What is the EU’s Cyber Resilience Act (CRA)?


The Cyber Resilience Act (CRA) continues to make headlines after MEPs backed it in July. First unveiled in September 2022, the regulation intends to boost cyber security and protect digital products such as Internet of Things (IoT) devices via minimum standards and ongoing updates. But it's also come under fire, particularly from the open source community.

In April, multiple industry bodies slammed the CRA, saying the proposed Act would harm the open source community across Europe. Proposals such as making developers liable for vulnerabilities in software would have a “chilling effect”, said the Linux Foundation Europe, the Open Source Initiative, and the Eclipse Foundation.

Open source advocates were still voicing their concerns ahead of a crunch vote in the European Parliament in July, saying the CRA represents a “death knell” for open source in Europe. But their protests have so far had little impact, with MEPs voting almost unanimously to back the draft bill.

So what exactly does the draft CRA say, what are the key conflicts at the heart of it, and what do businesses need to do to prepare? Here's everything you need to know about the impending regulations.

What is the Cyber Resilience Act?

All too often, connected devices are pushed out to market without considering the security implications. It is with this in mind that the CRA was proposed by the European Commission (EC) last year. 

Part of the 2020 EU Cybersecurity Strategy, the CRA means to complement existing EU rules including the EU Cybersecurity Act and NIS2 Directive.

Targeting products including IoT devices, desktop computers, and smartphones, the CRA adds requirements for manufacturers and distributors when disclosing vulnerabilities and introduces new liability rules for security incidents.

It has two overarching aims, says David Varney, a partner in the technology team at UK law firm Burges Salmon. The first is ensuring “a high level of security” throughout the lifecycle of hardware and software. Secondly, he says, it aims to allow consumers to factor in cyber security when choosing products by requiring companies to be transparent about their security features.

As of 26 July, the rules were approved with overwhelming support from MEPs. Negotiations between the European Parliament, the Council of the European Union, and the EC are due to commence in September 2023 with the goal of producing the final version of the Act.

Why is the open source community against the Cyber Resilience Act?

The most vocal opponents of the CRA are open source advocates, who complain the proposed regulation stifles innovation and threatens the community. “The main concern is that rules requiring all developers to testify their software is compliant could stifle open source development,” says Varney.


Another issue for the open source community is the vague wording of the draft CRA. For example, it stipulates that open source software developed or supplied “outside the course of a commercial activity” does not come within the regulation’s scope. “The task of defining ‘non-commercial’ is not always straightforward, as many developers will take on projects with the backing of a number of sources including non-profit organizations as well as corporate,” says Varney.

At a top level, the CRA will essentially require all open source projects to conform to a set of requirements meant for commercial products, says Joe Brockmeier, head of community at Percona. This includes reporting, documentation, risk assessments, and post-release security requirements that are “absolutely impractical and unreasonable to inflict on open source projects”.

He cites the example of security reporting and response requirements that are “at odds” with best practices. “Even if you agree that open source projects provided freely and without warranty should be subject to this kind of legislation, the specific timelines for response and reporting to an EU institution is hostile to global projects and security best practices.”

Adding to this, small manufacturers are concerned that imposing additional regulatory burdens will give larger firms with the deepest pockets an unfair advantage, says Will Richmond-Coggan, a partner at law firm Freeths. “The latest draft of the legislation has addressed some of these concerns, but it is not clear that all of them will be taken into account before the Act is made law.”

What are the benefits of the Cyber Resilience Act?

Despite opposition, there are clear benefits to the CRA. The obvious merit is a higher standard of security, says David Dumont, partner at law firm Hunton Andrews Kurth. “We expect many manufacturers to apply the higher EU security standard even when doing business in other parts of the world. As such, the CRA can have a positive impact even outside of the EU’s borders.”

The CRA will also benefit consumers. “Consumers can be assured that physical and digital products will provide improved security and safeguard their information,” says David Dunn, senior managing director and head of EMEA cyber security at FTI Consulting.

