The European Union (EU) Cyber Resilience Act (CRA) Decomposed: SCOPE
The EU CRA will enter into force tomorrow, on December 10th, 2024. To shed more light on the legislation, we will be publishing a three-part blog series on the matter with the following breakdown:
Part 1: Scope
Part 2: Essential Cybersecurity Requirements
Part 3: Vulnerability handling requirements
Part 1: Scope
The European Union (EU) Cyber Resilience Act (CRA) aims to ensure more secure hardware and software products for the EU market. The CRA defines products with digital elements as 'any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately'. The regulation applies to 'products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.'
Simply put, CRA regulates the cybersecurity of a wide range of digital products, including:
Connected devices: Consumer and industrial IoT devices
Software: Operating systems, non-embedded software, and AI systems
Cloud services: When they are integral to digital, connected devices.
The CRA’s scope is broad because “components” of products with digital elements and those products’ “remote data processing solutions” are also in scope. The latter means that the CRA catches any software designed and developed by the manufacturer, or under the manufacturer's responsibility, without which the product cannot perform one of its functions. For example, a mobile app (provided by a smart home device manufacturer) that lets users remotely control their devices would fall under the CRA as a remote data processing solution.
Device categories
The CRA divides digital products into two main categories based on their level of risk.
The first is non-critical products, i.e., hardware and software with a low level of criticality (e.g. hard drives, smart home assistants, connected toys, industrial IoT devices).
For non-critical products, which represent 90% of products on the market, manufacturers must conduct a self-assessment and declare that their products comply with all the CRA security requirements. The results of the self-assessment must be presented to the authorities upon request.
The second category is critical products, which are further divided into two sub-categories: Class I lower risk (e.g. virtual private networks, routers, switches and other network components) and Class II higher risk (e.g. hypervisors, containers and smart meters), reflecting criticality and intended use.
The process to demonstrate compliance differs for critical products based on the sub-category. For critical Class I products, the manufacturer may still carry out a self-assessment if i) the product already complies with applicable cybersecurity standards; otherwise, ii) if the manufacturer has not applied such standards or schemes, it must undergo a conformity assessment performed by a third party (Conformity Assessment Body, CAB).
For critical Class II products, manufacturers are subject to a third-party conformity assessment run by a CAB. The picture below helps identify what is required of you.
ENISA, the EU agency dedicated to enhancing cybersecurity in Europe, has published a mapping of the CRA requirements to existing cybersecurity standards. For vendors that already comply with a cybersecurity standard, the mapping helps to analyse whether that compliance is sufficient for Class I products: https://www.enisa.europa.eu/publications/cyber-resilience-act-requirements-standards-mapping
For example, in the picture above by ENISA, IEC 62443-4-2, typical for a wide range of industrial IoT devices, covers the Class I self-assessment needs reasonably well.
Example devices
The EU has estimated that non-critical devices account for 90% of the market's network-connected products; they come from every corner of life, consumer and industrial alike.
Examples of Class I products are identity and access management software, standalone browsers, password managers, virus scanners (“Software that searches for, removes, or quarantines malicious software”), VPNs, operating systems, network devices like routers, modems and switches, smart home devices with virtual assistants, and smart home products with security features like smart locks, security cameras, baby monitors and alarm systems. Personal wearable devices that are not medical devices are also included in this category.
Class II products are hypervisors and containers, firewalls and intrusion detection systems, and smart meter gateways within smart metering systems.
In the second part of this series, we will focus on the essential cybersecurity requirements the CRA imposes on products.