Cyber Resilience Act (CRA) is Here to Stay

What is the Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act (CRA) is intended to be a big step forward in cybersecurity for digital products. The draft, published in September 2022, formally adopted by the European Parliament in March 2024 and enacted in October 2024, will require all products "with digital components" (see below) in the EU to carry a CE mark that includes cybersecurity requirements. Products that do not meet the security requirements can no longer be sold, with penalties for non-compliance; digital products are now subject to the same security standards as physical goods. Manufacturers of digital products, such as software and IoT devices, are responsible for making their products secure and proactively managing vulnerabilities, and this applies to all products with digital elements that are manufactured, imported, or distributed in the EU.

Cyber Resilience Act (CRA) vs. NIS2: What's the difference?

The Cyber Resilience Act and NIS2 are closely related pieces of legislation. They aim to strengthen companies' cyber resilience but have different priorities.

In short, the CRA and the NIS2 Directive work together to ensure the EU has a sound cybersecurity strategy. They do this by requiring products, critical services, and infrastructure to be more secure. The CRA focuses on products and product development, while the NIS2 focuses more on infrastructure and critical services. The CRA goes hand-in-hand with other legislation when it comes to supply chain security risks, as we've seen with incidents such as attackers gaining access to Cisco's DevHub portal, attacks on SolarWinds' Web Help Desk, or CVE-2024-47575 in FortiManager firewall management software, which is being actively exploited. One of the main things the CRA is asking manufacturers or vendors for is a Software Bill of Materials (SBOM), which is a complete list of all the software components and helps operators to spot and fix any problems quickly. We'll be sharing more about our own SBOM initiatives, documentation, and other responsibilities as a software vendor in the next blog. In addition to documentation and vulnerability management, the CRA requires regular security updates, machine-readable vulnerability reports, and responsible disclosure processes. Vendors and manufacturers must report exposures within 24 hours, and ENISA, as the central authority, plays an essential role in implementing and coordinating these measures.

The CRA has different requirements for different types of businesses but has many things in common.

What you need to know about the obligations

Products must be secure by design, with minimal attack surface and secure update mechanisms. Producers must ensure products are designed with solid security features from the start. These features should cover potential vulnerabilities and ensure the products operate securely.

• Risk management: The obligation to perform risk analysis to identify and mitigate potential security threats early in the product's lifecycle.
• Technical documentation: All the technical details, including risk assessments, updates, and development processes, must be together.
• Development process: A secure development process must be in place and “lived” by the organization.
• Vulnerability management: Vendors must provide updates to fix identified vulnerabilities for at least five years after selling the product.
• Conformity assessment: Depending on the risk class, products are inspected, examined, or put through a quality assurance process.
• Security requirements: Cybersecurity requirements cover measures from planning and development to production, delivery, and maintenance.
• Vulnerability handling: Vendors must quickly identify, document, and fix vulnerabilities and inform users.
• Open-source as an exception: Open-source developers are exempt unless they use open-source components in commercial products.

Will everything be okay now?

The German Federal Office for Information Security (BSI) and other European authorities are pleased to see the EU adopt the CRA. Claudia Plattner, the president of BSI, says the CRA promotes transparency and gives clear instructions for fixing problems, which helps consumers and the industry.

(Positive?) impact on the risk of supply chain attacks?

The idea behind the CRA regulation is to improve cyber security, particularly regarding the risk of supply chain attacks. Let's take a closer look at that. The idea is that introducing binding security requirements and increasing transparency in the supply chain will make attacks via insecure third-party components more challenging and improve the general resilience of digital products. It tackles this issue in the following ways:

It requires companies to improve the visibility and control of their supply chain. This means that all hardware and software components integrated into a product must (and can!) be checked for security, and suppliers should prove that they have taken the necessary security measures before their components are integrated. A risk assessment for third-party suppliers should show whether their products have measures to reduce the risk posed by their solution. In conjunction with the SBOM, this requirement also ensures that known vulnerabilities in external dependencies can be efficiently assessed and remediated more quickly. By requiring continuous reassessment and remediation of vulnerabilities, the CRA forces manufacturers to regularly review their products even after they have been launched. This reduces the risk of attackers being able to exploit undiscovered vulnerabilities over more extended periods.

So, will everything be (really) OK now?

While the Cyber Resilience Act is an essential step toward improving cybersecurity, several areas need to be enhanced to ensure comprehensive and immediate protection against supply chain attacks. First, the CRA will not be fully implemented until 2027, leaving a gap of several years in which companies and their infrastructure will remain vulnerable to these attacks. And obviously, the act will not prevent any supply chain attack. Cybercriminals operate in a rapidly growing and ever-changing threat environment, and until the CRA is fully implemented, many customers will remain unaware of lacking protection.

The CRA focuses on security requirements for end products, but many vulnerabilities originate more profoundly in the supply chain, components supplied by subcontractors, or open-source software. CRA also offers security certifications for some products. However, because these certifications are merely voluntary, vendors may not seek certification due to cost or time constraints, which somewhat undermines the effectiveness of the law.

There is always a risk of over-dependence on one or a few suppliers

While the CRA holds suppliers accountable, the responsibility for implementing security measures and managing vulnerabilities remains mainly with the companies themselves. Heavy reliance on manufacturers or software vendors in a single-vendor strategy can still create supply chain vulnerabilities, even with CRA in place (and even more during the transition period that still lasts till 2027), because not all manufacturers may proactively address security vulnerabilities or fully comply with required standards, leaving gaps in the overall cybersecurity posture.

And who will do the job until then?

The need to manage the security posture in-house or with a managed service is evident if the question is more about when my next supply chain attack might occur. In addition to an Endpoint Detection and Response (EDR) for endpoints, especially in the IT network, a Network Detection and Response (NDR) solution can continuously monitor for threats and possible malicious communications that could be caused by malware exploiting vulnerabilities in IT/OT/IoT environments.