
REGULATORY COMPLIANCE WITH THE CYBER RESILIENCE ACT (CRA)

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (better known by its acronym CRA) is a European Union regulation aimed at strengthening the security of products (hardware or software) containing digital elements across the entire European Union market.

In particular, it complements other regulatory frameworks such as the NIS2 Directive and the Digital Operational Resilience Act (DORA) by defining common cybersecurity requirements for digital products, from their design through their release onto the market and across their lifecycle.

Unlike the NIS2 Directive, the Cyber Resilience Act is not a directive to be transposed, but a regulation that is directly applicable in all EU Member States.

 

The objectives of this regulation are: 

  • To raise the level of cybersecurity of digital products sold across the EU.

  • To ensure that digital products are secure by design and by default, right from the design stage.

  • To improve the management of vulnerabilities and incidents.

  • To make the entire digital supply chain accountable, not just end companies.

Who is affected by the Cyber Resilience Act?

  • Embedded solutions and software marketed by the manufacturer.
    Example: security cameras, smartwatches, connected cars, intercoms, connected lighting, etc.

  • Thick client solutions marketed by the manufacturer.
    Example: locally installed business software.

  • On-premise solutions marketed by the manufacturer. Note that if an on-premise application requires a remote cloud service to function, this remote service is then included in the scope of the CRA.
    Example: ERP installed on a customer's internal servers.

  • Software components to be integrated into another on-premise system.
    Example: libraries and software building blocks sold to a third-party publisher.

The CRA therefore aims to make manufacturers responsible for security from the design stage of PENs (i.e., products containing digital elements) that will be installed or integrated into third-party systems (infrastructure, IoT, etc.).

However, certain products are not affected, namely:

  • The manufacturer's overall IT system. The CRA only targets products.
    Example: the company's internal network, company servers, intranet.

  • Solutions developed for internal use and not marketed by the manufacturer.
    Example: internal ERP that is not marketed.

  • External services or clouds not designed by the manufacturer.
    Example: Google Drive, websites, Salesforce, third-party applications not developed by the manufacturer, etc.

  • SaaS (managed cloud) solutions marketed by the manufacturer.
    Example: hosted CRM developed by the manufacturer, online software.

Thus, the CRA does not cover PENs (i.e., products containing digital elements) that are not marketed, installed, or physically integrated into third-party systems. Note that SaaS solutions are covered, under certain conditions, by the NIS2 Directive.

What are the obligations of companies affected by the Cyber Resilience Act?

Security governance - enterprise:

  • Monitoring of enterprise security indicators

  • Security policies and procedures

  • Supplier management

  • Business continuity

Security governance - product:

  • Monitoring of product security indicators

  • Secure development

  • Product and supplier risk analysis

  • Vulnerability management

Security governance - legal:

  • Analysis of legislative gaps (audits)

  • CE marking

  • EU Declaration of Conformity

  • Technical documentation/instructions

In the event of non-compliance, national authorities may impose significant financial penalties of up to €15 million or 2.5% of global turnover, depending on the severity of the breaches.


The CRA came into force on December 10, 2024, with gradual implementation.

Why is compliance with the Cyber Resilience Act important?

Compliance with this regulation by the organizations concerned is essential for several reasons:

  • To limit the exposure of organizations (both public and private) and the general public to cyber threats.

  • To improve the brand image and credibility of companies offering digital products.

  • To guarantee the security of users and their personal data for European citizens, in accordance with the GDPR.

CyberSecura supports you in achieving compliance with the Cyber Resilience Act

As part of implementing your compliance with the Cyber Resilience Act, CyberSecura supports you from start to finish, from creating secure-by-design products to obtaining CE marking for your products, including operational management of your compliance (security audits, documentation, risk management, product updates, etc.).

The first step in this service is a gap analysis to establish your current compliance status and the priority actions to be implemented.

All of our Cyber Resilience Act compliance support services are supervised and overseen by Saghar Estehghari, co-founder, CTO and expert consultant in cybersecurity.

Do you have any questions? Would you like to discuss your compliance with the Cyber Resilience Act? Book your free call and talk to our expert IT security consultants!

Saghar Estehghari, CTO at CyberSecura, tells you more about the Cyber Resilience Act!