At the same time, the CRA's emphasis on risk assessment and security by design helps organizations proactively identify and address potential vulnerabilities. “Certain obligations, such as internal activity monitoring, security updates implementation, and attack surface limitation can help boost digital resilience,” Dunn adds.

Yet while most accept the plus points, experts say the negative aspects of the CRA are impossible to ignore. The requirement for manufacturers to report actively exploited unpatched vulnerabilities to regulators (under the Commission's draft, to the EU cyber security agency ENISA within 24 hours of becoming aware of them) could actually make products less secure, says the digital rights group the Electronic Frontier Foundation (EFF).

“This requirement risks exposing the knowledge and exploitation of those vulnerabilities to a larger audience, furthering the harms this legislation is intended to mitigate,” the EFF warns.

There is also a huge challenge in applying cyber security requirements across all the different product types in the scope of the regulation, says Natalia Oropeza, global chief cyber security officer at Siemens and chair of the Charter of Trust, an initiative of companies including Siemens, Bosch, Dell, Microsoft and Mitsubishi. “It’s clear that different products involve distinct technical and operational aspects in their respective supply chains. Failing to acknowledge those differences can create the opposite of the intended effect – and a false sense of security.”

It’s a major challenge to strike a balance between stringent cyber security requirements and practical implementation for manufacturers and retailers, says Dunn. “Meeting obligations such as conducting cyber security risk assessments and adhering to security by design principles will require careful monitoring, planning and allocation of resources.”

Who will the Cyber Resilience Act affect?

The CRA aims to regulate products connected to another device or network. This covers manufacturers, importers, distributors, and software providers, Varney says. 


While it is an EU regulation, the CRA will be relevant for businesses outside of the bloc operating in Europe as it applies to products “made available” in the market, says Varney. 

This includes the UK, even though the country is due to bring its own consumer IoT security regime into force in 2024 under the Product Security and Telecommunications Infrastructure (PSTI) Act 2022. It will also affect US companies that place products on the EU market. "Crucially, UK businesses may need to conform with the CRA, as the UK-EU trade agreement does not currently recognize UK conformity assessment procedures in the EU," Varney explains.

Will there be fines for non-compliance?

Like the General Data Protection Regulation (GDPR) before it, the consequences of not complying with the CRA are severe. Under the current proposals, penalties include administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher, Dumont warns.

Market surveillance authorities could order companies to make products that fall foul of the regulation compliant, withdraw devices from the market, or recall them from users, says Dumont. In addition to hefty fines, any organization that fails to comply with the CRA could face “significant reputational damage”, he warns.

How to prepare for the Cyber Resilience Act

While the proposals aren’t set in stone, the CRA is coming, so it’s important that anyone affected by the Act starts to prepare. First and foremost, understand the CRA “from cover to cover”, says Paul Baird, chief technical security officer UK at Qualys. “The timeline is extremely important and anybody affected needs to have all their ducks in a row. Don’t just assume it does not apply to you: Learn from the rollout of your GDPR programs, as this has the same potential ramifications if you get it wrong.”

He recommends assuming the CRA does apply to you and implementing ways to demonstrate you are following security best practices for your software or products. 

It’s a good idea to focus on cyber resilience to fuel compliance efforts, says Dunn. He advises conducting a “comprehensive cyber security program assessment” to identify potential threats and vulnerabilities specific to your organization. “This analysis will help prioritize and focus on the most critical areas.”

Dunn also advises creating a detailed incident response plan. “This should include a robust reporting element, since impacted organizations will be required to inform European authorities of cyber security incidents.”

Businesses should also take advantage of the two-year grace period once it comes into effect, says Richmond-Coggan. “It’s often tempting to leave compliance matters to the last minute, but as someone who advised a lot of businesses on GDPR compliance in May 2018, that two years runs out very quickly.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.