The Cyber Resilience Act (CRA) was adopted by the Council of the European Union

The new version of the CRA has been published

On October 10, 2024, the Council of the European Union published the revised version of the CRA.

Once adopted, the legal act will be signed by the President of the Council and the President of the European Parliament in the coming weeks and then published in the Official Journal of the EU.

The official publication of the CRA in the Official Journal of the European Union will take a little longer.

Nevertheless, the requirements of the CRA will become mandatory in the European Union from 2027.

The CRA regulates the cybersecurity of products with digital elements and therefore affects not only consumer products, but also products used in manufacturing and industry.

Products with digital elements are one or more hardware components and associated software components that add one or more functions to the product.

Software as a Service (SaaS) and Platform as a Service (PaaS) products will not be affected by the CRA, unless the software solutions are necessary to provide functions for the product with digital elements, as is the case with cloud-connected IoT products, for example.

The CRA distinguishes between four categories of products with digital elements:

  • Low risk products
  • Important products - Class I
  • Important products - Class II
  • Critical products

The four product categories differ significantly in the applicable conformity assessment procedure, while the technical security requirements, as well as the requirements for the information that must be provided to users, remain the same for all four categories.

The most important technical security requirements for products with digital elements include:

  • Providing security updates for the entire expected lifetime of the product or at least 5 years
  • Delivery with a secure standard configuration
  • The ability to delete all data from the device
  • Ensuring the confidentiality, authenticity and integrity of processed data
  • Introducing logging mechanisms
  • Ensuring the availability of basic functions even in the event of security incidents
  • Setting up control mechanisms to protect against unauthorized access

Furthermore, cybersecurity must be considered during the design, development and manufacturing stages and a risk assessment must be carried out to ensure an appropriate level of cybersecurity.

The technical documentation must be extended for products with digital elements to include a cybersecurity risk assessment, including with regard to compliance with the cybersecurity requirements in Annex I of the CRA. Furthermore, a software bill of materials is required.

It must also include the support period for the product with digital elements, evidence of how it has been verified that the product with digital elements complies with the CRA, including any standards used, and "a description of the design, development and manufacture [...] and the procedures for addressing vulnerabilities." (Annex VII - Content of the technical documentation, sub-item 2.)

Another important innovation is the obligation to document and report vulnerabilities. An early warning of actively exploited vulnerabilities must be given within 24 hours via a reporting platform to the respective CSIRT (computer security incident response team) of the Member State and ENISA (the European Union Agency for Cybersecurity). Further information on the security incident must be submitted no later than 72 hours.

In addition to the technical requirements for products with digital elements, the CRA also regulates information requirements for the user.

These must set out in detail how the product can be operated safely and must also be included in the technical documentation.

With the exception of the obligation to report vulnerabilities, which becomes mandatory 21 months after the CRA comes into force, the CRA applies from 36 months and 20 days after its publication in the Official Journal of the European Union.

The CRA will become a regulation requiring CE marking. The declaration of conformity of the products concerned must be extended to include the CRA from the date of application.




Author

Anne Barsuhn
Junior Consultant Cybersecurity

Published on 18.10.2024
Category: Fokus Electrical and Wireless, Compliance
