EU Cyber Resilience Act (CRA): Essential Cybersecurity Requirements
The Cyber Resilience Act (CRA) divides manufacturers' cybersecurity obligations into two groups: security requirements relating to the properties of products with digital elements, and vulnerability handling requirements. In this post, we focus on the essential security requirements.
The doctoral thesis “Transparent and tool-driven security assessment for sustainable IoT cybersecurity” (Kaksonen, 2024) presents common IoT security requirement categories.
Comparing the CRA requirements against these categories shows that the CRA covers the common categories:
- Security design
- Interface security
- Authentication
- Data protection
- System updates
Further, the CRA requires that products are secure by default and free of known exploitable vulnerabilities. The requirements for personal data match the GDPR requirements. The CRA also states that a product should try to maintain its essential functions in abnormal situations without disturbing the functions of other devices or networks. In the spirit of defence in depth, the impact of an incident should be minimised. Finally, the CRA expects security monitoring and an audit log of security-related events. Altogether, the CRA provides a compact set of requirements that covers the critical security requirements well, although at a relatively high level.
The CRA essential requirements are the following:
Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity.
On the basis of the risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:
- Be made available on the market without known exploitable vulnerabilities
- Be made available on the market with a secure by default configuration
- Ensure that vulnerabilities can be addressed through security updates
- Ensure protection from unauthorised access by appropriate control mechanisms
- Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit
- Protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user
- Process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation)
- Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks
- Minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks
- Be designed, developed and produced to limit attack surfaces, including external interfaces
- Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques
- Provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user
- Provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner
Given the scope of the CRA, remote data processing solutions linked to a product, such as mobile apps or cloud back-ends, must also comply with the essential requirements.
When integrating components sourced from third parties into their products, manufacturers are responsible for ensuring that all such components comply with the essential cybersecurity requirements.
Test of Things can help you build automated testing for the EU CRA essential requirements and manage compliance throughout the product lifecycle. Get a free consultancy call with us today by contacting us.