The EU Cyber Resilience Act: A Complete Guide
Safeguarding against cyber threats has become paramount for all businesses today, especially software development companies. According to our 2024 State of Software Quality survey, 84% of software developers polled said their companies conduct regular security audits, and 88% say they have a dedicated security team or person.
Recognizing the critical need to fortify Europe's digital defenses, the European Union (EU) has enacted the Cyber Resilience Act (CRA)—a comprehensive legislative framework designed to bolster cybersecurity across the continent.
At its core, the EU Cyber Resilience Act represents a proactive approach to confronting the evolving landscape of cyber threats. It aims to enhance the resilience of EU institutions, businesses, and citizens against cyberattacks. This landmark legislation mandates robust cybersecurity measures and fosters a culture of preparedness and collaboration among stakeholders.
The implications of the Cyber Resilience Act will be profound for many software developers. As architects of the digital ecosystem, developers are responsible for the security and integrity of their software systems. Understanding and adhering to this legislation's requirements is both a legal obligation and a moral imperative in safeguarding the European digital infrastructure.
Let’s explore the intricacies of the EU Cyber Resilience Act, unpacking its key provisions, compliance requirements, implications for software developers, and more.
What is the European Cyber Resilience Act?
Emerging from the ambitious 2020 EU Cybersecurity Strategy, the CRA stands as a groundbreaking legislative initiative poised to usher in unprecedented cybersecurity safeguards within the EU.
The CRA is the inaugural legislation of its kind globally. It is designed to harmonize cybersecurity policies and standards across the EU's single market. At its core, the legislation seeks to fortify collaboration and collective preparation in the face of cyber threats by instituting rigorous regulatory measures to enhance software and hardware safety for end-users.
Why Is the CRA Important?
The CRA’s primary objective is shielding EU citizens and entities from the cybersecurity vulnerabilities inherent in network-connected devices and infrastructure. One of the legislation's focuses is Internet of Things (IoT) devices: physical objects embedded with sensors and connected to the Internet that collect and exchange data with other devices and systems, enabling functions such as monitoring and automation.
According to SonicWall’s mid-year 2023 Cyber Threat Report, IoT malware was up by 37% globally in the first half of 2023, resulting in almost 78 million attacks—an increase of more than 20 million attacks compared to the same period in 2022.
The CRA hopes to ensure that all devices and software introduced to the market by EU-operating companies uphold stringent security standards.
What Does the EU Want to Achieve With This Legislation?
The Cyber Resilience Act reinforces the NIS2 Directive, a European Commission (EC) legislative proposal aimed at updating and strengthening the existing Network and Information Security (NIS) Directive.
The NIS2 Directive proposed stricter obligations for operators of essential services (OES) and digital service providers (DSPs), including incident reporting requirements, risk management measures, and cybersecurity certification schemes.
However, the EU has no consistent cybersecurity requirements for information and communications technologies (ICT) companies, leaving many digital systems vulnerable and exposed. The CRA was created to address the following:
- Devices and software being produced without constraint, with inadequate cybersecurity measures built into them.
- Lack of public education regarding cybersecurity, cyber risks, and how to reduce the risk of exposure.
The CRA outlines four specific objectives aimed at addressing the systemic challenges identified above:
- Enhanced security throughout the lifecycle: Upon enactment, the CRA will mandate security enhancements for products incorporating digital components, from their initial design phase through development to maintenance.
- Promoting compliance: By establishing a cohesive cybersecurity framework, the CRA will streamline compliance efforts for hardware and software manufacturers, with clear repercussions for non-compliance.
- Enhanced transparency: By introducing new regulations and standards to improve communication about cybersecurity features of digital products, the CRA aims to make such information more accessible to users, empowering them to make well-informed decisions.
- Facilitating secure usage: The CRA outlines comprehensive measures to help organizations and consumers use digital products securely, minimizing their exposure to potential risks.
Understanding the Scope of the CRA
The CRA will apply to the EU's private and public sectors. This far-reaching legislation will impact public institutions in the energy, healthcare, finance, and transportation industries that rely on network-connected infrastructures.
Companies in the EU that sell computer hardware and software or IoT-connected devices and infrastructure will also be impacted, as will the manufacturers and suppliers of these network-connected digital products.
Once the CRA has been adopted, only digital products that meet specific cybersecurity requirements can be made available. All manufacturers that want to sell digital and IoT devices and other products must consider cybersecurity from the beginning of their design and development processes.
The act will also require organizations, when providing product information and usage instructions, to be transparent about the cybersecurity considerations that customers need to be aware of.
A vital aspect of the CRA is that the legislation plans to regulate the entire product lifecycle and supply chain. It defines the obligations of manufacturers, developers, distributors, and importers, who must designate a support period so that customers understand how long they can expect to use the product safely. During this period, organizations will also be responsible for providing security updates and continued education to consumers.
But what would the assessment process look like? Depending on the risk associated with their product, companies must perform either a self-assessment or a third-party assessment.
Once a product passes its assessment, it will receive an EU declaration of conformity confirming compliance with all CRA requirements.
What Are the Benefits of the CRA?
