The Cyber Resilience Act

Publication: April 18, 2024

What is the Cyber Resilience Act?

With cyber security at the forefront of a rapidly evolving digital landscape, the EU has emphasised the importance of improving overall cyber security to safeguard products with digital elements (both hardware and software) against cyber threats. As a result, the European Commission has published a draft of the Cyber Resilience Act (CRA), the first EU-wide legislation to introduce unified cyber security requirements for manufacturers and developers of products with digital elements, covering both hardware and software.

To meet the goal of the legislation, in-scope products with digital elements will have to comply with defined cyber security requirements and practices. The legislation aims to raise cyber security maturity across the entire product lifecycle, from development to decommissioning, by obliging companies to conduct risk and vulnerability assessments and to keep delivering security updates for digital products that fall within its scope.

Who will be impacted by the Cyber Resilience Act?

Both EU and non-EU companies manufacturing or selling products with digital elements in the European market will be affected by the CRA, which mandates enhanced cyber security measures throughout the entire lifecycle of their products.

Which products are affected by the EU Cyber Resilience Act?

The scope of the CRA includes “products with digital elements whose intended or reasonably foreseeable use involves direct or indirect logical or physical data connection to a device or network”. Here are some examples of products with digital elements:

Hardware

  • Smartphones

  • Laptops

  • CPUs

  • Routers

  • Switches

  • Firewalls

  • Hard Drives

  • Microcontrollers

Software

  • Operating Systems

  • Password Managers

  • Photo Editing

  • Audio and Video Editing

  • Word Processing

  • Anti-virus / Anti-Malware

  • Endpoint Protection

  • Games

What are the categories of products affected by the EU Cyber Resilience Act?

Critical Class “I”

This category covers products that provide functions critical to the cyber security of other products, or functions that significantly affect a large number of other products. Examples of products in this category cited in Annex III of the CRA are:

  • Standalone and embedded browsers;

  • Password managers;

  • Mobile device management software;

  • Physical network interfaces.

Critical Class “II”

This category covers products that both provide a critical cyber security function and significantly affect a large number of other products. Examples of products in this category cited in Annex III of the CRA are:

  • Operating systems for servers, desktops, and mobile devices;

  • Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments;

  • Public key infrastructure and digital certificate issuers;

  • Firewalls, intrusion detection and/or prevention systems intended for industrial use.

Default Category

This category comprises 90% of the products covered by the legislation: products with digital elements of basic security relevance, such as common consumer electronics like smartphones or laptops. Any product not classified as Critical Class I or Class II falls into this category.

What products are exempted from the EU Cyber Resilience Act?

Products that already have to comply with existing EU cyber security regulations are exempt from the EU Cyber Resilience Act. Here are a few examples of existing EU regulations that give rise to this exemption:

  • (EU) 2017/745 for Medical Devices;

  • (EU) 2019/2144 for Motor Vehicles;

  • (EU) 2018/1139 for Products affected by Aviation Rules;

  • Directive 2014/90/EU for Marine Products.


When will the CRA be released and enforced?

Scheduled for official publication in 2024, the act will be implemented in phases starting in 2025, with full applicability by 2026. Oversight and enforcement will be carried out by authorities within EU member states and by the European Union Agency for Cybersecurity (ENISA).

What are some key obligations that companies should prepare for under the EU Cyber Resilience Act?

Manufacturers and developers of products with digital elements, both hardware and software, will have to comply with the legislation by meeting cyber security requirements designed to safeguard those products against emerging cyber threats. The key obligations that companies can expect under the CRA include, but are not limited to, the following:

  • Comprehensive risk assessments will be mandatory throughout the product development process and the product lifecycle. This includes evaluating and mitigating the cyber security risks associated with the product across its entire lifecycle.

  • Companies are expected to deliver products that are free from known vulnerabilities. This requires vulnerability management practices that promptly identify and address security weaknesses.

  • Free security updates must be provided after the product's release, in line with customer expectations. This is crucial for keeping products resilient against emerging threats.

  • Depending on the product's risk classification, compliance may require meeting standardised requirements, such as those outlined in IEC 62443, or engaging external auditing authorities.

Given the global significance of the European market, the CRA is expected to influence the cyber security of products worldwide. As products with digital elements sold in the European market become subject to the CRA, overall cyber security maturity across the product lifecycle is expected to grow, to the benefit of both companies and customers.

How can we help?

At PwC Malta, our Cyber Security team is made up of a pool of resources with local and international experience in Cyber Security Governance, Risk and Compliance (GRC), Cyber Strategy and Technology Consulting, Threat and Vulnerability Management, Penetration Testing and Red Teaming, and Threat Intelligence. Our team is knowledgeable in the best practices in these domains, has experience working in both the public and private sectors, and is supported by specialists with digital, audit and business skills and experience.

For more information visit our webpage or reach out to our Cyber Security team leaders below.

Contact us

Michel Ganado

Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Andrew Schembri

Digital Services Partner, PwC Malta

Tel: +356 79211355

Kirsten Cremona

Senior Manager, Digital Services, PwC Malta

Tel: +356 7975 6911

John Napier

Lead Offensive Security Consultant, Advisory, PwC Malta

Tel: +356 2564 4219