The Cost of Cyber Negligence | Why CRA Compliance Is a Boardroom Priority?
- Cytopus
- Mar 5
- 5 min read

In this era of rapid transformation across industries, the swift implementation of innovations is often accompanied by equally fast-evolving regulatory landscapes, including new compliance requirements designed to address emerging risks and vulnerabilities.
The European Commission has proposed a new regulation, the Cyber Resilience Act (CRA), which sets a broader cyber security framework for digital products placed on the EU market. Notably, the CRA applies not only to products manufactured within the European Union but also to those produced in other regions, such as the United States, if the product is intended for sale in the EU. Because this act sets a new “Gold Standard” for the affected industries, it is imperative to understand what it does, which companies and products fall under its scope, and how to implement it correctly.
What is the Cyber Resilience Act (CRA) and What Does It Establish?
The Cyber Resilience Act (CRA), officially known as Regulation (EU) 2022/0272, is a European Union regulation that governs the cybersecurity requirements for products with digital components distributed within its territory. This legislation plays an important role in strengthening European digital resilience, working in tandem with other key regulations like the AI Act and the NIS2 Directive.
It is essential to understand that, unlike DORA or NIS2, the CRA regulates products, not entities. The CRA therefore marks a significant shift by officially holding manufacturers, and in some cases importers and distributors, accountable for the digital security of the products they bring to market.
The main goal of the Cyber Resilience Act is to strengthen the Union’s level of resilience and protect consumers. To achieve this, the Cyber Resilience Act specifies:
Rules for making products with digital elements available on the market, ensuring their cybersecurity.
Essential requirements for the design, development, and production of these products.
Essential requirements for vulnerability management processes implemented by manufacturers.
Rules and provisions for marketing surveillance and enforcement.
Penalties and Fines for Non-Compliance with the Cyber Resilience Act
Timeline of CRA Enforcement and Penalties:
The Cyber Resilience Act will come into full force 3 years (36 months) after its publication in the Official Journal of the EU. Even though adoption of the CRA is expected to begin in 2024, the compliance deadline for regulated products is 2027. Moreover, because the CRA is a European Union regulation, it applies directly in all member states, whereas directives such as NIS2 must be transposed into the national law of each country. Eighteen months after the CRA's official publication, rules setting the standards for notifying authorities of incidents and actively exploited vulnerabilities will apply. However, the application date for enforcing the incident and vulnerability reporting obligations themselves is set at 21 months.

When discussing penalties and fines under the Cyber Resilience Act, the final fee depends on two key factors:
The organization at fault;
The nature of non-compliance.
Organizations in violation could face restrictive measures, product withdrawals, and financial penalties, following the same approach as GDPR.
Organizations that fail to meet the regulation's requirements, including incident and vulnerability reporting, could face fines of up to €15 million or 2.5% of their total annual revenue.
Authorized representatives, importers, distributors, assessment bodies, or subcontractors who breach their obligations would be liable to a fine of €10 million or 2% of their total annual turnover.
Finally, providing inaccurate, incomplete, or misleading information to market surveillance authorities and notified bodies might result in a fine of up to €5 million or 1% of total worldwide annual turnover.
Scope of Products and Their Categories
“This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.” – CRA, Article 2.1
Categories of the Products:
Classifying products helps in selecting appropriate security solutions and measures, since each category carries its own level of risk. Overall, four product categories fall under the Cyber Resilience Act:
The Default Category, which covers around 90% of products; these have the lowest risk profile of all the categories.
Critical Products, the highest-risk category established by the CRA. A product is considered critical when it poses a risk to entities vital to the proper functioning of the Union or is likely to put the most important supply chains at risk.
Important Products of Class 1 are:
Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers.
Products with digital elements with the function of a virtual private network (VPN)
Security information and event management (SIEM) systems
Public key infrastructure and digital certificate issuance software
Operating systems
Routers, modems intended for the connection to the internet, and switches
Microprocessors with security-related functionalities
Microcontrollers with security-related functionalities
Application-specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities
Smart home general-purpose virtual assistants
Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems, and alarm systems;
Important Products of Class 2 are:
Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments
Firewalls, intrusion detection and prevention systems
Tamper-resistant microprocessors
Tamper-resistant microcontrollers
The List of Exceptions:
Professional medical devices covered by regulations (EU) 2017/745 and (EU) 2017/746;
Motor vehicles and their trailers, and their systems, components, and separate technical units, covered by regulation (EU) 2019/2144;
Civil aviation systems and marine equipment, respectively governed by regulations (EU) 2018/1139 and 2014/90/EU;
Products for security or national defense purposes, since their cybersecurity is governed by the laws of each EU member state.
Steps for Implementing the CRA Compliance
Most businesses involved in the production or distribution of software or hardware products on the European market are likely to be affected by the CRA in some way. Although most of the obligations imposed by the CRA will not come into full effect until 11 December 2027, companies are strongly advised to start their Cyber Resilience Act compliance projects as soon as possible. To ensure CRA compliance, companies could take the following practical steps:
Cybersecurity Assessment: Manufacturers need to identify and analyze the cybersecurity risks posed by each digital product.
Product Classification: Categorize each product as non-critical, important, or critical based on its characteristics.
Gap Analysis: Assess the CRA obligations applicable to each product to identify any compliance gaps.
Action Plan: Based on the gap analysis, develop a list of the actions required for compliance, such as establishing a Business Continuity Plan (BCP) or implementing Secure Systems Development Lifecycle (SSDLC) practices, and allocate the required resources (employees, technologies, finances).
Compliance Implementation: With a team of experts, such as at Cytopus, develop a project plan to implement the identified compliance measures, integrating them into the product design and development process where possible.
How Cytopus Can Help?
Review Your Digital Products: Conduct a thorough assessment of your product inventory to identify any potential compliance gaps with the CRA, ensuring all relevant products meet the required cybersecurity standards.
Compliance Gap Analysis: Identify areas where your products may fall short of CRA requirements and propose practical solutions to mitigate these gaps.
Develop and Test Incident Response Plans: Help you build and regularly test comprehensive incident response plans to prepare for and mitigate the impact of cybersecurity incidents.
Cybersecurity Training: Provide specialized cybersecurity training for your employees to ensure they are fully aware of the CRA's implications and best practices for securing your products.
Compliance Audits: Conduct regular audits to ensure your products remain compliant with the CRA and other relevant regulations, such as DORA and the AI Act.