One of the CRA's most significant benefits is the introduction of uniformity for organizations that produce digital and network-connected products. The CRA will be the only set of cybersecurity rules they must comply with to go to market with their products.
Some of the other key benefits the CRA is expected to bring to both businesses and consumers include:
- Heightened security standards for products featuring digital components. This initiative aims to fortify defenses against cyber threats and shield digital assets from potential vulnerabilities.
- Easier and more uniform certification and accreditation. Under the CRA, an EU-wide cybersecurity certification framework is established. Manufacturers can obtain certification to demonstrate adherence to requisite cybersecurity benchmarks. Products meeting these standards will bear the CE marking, signaling compliance with cybersecurity protocols.
- Improved digital defenses for businesses. The proposal's specific stipulations, such as internal activity monitoring, timely security updates, and reducing attack surfaces, bolster companies' digital resilience and defense capabilities.
- Boosted consumer trust. Consumers can rest assured knowing that physical and digital offerings within the EU marketplace prioritize security, safeguarding their personal data and privacy while fostering a sense of trust. Customers will also be better informed about the products they buy and better educated on using them safely.
- Mitigation of cyberattack vulnerabilities. Through rigorous cybersecurity risk assessments and an emphasis on secure design principles, organizations can preemptively identify and rectify potential vulnerabilities. This proactive approach decreases the likelihood of successful cyber intrusions.
When Is the CRA Expected to Come Into Force?
The EC agreed on the CRA in December 2023, and the European Parliament (EP) formally approved it in March 2024. However, the EC still needs to formally adopt it before it can be enforced, and adoption is expected sometime in 2024.
Once it’s adopted and enacted, EU Member States and economic operators will have three years to adapt to the new requirements.
What Happens If Your Organization Violates the Act?
States will designate authorities for market surveillance to oversee adherence to the obligations outlined in the CRA. In instances of non-compliance, these authorities have the power to compel operators to rectify the situation, cease or limit the product's availability in the market, or mandate the withdrawal or recall of the product. Penalties, including fines, may be imposed on companies violating the regulations.
The CRA stipulates maximum fines for administrative penalties, which are to be integrated into national legislation for cases of non-compliance. According to a briefing from the EP, potential penalties for breaching the CRA are outlined as follows:
- Manufacturers who fail to meet the CRA's security requirements may face fines of €15 million or 2.5% of their total annual global turnover (whichever is greater).
- Manufacturers, importers, or distributors could be fined €10 million or 2% of their total annual global turnover (whichever is greater) for any other breaches of obligations outlined in the proposed regulation.
How Will It Affect Software Development Companies?
It’s important to note that the CRA does not affect software companies that develop Software as a Service (SaaS). The CRA only covers products with digital elements sold within the European market.
However, the NIS 2 Directive ensures that all systems provided as a service meet technical cybersecurity requirements. For example, electronic health record systems or similar financial systems that handle large amounts of personal data will need to adhere to the regulations of the CRA.
The CRA's primary focus is software development organizations that develop and commercialize non-embedded software. The CRA won't target free and open-source software or SaaS software unless it is used to process data generated by a hardware product.
To meet the prerequisites outlined in the Cyber Resilience Act, software developers must ensure a satisfactory level of cybersecurity. These requirements entail:
- Implementing security measures and following best practices throughout the software development lifecycle to guarantee cybersecurity.
- Delivering products with a default secure configuration and enabling users to reset them to their original secure state if needed.
- Incorporating control mechanisms to thwart unauthorized access.
- Processing only necessary and relevant data for the intended product use.
- Designing software to safeguard essential functions' availability and minimize adverse impacts on services provided by other devices or networks.
- Addressing vulnerabilities through timely security updates and notifying users of available updates to maintain software security.
Regarding documentation, the Cyber Resilience Act requires software developers to maintain specific mandatory documents, including:
- A Software Bill of Materials, provided alongside the product where available.
- The EU Declaration of Conformity, made accessible to users and containing pertinent details about the product's compliance with the CRA, such as the declaration's internet address and the type of technical security support provided by the manufacturer.
In terms of reporting obligations under the Cyber Resilience Act, software developers are required to:
- Fully cooperate with market surveillance authorities by furnishing necessary information, assisting in investigations, and ensuring adherence to regulatory standards.
- Provide market surveillance authorities with the data (name and address) of economic operators to whom products with digital elements have been supplied.
- Retain the information referenced above for ten years after receiving products with digital elements and for ten years after supplying them.
Keeping Software Secure Becomes Easier with the Right Tools
The introduction of the European Cyber Resilience Act marks a significant step forward in safeguarding consumer interests in cyberspace. It sets higher benchmarks for manufacturers to integrate robust cybersecurity protocols into their offerings.
As Europe builds a more digitally resilient future, compliance experts are crucial in guiding organizations through the ever-changing regulatory terrain and guaranteeing strict compliance with demanding cybersecurity standards.
Through collective efforts, we can construct a safer digital realm where everyone can thrive. Codacy is a perfect solution for companies that will be affected by the CRA and need tools to help keep their code secure and safe for everyone.
Codacy Security is a toolbox of seven different scanning techniques that help you ensure the security and compliance of your code. Start a free 14-day trial today to test it out.