With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity


On 30 November 2023, the EU took a decisive step towards bolstering cybersecurity in the Internet of Things (IoT) supply chain by reaching a political agreement on the Cyber Resilience Act (CRA). The CRA will impose a range of cybersecurity obligations on manufacturers, importers and distributors of "products with digital elements", i.e. hardware and software products placed on the EU market that are, directly or indirectly, connected to another device or to a network. The scope is broad and covers baby monitors, smartwatches, computer games, firewalls, routers and many more.

Product classification: a granular approach to risk assessment

The CRA introduces a product classification system that sorts products with digital elements into criticality classes according to the impact their compromise could have. Products outside these classes remain in scope but are subject to the default (lighter) conformity assessment regime:

  • Criticality Class I: products whose compromise could cause significant harm to individuals, property or the environment. Examples include operating systems, boot managers, microprocessors and microcontrollers with security-related functions, application-specific integrated circuits (ASICs) and FPGAs with security-related functions, identity and privileged access management systems, password managers, browsers, network management systems, physical and virtual network interfaces, routers, modems and switches, public key infrastructure and software for issuing digital certificates, malware detection software, security information and event management (SIEM) systems, virtual private network (VPN) products, and certain consumer products such as smart home devices with security functions (smart door locks, security cameras, alarm systems), internet-connected toys and personal wearables used for health monitoring or by children.
  • Criticality Class II: products that pose even higher cybersecurity risks because of their security-related functionality and their intended use in sensitive environments such as industrial settings. Examples include hypervisors and container runtime systems, firewalls, intrusion detection and prevention systems, and tamper-resistant microprocessors and microcontrollers.
  • Criticality Class III (critical products): highly critical products that can be specified by the European Commission by way of delegated acts. This class is meant to cover products used by essential entities under the NIS2 Directive 2022/2555 or products with high relevance for the resilience of the overall supply chain of products with digital elements against disruptive events.

The classification determines how a product's conformity with the essential security requirements of the CRA has to be demonstrated: the higher the potential risk, the more stringent the conformity assessment procedure.

Whereas conformity with the essential security requirements of the CRA can in principle be assessed by manufacturers themselves (based on the internal production control procedure), such self-assessment may only be applied to products in Criticality Class I if harmonised standards, common specifications or European cybersecurity certification schemes are available and applied in full. If this is not the case, a notified body must be involved in the conformity assessment procedure. Third-party involvement will in any case be mandatory for products in Criticality Class II. Finally, for highly critical products, the Commission may require manufacturers to obtain a European cybersecurity certificate under a European cybersecurity certification scheme (Regulation (EU) 2019/881, the Cybersecurity Act).

Essential security requirements

The CRA establishes a set of essential security requirements that manufacturers must meet for their digital products. These requirements are designed to minimise cybersecurity risk by addressing common classes of weakness from the outset. They include, among others:

  • Secure-by-default configuration: Products must be made available with a secure-by-default configuration, including the possibility to reset the product to its original state.
  • No known exploitable vulnerabilities: Products must be made available without known exploitable vulnerabilities.
  • Protection against unauthorised access: Appropriate control mechanisms, including authentication, identity or access management systems, must be in place, and unauthorised access attempts must be reported.
  • Confidentiality: The confidentiality of data stored, transmitted or otherwise processed by the product must be protected, for instance by encrypting relevant data at rest and in transit using state-of-the-art mechanisms.
  • Integrity: Data stored, transmitted or otherwise processed by the product, as well as commands, programmes and configuration, must be protected against manipulation or modification not authorised by the user, and the product must be able to report corruptions.
  • Data minimisation: Products should only collect and process data that is adequate, relevant and limited to what is necessary for their intended use, minimising the amount of personal or other data that is handled.
  • Availability: Essential functions must be resilient against, and able to mitigate, denial-of-service attacks.
  • Attack surface limitation: Products must be designed, developed and produced with a limited attack surface, including external interfaces, to minimise the potential entry points for attackers.
  • Logging: Products should record and/or monitor relevant internal activity, such as access to or modification of data, services or functions, to provide security-related information.
  • Vulnerability management: Vulnerabilities must be addressable through security updates, including, where applicable, automatic updates enabled by default with a clear opt-out mechanism, so that vulnerabilities can be patched in a timely and effective manner.

