14.05.2025

The Cyber Resilience Act: Deadline, application and measures

The Cyber Resilience Act will bring about significant changes across the EU, particularly affecting companies in the mechanical and plant engineering sector. From 2027 onwards, products containing communication-enabled digital elements will need to meet strict security standards to receive the CE mark. The law requires measures to minimise cybersecurity risks throughout the entire product life cycle, from design to regular updates after the product has been placed on the market. This article provides an overview of all the key changes to help your company implement them successfully.

Your ISiCO-Expert:
Dr. Jan Scharfenberg
Director Information Security

What is the Cyber Resilience Act?

The CRA is an EU regulation focusing on the cybersecurity of networked products. It applies to hardware and software containing digital components and requires manufacturers to minimise cybersecurity risks throughout the product's entire life cycle.

Who is affected by the CRA?

All manufacturers and importers who develop or sell products with digital, communication-capable elements for the EU market are affected by the CRA. This applies to both software products and networked devices. For example, a manufacturer of networked industrial equipment must in future assess the relevant cybersecurity risks during the development phase and determine and implement appropriate protective measures. Only products that fulfil the security requirements stipulated by the CRA may bear the CE mark and thus be sold on the EU internal market.

What does the Cyber Resilience Act provide for?

The CRA calls for a ‘security by design’ strategy, whereby security measures are embedded in the development of products from the outset. For most companies, the centrepiece of this strategy is likely to be the introduction of a secure software development lifecycle. Additionally, manufacturers must report security incidents immediately; failure to do so could result in sales bans and penalties. In detail:

  • Risk assessment and continuous analysis: Security risks must be regularly reviewed and products adapted accordingly.
  • Security updates: Free security updates must be provided throughout the entire product life cycle.
  • Rapid reporting of security incidents: Manufacturers must report cybersecurity incidents to the European Cybersecurity Agency (ENISA) within 24 hours.

What is the deadline for implementing the new requirements?

The CRA requirements will apply from November 2027, meaning that companies have a relatively short lead time to implement them. Note that the CRA sometimes requires significant changes to existing planning and production processes, which can be time-consuming. Certain obligations, however, such as the immediate reporting of security vulnerabilities, will come into force earlier, in June 2026.

What challenges does the CRA pose for companies?

Companies face the challenge of firmly integrating cybersecurity into their product development processes and of establishing efficient information security management systems. Regular risk analyses and security update management are particularly complex. Failure to fulfil these requirements could result in high fines and potentially a sales ban in the EU.

What measures does the Cyber Resilience Act require?

Companies must take a number of measures, including:

  1. Establishing a Product Security Incident Response Team (PSIRT): This team ensures that vulnerabilities are reported and rectified promptly.
  2. Carrying out regular threat and risk analyses: Security reviews must be built into the development process at regular intervals.
  3. Determining the current status: An early assessment of the current security situation helps define the measures needed to implement the CRA.

How can ISiCO support the implementation of the Cyber Resilience Act?

ISiCO supports companies in successfully implementing the CRA. The consultation includes:

  • Analysing the current status: determining the security level of products and processes in relation to the CRA requirements.
  • Implementing security strategies: Support in setting up 'security by design' processes, particularly the introduction of a secure software development lifecycle and efficient software update management.
  • Security management and employee training: ISiCO helps build internal capacity and security awareness, enabling companies to meet CRA requirements in the long term.

With ISiCO's professional support, companies can efficiently and practically implement CRA requirements, thereby strengthening their security standards and trust with customers.
