A Comprehensive Guide to the EU Cyber Resilience Act (CRA) for Manufacturers
EU Cyber Resilience Act (CRA)
Abbreviations & Terms:

| Number | Abbreviation | Description |
|---|---|---|
| 1 | ENISA | The European Union Agency for Cybersecurity |
| 2 | SBOM | Software Bill of Materials |
| 3 | CRA | Cyber Resilience Act |
| 4 | NIS2 | Network and Information Security Directive 2022/0383 |
| 5 | HSM | Hardware Security Module |
| 6 | ASIC | Application-specific integrated circuit |
| 7 | IACS | Industrial Automation and Control Systems |
| 8 | EU-CyCLONe | The European cyber crisis liaison organisation network |
1. Introduction
On 15 September 2022 the European Commission presented a legislative proposal for the EU Cyber Resilience Act (CRA), which introduces mandatory cybersecurity requirements for products with digital elements.
2. Scope
The scope of the proposal covers a broad range of devices: (digital) products that are connected directly or indirectly to another device or network, including hardware, software and ancillary services.
For example:
Hardware products and components placed on the market separately, such as laptops, smart appliances, mobile phones, network equipment, CPUs or GPUs.
Software products and components placed on the market separately, such as operating systems, software libraries, word processing, games or mobile applications.
The manufacturers and service providers of the products covered by the proposal are required to ensure that their digital products are designed and manufactured to meet the expected cybersecurity requirements and provide security updates until the end of their product life cycle (5 years).
The proposal does not cover:
Non-commercial, open-source projects - Software that is openly shared and freely accessible, usable, modifiable and redistributable.
Services, in particular Cloud/Software as a Service covered by NIS2.
Certain products which are already sufficiently regulated on cybersecurity (cars, medical devices, in vitro diagnostic devices, certified aeronautical equipment, high-risk AI systems).
Digital products that do not establish a direct or indirect data connection to other devices or networks.
3. Aim of the Proposal
Ensure that products with digital elements placed on the EU market have fewer vulnerabilities
Obligate manufacturers to remain responsible for cybersecurity throughout a product’s life cycle
Improve transparency on security of hardware and software products
4. Classification of Products
The legislation considers certain digital products 'Critical' based on the core functionality of the product.
The 'Critical' products are further divided into two subclasses (Class I and Class II) based on the level of cybersecurity risk and their use in sensitive environments.
Class I Critical Products:
Identity management systems software and privileged access management software.
Standalone and embedded browsers.
Password managers.
Malware detection and removal tools.
Virtual private network (VPN) products with digital elements.
Network management systems.
Network configuration management tools.
Network traffic monitoring systems.
Management of network resources.
Security information and event management (SIEM) systems.
Update/patch management, including boot managers.
Application configuration management systems.
Remote access/sharing software.
Mobile device management software.
Physical network interfaces.
Operating systems not covered by Class II.
Firewalls, intrusion detection/prevention systems not covered by Class II.
Routers, modems for internet connection, and switches, not covered by Class II.
Microprocessors not covered by Class II.
Microcontrollers.
Application-specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA).
Industrial Automation & Control Systems (IACS), including programmable logic controllers (PLC), distributed control systems (DCS), CNC, and SCADA, not covered by Class II.
Industrial Internet of Things devices not covered by Class II.
Class II Critical Products:
Operating systems for servers, desktops, and mobile devices.
Hypervisors and container runtime systems supporting virtualized execution environments.
Public key infrastructure and digital certificate issuers.
Firewalls, intrusion detection/prevention systems intended for industrial use.
General purpose microprocessors.
Microprocessors designed for integration in programmable logic controllers and secure elements.
Routers, modems for internet connection, and switches, intended for industrial use.
Secure elements.
Hardware Security Modules (HSMs).
Secure cryptoprocessors.
Smartcards, smartcard readers, and tokens.
Industrial Automation & Control Systems (IACS) intended for essential entities as defined in the NIS2 Directive.
Industrial Internet of Things devices intended for essential entities under the same directive.
Robot sensing and actuator components and robot controllers.
Smart meters.
4.1 Conformity Assessment for Critical Products
For 'Critical' class products, manufacturers are required to apply for a conformity assessment (CA) by the official regulatory body or an approved third-party assessor.
For products which do not fall under the 'Critical' class, manufacturers are required to self-assess to ensure that they comply with the CRA requirements.
5. Obligations of the manufacturers
Manufacturers have the following obligations when releasing a digital product under CRA regulation on the EU market:
Compliance with Essential Requirements: Manufacturers must ensure their products comply with essential cybersecurity requirements (explained in Section 6 of this document).
Cybersecurity Risk Assessment: Conduct a risk assessment to minimize risks, prevent incidents, and manage impacts related to user health and safety.
Provide Risk Assessment Report: Include a cybersecurity risk assessment report in technical documentation.
Verify Third Party Components: Exercise due diligence when integrating third-party components, ensuring they do not compromise product security.
Document Vulnerabilities: Document relevant cybersecurity aspects concerning the product, including vulnerabilities and information from third parties; update risk assessments as necessary.
Vulnerability Handling: Identify, report and fix vulnerabilities. See Section 7, Vulnerability Management.
Conformity Assessment: Carry out conformity assessment procedures, and prepare the EU declaration of conformity if compliance is demonstrated. Include the EU declaration in printed format or provide the web address to the online version.
Documentation Retention: Keep technical documentation and EU declarations accessible to market surveillance authorities for at least ten years after product placement.
