
    • Perform regular tests to review security of the product
    • machine-readable SBOM
    • documentation of vulnerability management process
  • Updates for products placed on the market for the following timespan (the larger of the two values is mandatory):
    • Minimum 10 years - or -
      • time limit might be canceled
    • lifecycle of the product
    • product must not be sold anymore after expected lifetime (= trick with a short lifetime does not work)
  1. When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.

CRA full text (retrieved 16.07.2024)

  • Reporting obligation:
    • Known, actively exploited vulnerabilities: asap
    • Vulnerabilities: within 24 h
    • to customers and national CSIRT and ENISA
  • When using OSS:
    • Provide evidence, that topics of the CRA were dealt with
    • Commercial producer/distributor ("Inverkehrbringer") is responsible for OSS software in a product - not the programmer of the OSS software
  • In case of violation of CRA, products can be recalled and taken off the market
  • Article 13 (12) Create “EU declaration of conformityArticle 28 and add CE label Article 30 to product
    • declares, that the product is conform to the essential cybersecurity requirements from Annex I
    • technical documentation of the product must contain all information necessary for conformity with the essential requirements
    • 4 levels of assurance Article 32 :
      • Self-assessment Self-assessment of the manufacturer
      • NoBo Technical EU-type examination by Notified Body followed by conformity to EU-type based on internal production control (= evidence that products manufactured equal the assessed product)
      • NoBo QA Conformity assessment based on full quality assurance (= a NoBo evaluates the quality assurance of the manufacturer)
      • Certification European cybersecurity certification according to Article 27 (9)
        • Certification scheme can be established via delegated act (= there is not yet a certification scheme) by the European Commission.
    • Depending on the type of product, the manufacturer can choose the level of assurance:
      • Products with digital elements:
        • self-assessment , NoBo Technical , NoBo QA or Certification
      • Important products with digital elements Class I:
        • can be evaluated in future by harmonized European standards → currently under development, see BSI - Cyber Resilience Act
        • until then: NoBo Technical or NoBo QA
      • Important products with digital elements Class II:
        • NoBo Technical , NoBo QA or Certification
      • Critical products with digital elements:
        • Certification
        • or NoBo Technical, NoBo QA or Certification if due to a delegated act, the certification is not required (see Article 8 (1))

Importers / Distributors

  • Ensure sufficient labeling of products
  • Reporting obligation for vulnerabilities (when they become known to the importer or vendor)

Open Source Software

Security: Wie sich der Cyber Resilience Act auf Open-Source-Projekte auswirkt | heise online

Conformity assessment bodies

  • National systems for conformity assessment are introduced
  • Independent assessment bodies will be working under national regulating authority and are contracted by manufacturers / importers / vendors
  • Each product will be marked with a CE label