The digital world is increasingly connected as the prominence of IoT devices continues to grow exponentially. Everything from smart home devices to critical infrastructure is online, making cybersecurity a global priority for the safety and security of people and international infrastructure. The growing number of connected devices comes with a skyrocketing cost of cybercrime. Current estimates predict the cost of cybercrime will exceed 20 trillion USD by 2026, 150% larger than the 2022 figure [1]. To combat today’s cyber threats, the European Union (EU) has introduced the Cyber Resilience Act (CRA), an extensive piece of legislation aimed at strengthening the cybersecurity of products with digital elements (PDEs) sold within the EU.
The Cyber Resilience Act covers a diverse range of PDEs with multifaceted compliance requirements and extensive penalties, both legal and financial. Ensuring compliance will be crucial for the success of manufacturers worldwide as the CRA begins to take effect.
What is the Cyber Resilience Act (CRA)?
The European Parliament approved the Cyber Resilience Act in March 2024, which was enacted October 2024, immediately implementing reporting mandates. By 2027, after 36 months of mandated reporting, the CRA will be in full effect across the European Union. The CRA is designed to establish consistent cybersecurity requirements for PDEs, including both hardware-software and software-only products, to ensure security throughout the product lifecycle.
The scope of the CRA is broad, impacting all digital products marketed in the EU, whether free or paid, with exceptions for certain sectors like medical devices, military hardware, automotive vehicles, aviation, and maritime technology, which are already governed by separate regulations.
The key objectives of the CRA are to reduce vulnerabilities in digital products, minimize the risk of cyberattacks, and ensure a high level of cybersecurity for all products on the market. Failure to comply with the CRA could lead to significant penalties of up to €15 million or 2.5% of a company’s global turnover (revenue), whichever is higher. Alongside the potential loss of the requisite CE mark, the CRA effectively bans non-compliant products from being sold in the EU.
Why does the Cyber Resilience Act matter?
The CRA directly responds to the EU’s growing concern over cybersecurity. The increasing number of connected devices—ranging from consumer gadgets to industrial control systems—has made the landscape more vulnerable to cyberattacks. The CRA aims to fill gaps in current cybersecurity frameworks and practices by ensuring that products are secure by design, fully disclose software dependencies, and can be reset to secure default configuration as needed.
The importance of the Cyber Resilience Act lies in its horizontal approach, covering a wide range of products and industries throughout the supply chain, to ensure security is no longer an afterthought but a fundamental part of the development and production process. By enforcing stricter standards and expanding accountability, the EU is proactively protecting citizens, businesses, and critical infrastructure from the ever-evolving cyber threat landscape.
Does the CRA apply to you?
If your company develops, manufactures, or distributes products with digital elements within the European Union, there’s a high chance the CRA applies to you. The CRA applies to any new product with digital elements (PDE) that connects directly or indirectly to a device or network, including:
- Smart home devices (e.g., security cameras, smart door locks, appliances)
- VPN software
- Antivirus programs
- Operating systems
- Firewalls and intrusion prevention systems
In addition to generic PDEs, the CRA categorizes “cybersecurity and network management products” into Class I and Class II, which face stricter requirements. If your products serve essential cybersecurity functions, you are likely in one of these classes and must adhere to enhanced compliance measures.
Software-only products under the CRA
The Cyber Resilience Act additionally categorizes software-only offerings under the umbrella of PDEs, meaning these products fall under the full scope of the regulation. Depending on purpose, many commercial software products, especially those related to data processing, will be categorized as either Class I or Class II, including:
- Operating systems: Platforms like Linux, which manage hardware and system resources, are required to incorporate strong security measures under CRA regulations.
- Antivirus and security tools: As critical defenses against malware and other threats, antivirus software must meet stringent CRA standards to ensure it effectively safeguards digital environments.
- VPNs: Virtual Private Networks (VPNs) that encrypt connections and protect user data are fully covered under the CRA, ensuring these tools maintain the highest security standards.
What about free and open source software (FOSS)?
One common question concerns free and open source software (FOSS). By nature, FOSS does not fall under CRA regulations unless it is part of a commercial activity. For example, if open source software is used in a for-profit or monetized product, it is subject to the CRA. Even if the software is freely available, integrating it into a commercial product puts it under the act’s purview.
CRA: Key compliance requirements
The Cyber Resilience Act enforces rigorous standards to ensure cybersecurity from a product’s development to its end-of-life stage. To comply, a manufacturer must consider cybersecurity throughout the PDE’s entire lifecycle and address several distinct requirements. These requirements are intended to bolster security, and noncompliance is heavily penalized.
- Secure by design: Products must be developed with security as a primary concern, including configurations that minimize vulnerabilities.
- Software Bill of Materials (SBOM): Manufacturers must maintain an SBOM, a detailed list of the software components used in a product, to facilitate identifying and addressing vulnerabilities.
- Vulnerability management: Manufacturers must continually test and assess their products for vulnerabilities. Once discovered, vulnerabilities must be remediated promptly, and manufacturers must provide secure updates, ideally through automatic mechanisms that allow users to opt in.
- Transparency and disclosure: If a vulnerability is identified and fixed, manufacturers must disclose this information to the public, ensuring that users are informed and can take appropriate action.
- Penalties for noncompliance: Manufacturers that fail to comply with CRA requirements face hefty fines and the potential loss of their CE certification, meaning their products can no longer be sold in the EU.
How to prepare for CRA compliance
Given the scope and implications of the CRA, manufacturers must take steps now to ensure compliance before the act takes full effect. The legislation contains many detailed steps and considerations, but the main preparations are:
- Conduct a risk assessment: Evaluate your current products to understand if and how the CRA applies. Consider their risk level, especially if they fall under Class I or II.
- Build security into the development process: Adopt a security-by-design approach, where security considerations are embedded from the outset rather than being added later.
- Maintain an SBOM: Create and update a detailed list of your product's software components. Ensure that this information is machine-readable, easy to locate, and ready to share with stakeholders if necessary.
- Vulnerability management plan: Develop a robust process for identifying, remediating, and disclosing vulnerabilities in your product. The process should include plans for quickly and efficiently issuing secure software updates, with user communication and, where appropriate, user control over accepting the update.
- Enable comprehensive OTA capabilities: Integrate a robust system to deploy over-the-air updates, ensuring patches remain consistent and timely for ongoing compliance.
- Collaborate with experts: The CRA introduces complex technical and legal requirements, so it’s essential to work with experts in cybersecurity, legal, regulatory compliance, and the CE certification process to navigate these challenges effectively.
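The two most concrete items above, a machine-readable SBOM and a vulnerability management process that can act on it, fit together naturally: once every component is recorded with a stable identifier, checking the product against an advisory feed becomes a mechanical step rather than a manual audit. The following Python script is an added example written for this article, not Mender’s code and not something the CRA prescribes. It builds an SBOM in the CycloneDX 1.5 JSON layout (a real, widely used format), performs a minimal structural check before the document is shared, and cross-references the components against an advisory list. The product name, component list and advisory entries are constructed sample data, and the matching rule (“affected if below the first fixed version”) is an assumption that simplifies real advisory semantics such as version ranges.

```python
"""Build a machine-readable SBOM (CycloneDX 1.5 JSON layout) for a product and
cross-reference it against a list of known-vulnerable component versions.

All product, component and advisory data below is constructed for illustration;
none of it refers to a real product or a real advisory.
"""
import json
from dataclasses import dataclass
from uuid import uuid4


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    ecosystem: str  # Package URL type, e.g. "generic", "pypi", "deb"

    @property
    def purl(self) -> str:
        # Package URL: a tool-neutral identifier that advisory feeds can match on
        return f"pkg:{self.ecosystem}/{self.name}@{self.version}"


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def build_sbom(product: str, product_version: str, components: list) -> dict:
    """Return a CycloneDX-style SBOM document (a dict, ready for json.dumps)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid4()}",
        "version": 1,
        "metadata": {
            "component": {"type": "firmware", "name": product, "version": product_version}
        },
        "components": [
            {"type": "library", "name": c.name, "version": c.version, "purl": c.purl}
            for c in components
        ],
    }


REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "version", "components")


def missing_fields(sbom: dict) -> list:
    """Minimal structural check before sharing: every top-level key the consumer
    needs, plus name/version/purl on every component. Returns the missing paths."""
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in sbom]
    for i, comp in enumerate(sbom.get("components", [])):
        for k in ("name", "version", "purl"):
            if k not in comp:
                missing.append(f"components[{i}].{k}")
    return missing


# Constructed advisory feed: (purl type, component name, first fixed version, placeholder id)
ADVISORIES = [
    ("generic", "tlslib", "2.4.1", "ADV-EXAMPLE-0001"),
    ("generic", "jsonparse", "1.0.6", "ADV-EXAMPLE-0002"),
]


def affected_components(sbom: dict, advisories=ADVISORIES) -> list:
    """Cross-reference SBOM components against the advisory list.

    Assumed rule: a component is affected when ecosystem and name match and its
    version is strictly below the first fixed version.
    """
    hits = []
    for comp in sbom["components"]:
        ecosystem = comp["purl"].removeprefix("pkg:").split("/", 1)[0]
        for adv_eco, adv_name, fixed_in, adv_id in advisories:
            if (ecosystem == adv_eco and comp["name"] == adv_name
                    and parse_version(comp["version"]) < parse_version(fixed_in)):
                hits.append({"purl": comp["purl"], "advisory": adv_id, "fixed_in": fixed_in})
    return hits


# Constructed sample inventory for a hypothetical gateway firmware image
SAMPLE_COMPONENTS = [
    Component("tlslib", "2.3.9", "generic"),     # below fixed version -> affected
    Component("jsonparse", "1.0.6", "generic"),  # equals fixed version -> not affected
    Component("busybox", "1.36.1", "generic"),   # no advisory on file
]


def demo():
    """Build the sample SBOM and return it with its advisory matches."""
    sbom = build_sbom("example-gateway-firmware", "4.2.0", SAMPLE_COMPONENTS)
    return sbom, affected_components(sbom)


if __name__ == "__main__":
    sbom, hits = demo()
    print(json.dumps(sbom, indent=2))
    print("structural problems:", missing_fields(sbom) or "none")
    print("affected components:", hits)
```

In practice the component list would come from the build system or a package manager rather than be typed in, and the advisory feed would be a real source such as a vendor or national vulnerability database; the point of the example is that with a purl on every component, the SBOM the CRA asks you to maintain is also the input that drives the vulnerability management and update process.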
The Cyber Resilience Act introduces comprehensive legislation for connected products with digital elements (PDEs) to ensure ongoing security amid the rising threat of cyberattacks. By requiring manufacturers to prioritize security throughout their product lifecycle, the EU aims to protect consumers as the number of connected devices grows.
For companies that produce or sell products in the EU, preparing for CRA compliance is not just a legal obligation; it is a necessity for staying competitive in an increasingly regulated market. The CRA carries some of the largest monetary penalties and the broadest scope of any security regulation, and all data collected will be fully subject to review by 2027. Manufacturers must act now to ensure products meet CRA standards and avoid the costly consequences of noncompliance.
By embedding cybersecurity into the fabric of your development process and ensuring compliance with the CRA, you can mitigate risks while gaining a competitive edge in the market by offering more secure, resilient products.
Check out our white paper for more information on the Cyber Resilience Act (CRA) and the role of OTA updates in compliance - https://mender.io/resources/reports-and-guides/role-of-over-the-air-ota-updates-in-eu-cra-compliance
Resources
- https://www.statista.com/forecasts/1280009/cost-cybercrime-worldwide