EU Cyber Resilience Act (CRA): Vulnerability handling requirements
Obligations
Tackling vulnerabilities is at the top of the CRA's priority list. Manufacturers must handle vulnerabilities effectively for a defined support period that reflects the expected lifetime of the product; under the adopted regulation that period must be at least five years, unless the product is expected to be in use for a shorter time. During that period manufacturers are obliged to address and correct security flaws promptly. This includes:
Issuing free security updates.
Providing clear and informative messages to users:
Explaining the nature of the vulnerability.
Guiding users on necessary actions to mitigate risks.
Publicly disclosing details of fixed vulnerabilities once a security update has been made available:
Describing the vulnerabilities in detail.
Identifying the affected products with digital elements.
Assessing the severity and impact of the vulnerabilities.
Providing clear instructions on how to apply the necessary fixes.
Establishing and enforcing a coordinated vulnerability disclosure policy, so that third parties have a clear channel for reporting issues.
Reporting requirements:
Manufacturers must report any actively exploited vulnerability, and any severe incident having an impact on the security of the product, without undue delay and in any event within 24 hours of becoming aware of it. Under the adopted regulation this early warning goes simultaneously to the CSIRT designated as coordinator in the relevant Member State and to the European Union Agency for Cybersecurity (ENISA), through a single reporting platform.
The early warning is followed by a vulnerability notification within 72 hours and, as a general rule, a final report no later than 14 days after a corrective or mitigating measure is available. For severe incidents, the follow-up is an incident notification within 72 hours and a final report within one month of that notification.
As part of vulnerability handling, manufacturers are also required to apply effective and regular tests and reviews of their products' security after the product has been placed on the market, not only before release.
Price to pay
The Cyber Resilience Act (CRA) will have a two-tiered system:
EU-level coordination: The European Union Agency for Cybersecurity (ENISA) receives vulnerability and incident notifications through the single reporting platform and supports coordination between Member States.
National-level enforcement: Market surveillance authorities in each Member State enforce the regulation within their respective countries and can request information, order corrective action and impose penalties.
Significant Fines:
The CRA empowers regulators with substantial enforcement powers, mirroring other EU digital frameworks like NIS 2 and DORA.
Non-compliance with the essential cybersecurity requirements or the vulnerability handling obligations can be fined up to €15 million or 2.5% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher; breaches of other obligations carry fines of up to €10 million or 2%.
The CRA also has a separate provision for the quality of information given to authorities: supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities in reply to a request can be fined up to €5 million or 1% of global annual turnover. The provision is not conditioned on intent, so an honest but inaccurate answer given under time pressure is still exposure.
Given the size of the fines and the reputational cost of cybersecurity incidents, manufacturers should keep their cybersecurity practices and their records (vulnerability handling history, update distribution, and notifications already filed) current at all times, so they are not scrambling to gather requested information against a regulator's deadline.