Security by design: embedding cybersecurity throughout the product lifecycle

The CRA emphasises the principle of "security by design", requiring manufacturers to incorporate cybersecurity considerations into every stage of the product lifecycle, from planning and design to development, production, delivery and maintenance. This holistic approach aims to prevent vulnerabilities from being built into products in the first place, reducing the overall cybersecurity risk.

Furthermore, manufacturers will be obliged to identify and document the vulnerabilities and components contained in their products, including by drawing up a software bill of materials (SBOM) in a commonly used, machine-readable format that covers at least the top-level dependencies. Vulnerabilities must be handled effectively over the product's support period, which includes a risk-related obligation to remedy security vulnerabilities without delay by providing security updates, distributed free of charge and separately from functionality updates. To ensure this, the CRA will require manufacturers to implement appropriate internal processes for handling and remedying potential vulnerabilities, to put in place and enforce a coordinated vulnerability disclosure policy, and to establish a contact point through which vulnerabilities can be reported to them.

Reporting obligations: promoting transparency and timely response

To enhance transparency and facilitate timely responses to cybersecurity threats, the CRA introduces reporting obligations for manufacturers. Manufacturers are required to report actively exploited vulnerabilities in their products, as well as severe incidents having an impact on the security of their products, to the competent national CSIRT and the European Union Agency for Cybersecurity (ENISA). Reporting follows a staged timeline: an early warning within 24 hours of the manufacturer becoming aware of the vulnerability or incident, a fuller notification within 72 hours, and a final report once corrective measures are available. This mechanism is intended to enable rapid coordination and response to critical vulnerabilities, minimising potential harm to users.

Open-source software: tailored requirements for enhanced security

Recognising the complexities and diverse development models of open-source software, the CRA adopts a differentiated approach. Free and open-source software that is not supplied in the course of a commercial activity falls outside the scope of the CRA altogether. Open-source software developed under the umbrella of a supporting organisation, such as the Linux Foundation or the Apache Software Foundation (referred to in the compromise text as an "open-source software steward"), will be subject to simplified requirements: the steward must put in place a cybersecurity policy and cooperate with market surveillance authorities, but is not subject to the full conformity assessment procedure or to administrative fines.

To distinguish open-source software developed under the umbrella of a supporting organisation from other open-source software, the CRA introduces the concept of software "jointly developed under the umbrella of a supporting organisation". This term applies to open-source software that meets the following criteria:

  • The software is developed by a group of individuals or organisations that collaborate on the project.
  • The software is released under a free open-source licence.
  • The supporting organisation provides resources and support for the development of the software.

Open-source software that does not meet these criteria and is placed on the market in the course of a commercial activity (for example, as part of a paid product or with paid support) will be subject to the same requirements as other products with digital elements. This distinction aims to strike a balance between security and fostering a supportive environment for open-source development.

Timeline and implementation: standardisation and adapting to the new landscape

The finalisation of the CRA text should pave the way for the CRA to be adopted and published in the Official Journal of the European Union before the European Parliament elections in June 2024. Once in force, manufacturers, importers and distributors will have three years (36 months) to adapt to the new requirements. A shorter 21-month transition period applies to the reporting obligations for actively exploited vulnerabilities and severe incidents.

It is hoped that guidance documents and, above all, harmonised standards for the product categories covered will be available with sufficient lead time before the new requirements become applicable. This is all the more important since the availability of harmonised standards is a prerequisite for the self-assessment of products listed in Criticality Class I.

Given the broad scope of application of the CRA, an extensive standardisation effort is to be expected, within which the current standardisation work under Delegated Regulation (EU) 2022/30 to the Radio Equipment Directive (covering network protection, personal data and privacy, and protection from fraud for internet-connected radio equipment) can be leveraged, at least in part.

For more information on the CRA and how it could affect your EU-based business, contact your CMS client partner or these CMS experts.