Understanding the new Cyber Resilience Act (CRA)

The digital age has brought about unprecedented opportunities and challenges. As businesses and consumers become more interconnected, ensuring cybersecurity has become paramount.

In response to growing cyber threats, the European Union introduced the Cyber Resilience Act (CRA), a landmark regulation aimed at enhancing the security of connected products. This article explores what the CRA is, its key provisions, why designing products to meet its standards is crucial for businesses and consumers alike, and how Anglia Unicorn can help you navigate this regulation to ensure your business is compliant.

What is the Cyber Resilience Act (CRA) and what does it apply to?

The Cyber Resilience Act (CRA) is a regulatory framework proposed by the European Commission to strengthen cybersecurity across the digital ecosystem. Introduced as a proposal in September 2022 and adopted in October 2024, the new regulation will apply 36 months after its entry into force with some provisions to apply at an earlier stage. The CRA aims to set mandatory cybersecurity requirements for hardware and software products sold within the European Union (EU). The Act targets manufacturers, distributors, and importers, ensuring they integrate robust cybersecurity measures throughout the product lifecycle.

The CRA applies to a broad range of hardware and software products with digital elements, including Internet of Things (IoT) devices, consumer electronics such as smart home devices, security cameras, wearables, tablets, phones, and white goods, industrial control systems, software applications, and operating systems: essentially, any product that can be connected to the internet. Certain products that are deemed critical, such as those used in essential services like healthcare and energy, will face stricter compliance requirements.

The key objectives of the CRA are to enhance the cybersecurity of products by design, minimise vulnerabilities in digital products, increase transparency regarding security features and vulnerabilities, and improve incident response and vulnerability management.

Core provisions of the Cyber Resilience Act

The CRA sets out specific obligations for manufacturers, importers, and distributors to ensure the cybersecurity of digital products. These key provisions include:

1. Security by design and default: manufacturers must integrate security features from the initial design stage and ensure that products are secure by default. This includes implementing measures like secure authentication, encryption, and regular software updates.

2. Vulnerability management: manufacturers are required to establish procedures for managing vulnerabilities throughout a product’s lifecycle. This includes monitoring for security issues, providing patches, and notifying authorities and users of potential risks.

3. Transparency and information disclosure: vendors must provide clear and detailed information about a product's cybersecurity features and known vulnerabilities. This transparency helps consumers make informed purchasing decisions.

4. Compliance and certification: products must undergo rigorous testing and certification to verify compliance with the CRA’s requirements. Non-compliance can result in significant penalties, including fines of up to 2.5% of a company’s annual global turnover.

5. Incident reporting: companies must report significant cybersecurity incidents to relevant authorities within 24 hours of detection. This ensures timely responses and mitigates potential damages.

Adhering to the CRA’s standards is not just about regulatory compliance; it is also a business imperative that offers several critical benefits. The first is enhanced security and trust: by embedding cybersecurity into product design, manufacturers reduce the likelihood of breaches and data leaks, which builds consumer trust and enhances brand reputation.

In an ever more competitive market, compliance with the CRA will be mandatory for accessing the EU market. Businesses that meet the CRA standard will be able to expand their market presence and gain a competitive edge over non-compliant competitors. It is also particularly important to consider the legal and financial risks, as non-compliance can result in hefty fines, legal battles, and loss of market access. Investing in cybersecurity from the outset minimises these risks and ensures long-term financial stability. Designing products with cybersecurity in mind future-proofs them, ensuring they remain relevant and resilient as technology evolves, and helps reduce the costs associated with retroactive fixes and recalls. Finally, and most importantly, secure products offer better user experiences, increase customer satisfaction, and foster loyalty. In a competitive market, customer satisfaction and loyalty are a significant differentiator.

Strategy for meeting CRA standards

To align with the CRA’s requirements, businesses need to adopt clear policies and practices including conducting regular security risk assessments to evaluate products for potential vulnerabilities.

Implementing secure development practices that follow firmware and software coding standards is critical, along with conducting thorough testing during development. Businesses must also stay up to date with cybersecurity regulations and adapt accordingly, and ensure that training and education are in place so that employees remain well-versed in cybersecurity best practices. Most importantly, businesses must engage in continuous monitoring and establish processes for ongoing product monitoring, incident detection, and vulnerability management.

While the CRA sets clear standards, achieving compliance can be challenging for some businesses because of the technical complexity of integrating advanced security features and the need to keep up with evolving cyber threats, which requires continuous investment in research and development. Small and medium enterprises (SMEs) in particular may struggle with the costs associated with compliance. Added to this, ensuring that every component in a product’s supply chain meets CRA standards can be complex.

Anglia Unicorn can help customers develop a CRA strategy with access to white papers, training, and technical resources to assist during the development of products and their deployment into the marketplace. We have a wide selection of microcontroller, microprocessor, memory, wireless connectivity, and System on Module (SoM) products designed specifically to enhance cybersecurity, available from our world-leading partners including STMicroelectronics, Telit Cinterion, Digi International, and Winbond, to name just a few.

Embracing the Cyber Resilience Act for competitive advantage

The Cyber Resilience Act is a game-changer in the digital product landscape, emphasising cybersecurity by design and lifecycle management. As cyber threats become more sophisticated, the CRA’s requirements are critical for safeguarding digital infrastructure and protecting consumers.

Businesses that proactively design products to meet CRA standards stand to benefit from enhanced security, market access, and customer trust. While compliance may pose initial challenges, the long-term rewards in terms of reduced risk, legal protection, and competitive advantage are undeniable. By embracing the CRA’s principles, companies can build a safer and more resilient digital future.

Anglia Unicorn are here to support customers at all stages of the design and deployment process, helping them meet the requirements of the CRA and benefit from enhanced customer loyalty and market access. Contact us today via www.anglia-live.com/Unicorn

This article originally appeared in the January/February 2025 issue of Startups Magazine.