Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) aims to strengthen the protection of consumers and businesses who buy or use products or software incorporating digital components. Adopted in early 2024, this European regulation imposes mandatory cybersecurity requirements to protect consumers and businesses against increasing cyberattacks.

This text explores the main obligations of the CRA, the fines that may apply in the event of non-compliance, and its impact on the open-source community.

1. What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is a European Union regulation intended to enhance the security of digital products such as computer hardware and software. The proposed regulation was adopted in early 2024 by the European Commission. The CRA imposes mandatory cybersecurity requirements on manufacturers and retailers to protect consumers and businesses against cyberattacks, since hardware and software products are increasingly the target of such attacks. According to the European Commission, the annual cost of these attacks was estimated at almost 5.5 trillion euros by 2020.

Manufacturers will have three years to adapt to the new standards after the law comes into force, and they will have to report incidents and vulnerabilities no later than 21 months after the law is passed. The CRA aims to promote the safe use of digital products by encouraging a proactive approach to security throughout their entire lifecycle.

2. Who is affected by this European regulation?

The Cyber Resilience Act (CRA) was established to reinforce the security of digital products sold on the European single market. Unlike the NIS2 directive, which concerns a wide range of entities such as cloud providers and healthcare data hosting providers, the CRA specifically targets digital products. This includes any hardware or software product with digital elements, such as computers, phones, household appliances, cars and connected toys, as well as software such as VPNs, antivirus and password managers.

The CRA defines three classes of digital products to regulate their cybersecurity. The default category, covering 90% of digital solutions, requires only a self-assessment by the manufacturer. The other two categories, comprising the remaining 10% of solutions, require higher levels of assessment, ranging from the application of harmonized security standards to evaluations carried out by external third parties. The classification is based on the specific functionality and intended use of the product.

3. What are the objectives of the Cyber Resilience Act?

Manufacturers of the products listed above will be required to comply with harmonized cybersecurity rules throughout the product lifecycle, including planning, design, development and maintenance obligations to ensure cybersecurity. The CRA aims to:

  • Reduce product vulnerabilities
  • Guarantee regular security updates
  • Improve transparency on product security
  • Introduce CE marking to indicate compliance with cybersecurity standards

In addition, the Cyber Resilience Act establishes a universal cybersecurity basis for all digital products sold in the EU, with product categorization and differentiated security assessments based on their level of risk. It clearly assigns responsibility for security to manufacturers and ensures that consumers receive timely security updates after purchase.


4. What are the fines for non-compliance with the CRA?

Non-compliance with the Cyber Resilience Act (CRA) carries considerable fines for companies operating in the European Union: penalties of up to €15 million or 2.5% of worldwide sales can be imposed.

To ensure compliance with the CRA, each Member State will appoint market surveillance authorities responsible for enforcing the law. In the event of non-compliance, these authorities have the power to require corrections, restrict the availability of non-compliant products or withdraw them from the market.

5. What about concerns in the open-source world?

The Cyber Resilience Act (CRA) raised concerns in the open-source community about its impact on the development of open-source software. In the end, the final version of the CRA clearly distinguishes between the development and the commercial supply phases of software products built on open code, so that open-source contributors are not held responsible for security problems in products that merely use open-source components. Although some concerns remain, efforts have been made to take the open-source community's concerns into account in the CRA and to clarify its impact on open-source software development.

6. How can DOT Anonymizer, an anonymization solution, help comply with the Cyber Resilience Act (CRA)?

DOT Anonymizer offers a solution to help comply with the CRA, which requires digital products to guarantee the confidentiality and security of user data. It anonymizes personally identifying data, reducing the exposure created by vulnerabilities and helping manufacturers meet security requirements. Its integration into digital products can help boost customer confidence and ensure better cybersecurity throughout the European Union.

7. Conclusion

The European Union's Cyber Resilience Act (CRA) represents a major step forward in protecting consumers and businesses against cyber threats.

By imposing strict cybersecurity standards on manufacturers and retailers of digital products, the CRA aims to reduce vulnerabilities, ensure regular security updates, and improve transparency on product security. The fines incurred for non-compliance underline the crucial importance attached to digital security in the European Union. Concerns about the impact on the development of open-source software have been addressed, with efforts to clarify the implications of the CRA.

Overall, the Cyber Resilience Act plays an essential role in creating a more secure and resilient digital environment in Europe.
