Mender Blog

An Overview of EU Cyber Resilience Act (CRA) Compliance

Written by Editorial Team | Nov 21, 2024 11:00:00 AM

To address the growing concern over insufficient cybersecurity measures and the general public's lack of cyber awareness, the European Parliament officially enacted the Cyber Resilience Act (CRA). This groundbreaking legislation introduces stringent requirements to bolster hardware and software security within products available in the European Union (EU). By targeting “products with digital elements” (PDEs) — a broad category comprising both software and hardware linked to connected devices — the CRA seeks to ensure that these commercial products meet robust cybersecurity standards. Noncompliance with the CRA could result in severe penalties, including fines of up to €15 million or 2.5% of global turnover and the potential loss of the CE mark, which is mandatory for selling products within the EU market.

For manufacturers, achieving compliance with the CRA is a legal obligation and a significant challenge that requires careful navigation. The Cyber Resilience Act takes a fully horizontal approach to securing PDEs, including requirements to:

Provide reset functionality: All PDEs must be manufactured in a secure-by-default state. If a vulnerability occurs, manufacturers must include functionality to roll back the device to its previously secure state.

Compile a software bill of materials (SBOM): Manufacturers must maintain and update a comprehensive, machine-readable SBOM. The documentation must detail all software components and how they fit into the PDE's supply chain.

Detect hardware and software vulnerabilities: The CRA requires regular security tests and audits to discover and remediate any security vulnerabilities throughout the device’s lifecycle.

Publicly disclose vulnerabilities: Manufacturers must uphold a policy to publicly disclose vulnerabilities if and when identified through ongoing security tests. Information must be released to the public through a simple point of contact, similar to ongoing common vulnerabilities and exposures (CVE) reports.

Provide secure software updates: Throughout the lifecycle of PDEs, manufacturers must provide secure software updates to remediate identified vulnerabilities. Updates must be available free of charge on an opt-in basis.

The comprehensive list of requirements in the CRA must be integrated into every step of a product’s lifecycle to maintain compliance – a heavy lift for manufacturers worldwide. Consequently, the substantial effort to comply requires over-the-air (OTA) infrastructure, tracking, documentation, and auditing. In turn, CRA compliance likely falls to in-house development and product management teams whose primary focus should remain on time to market and overall product improvement. From the breadth and depth of the regulation and product lifecycle management implications to the internal knowledge, available resources, and business ramifications of noncompliance, manufacturers must overcome significant challenges on the road to EU CRA compliance.

The Cyber Resilience Act aims to achieve the common goal of enforcing cybersecurity practices across all PDEs on the market within the European Union. The legislation pushes requirements across a widely defined range of products to reach this goal while emphasizing security and transparency throughout the PDE’s entire lifecycle. These requirements are all-encompassing and create specific challenges for manufacturers based on product type, OEM size, and overall market offering.

Essential requirements of the EU CRA

The essential requirements of the EU CRA address cybersecurity at every level of a PDE, summarized by the following categories: 

Secure by design: The CRA mandates that products be built with security at their core rather than as an afterthought. Manufacturers must incorporate security measures from the earliest stages of design, such as:

    • Ensuring robust encryption for data, both stored and in transit
    • Implementing secure boot processes verifying the integrity of software before execution
    • Designing products to minimize attack surfaces and resist tampering

Vulnerability management: Manufacturers are required to maintain a proactive vulnerability management program to address security weaknesses throughout the product lifecycle, including:

    • Performing regular vulnerability assessments and penetration testing
    • Deploying security-related patches and software updates to mitigate discovered threats in a timely manner
    • Continuously monitoring products in the field to identify new vulnerabilities

Lifecycle management: The CRA includes efforts to continually monitor and secure the PDE throughout its lifecycle, not just at the point of manufacturing or product delivery, such as: 

    • Securely distributing software and firmware updates and upgrades
    • Ensuring products are robust enough to resist attacks and to limit the impact on other devices if an attack succeeds
    • Maintaining a comprehensive, machine-readable software bill of materials (SBOM)

The CRA takes its scope a step further by distinguishing between classes of PDEs based on their inherent risk.

Class I products: These PDEs are considered to be lower-risk products used in consumer settings or non-critical industrial operations. The full scope still applies, but the risk of non-compliance is generally lower.

Class II products: Products under this classification, such as firewalls and container runtime systems, are typically higher risk and require full quality assurance and intense auditing.

Aside from the class of product a manufacturer produces, the size of the OEM will create specific external challenges while attempting to comply with the CRA. While enterprises are generally more equipped than small and medium-sized businesses, both encounter roadblocks that must be overcome in the wake of the CRA.

Large enterprises: While larger companies often have dedicated security teams and budgets to address regulatory concerns, the complexity and scope of the CRA will still pose a significant challenge. Managing hundreds or even thousands of connected devices while ensuring updates are delivered securely and on time and maintaining an accurate SBOM will become overwhelming without the proper infrastructure or support in place.

Small and medium-sized OEMs: The CRA presents a challenge for smaller companies for different reasons. Limited resources and expertise make maintaining ongoing security measures and updating systems harder. Without a dedicated team, there is a greater risk of falling behind and spending resources on compliance that would be better used to get a product to market. 

While compliance is complex, noncompliance is out of the question for manufacturers that wish to continue to market their products in the European Union.

Learn more about complying with the Cyber Resilience Act and protect your digital products from cyber threats. https://mender.io/resources/reports-and-guides/role-of-over-the-air-ota-updates-in-eu-cra-compliance