{"id":9087,"date":"2024-04-22T09:50:26","date_gmt":"2024-04-22T07:50:26","guid":{"rendered":"https:\/\/www.arcadsoftware.com\/dot\/?p=9087"},"modified":"2025-02-26T16:11:50","modified_gmt":"2025-02-26T15:11:50","slug":"cyber-resilience-act-cra","status":"publish","type":"post","link":"https:\/\/www.arcadsoftware.com\/dot\/resources\/cyber-resilience-act-cra\/","title":{"rendered":"Cyber Resilience Act (CRA)"},"content":{"rendered":"

\"Blog<\/span><\/div><\/div><\/div><\/div><\/div>

The Cyber Resilience Act (CRA) aims to strengthen the protection of consumers and businesses who buy or use products or software incorporating digital components. Adopted in early 2024, this European regulation imposes mandatory cybersecurity requirements to protect consumers and businesses against increasing cyberattacks.<\/p>\n

This text explores the main obligations of the CRA, the fines that may apply in the event of non-compliance, and its impact on the open-source community.<\/p>\n<\/div><\/div><\/div>

Summary<\/b><\/p>\n

    \n
  1. What is the Cyber Resilience Act (CRA)?<\/a><\/li>\n
  2. Who is affected by this European regulation?<\/a><\/li>\n
  3. What are the objectives of the Cyber Resilience Act?<\/a><\/li>\n
  4. What are the fines for non-compliance with the CRA?<\/a><\/li>\n
  5. What about concern in the open-source world?<\/a><\/li>\n
  6. How can DOT Anonymizer, an anonymization solution, help comply with the Cyber Resilience Act (CRA)?<\/a><\/li>\n
  7. Conclusion<\/a><\/li>\n<\/ol>\n<\/div><\/div><\/div>
    <\/div>

    1. What is the Cyber Resilience Act (CRA)?<\/h2><\/div>

    The Cyber Resilience Act (CRA) is a proposed European Union law intended to enhance the security of digital products such as computer hardware and software.<\/b> This proposed regulation was adopted in early 2024 by the European Commission. The CRA imposes mandatory cybersecurity requirements on manufacturers and retailers to protect consumers and businesses against cyberattacks.<\/b> Indeed, hardware and software products are increasingly subject to cyber-attacks. According to the European Commission, the annual cost of these attacks has been estimated at almost 5.5 trillion euros by 2020.<\/p>\n

    Manufacturers will have 3 years to adapt to the new standards<\/b> after the law comes into force, and they will have to report incidents and vulnerabilities no later than 21 months<\/b> after the law is passed. The CRA aims to promote the safe use of digital products by encouraging a proactive approach to security throughout their lifecycle.<\/p>\n<\/div>

    <\/div>

    2. Who is affected by this European regulation?<\/h2><\/div>

    The Cyber Resilience Act (CRA) has been established to reinforce the security of digital products sold on the European single market.<\/b> Unlike the NIS2 directive<\/b><\/a>, which concerns a wide range of entities such as cloud providers and healthcare hosts, the CRA specifically targets digital products.<\/b> This includes any hardware or software product with digital elements, such as computers, phones, household appliances, cars, connected toys, as well as systems such as VPNs, antivirus and password managers.<\/p>\n

    The CRA defines three classes of digital products to regulate their cybersecurity. <\/b>The default category, covering 90% of digital solutions, requires only self-assessment. The other two categories, comprising 10% of solutions, require higher levels of assessment, ranging from the application of security standards to evaluations carried out by external third parties. This classification is based on the specific functionality and intended use of the product.<\/p>\n<\/div>

    <\/div>

    3. What are the objectives of the Cyber Resilience Act?<\/h2><\/div>

    Manufacturers of the products listed above will be required to comply with harmonized cybersecurity rules throughout the product lifecycle, including planning, design, development and maintenance obligations to ensure cybersecurity. <\/b>The CRA aims to:<\/p>\n