Continuous Conformity: Ensure products remain in conformity with changes in development processes, design characteristics, standards, certification schemes, or common specifications.
Provide Information to Users: Provide clear instructions and information about the product's use, including language considerations to ensure understanding by users.
Take Corrective Actions: Immediately take necessary actions if a product is found not to comply with essential requirements; withdraw or recall products as appropriate.
Cooperation with Authorities: Cooperate with market surveillance authorities upon request and provide information in an understandable format for conformity assessment.
Notification of Cease Operations: Inform relevant authorities and users before ceasing operations if unable to fulfill obligations under the regulation.
Software Bill of Materials (SBOM) Format: The Commission may specify the format and elements of SBOMs through implementing acts, following a specific procedure for adoption.
5.1 Reporting obligations of the manufacturers
The proposal outlines the following reporting obligations for manufacturers concerning vulnerabilities and incidents affecting their digital products:
Vulnerability Reporting: Manufacturers must notify ENISA about any actively exploited vulnerabilities within 24 hours of discovery, providing details on the vulnerability and any measures taken to address it. Notifications are then forwarded by ENISA to relevant CSIRTs in Member States for coordinated vulnerability disclosure.
Incident Notification: Similar to vulnerability notifications, manufacturers report incidents impacting product security to ENISA within 24 hours. ENISA forwards these reports to designated single points of contact in Member States and informs market surveillance authorities.
Information Sharing with EU-CyCLONe: ENISA shares relevant information on vulnerabilities and incidents with the European cyber crisis liaison organization network (EU-CyCLONe) for managing large-scale cybersecurity crises at an operational level.
User Notification: Manufacturers promptly inform users about incidents, offering corrective measures to mitigate impact when necessary.
Commission Guidance: The Commission can specify further details on information and procedures for notifications through implementing acts, following a specific adoption procedure.
Biennial Technical Report: ENISA compiles a biennial technical report on emerging cybersecurity risks in products with digital elements, based on the notifications received, which is submitted to the Cooperation Group established under the NIS2 Directive.
Component Vulnerability Reporting: Manufacturers are required to notify the entity maintaining any component (including open source components) when they identify vulnerabilities within integrated products.
6. Cybersecurity Requirements
The proposal outlines the following cybersecurity requirements which the manufacturers must comply with:
Design, Development and Delivery Standards: Products must be designed, developed and produced to ensure an appropriate level of cybersecurity based on the risk assessment, and the delivered product must not contain any known exploitable vulnerabilities.
Secure Configuration: Products should come with a secure default configuration that includes options for resetting to original state if necessary.
Protection from Unauthorized Access: Implementing control mechanisms such as authentication, identity management systems and encryption for data confidentiality is essential.
Data Integrity and Confidentiality: Protect stored, transmitted, or processed data integrity and confidentiality using state-of-the-art encryption techniques.
Minimization of Data: Process only adequate, relevant, and necessary data related to the product's intended use (minimization of data).
Availability Protection: Safeguard essential functions against denial of service attacks and ensure resilience.
Negative Impact Minimization: Design products to minimize impact on other services provided by devices or networks.
Attack Surface Reduction: Limit attack surfaces through design, development, and production processes.
Incident Response: Use appropriate exploitation mitigation mechanisms and techniques to reduce incident impacts.
Security Information Recording/Monitoring: Record and monitor internal activities related to data access, modification, etc., for security purposes.
7. Vulnerability Management
The following summarizes the vulnerability management process required for compliance with the CRA:
Identify vulnerabilities in products.
Document components (Software Bill of Materials).
Address risks promptly through updates.
Apply regular security tests/reviews.
Disclose fixed vulnerabilities publicly.
Enforce coordinated vulnerability disclosure policies.
Facilitate information sharing about potential vulnerabilities.
Ensure secure distribution of updates.
8. Technical Documentation
The following is a summary of the technical documentation requirements:
General Product Description: Details on purpose, software versions impacting compliance, external and internal features, markings, and user information/instructions.
Design, Development & Production Processes: Full details on product design and development, including system architecture showing component interdependencies, vulnerability handling processes with specifics like the software bill of materials, coordinated disclosure policy, contact for reporting vulnerabilities, secure update distribution methods, production process validation, and monitoring.
Cybersecurity Risk Assessment: The risk assessment report of the product's design, development, production, delivery and maintenance process.
Standards Compliance: A description of the solutions adopted to meet the CRA's cybersecurity requirements.
Conformity Verification Reports: Test reports confirming compliance with essential requirements in Annex I section 1 and 2.
EU Declaration of Conformity: A copy of the declaration proving conformity with applicable regulations.
Software Bill of Materials (SBOM): SBOM is provided when necessary for market surveillance authorities to verify compliance.
Language Requirements: The technical documentation must be available in an official language of the Member State in which the relevant CRA regulatory body is established.
9. EU declaration of conformity
The EU declaration of conformity must include:
Unique product identification details.
Manufacturer's name and address or their authorized representative.
A statement that the declaration is issued under sole responsibility.
Identification of the product for traceability, possibly including a photograph if applicable.
Assurance of conformity with relevant Union harmonization legislation.
References to used harmonized standards, common specifications, or cybersecurity certifications.
Information on notified body (if applicable), description of assessment procedure, and certificate identification.
Signature by an authorized person, indicating the place and date of issue.
10. CE marking
The CE marking added to the product indicates that the product conforms to the CRA regulations. The following is a summary of the CE marking requirements:
Affixation: The CE marking should be visibly, legibly and indelibly affixed to the product or its packaging; the exception is digital-only products such as software, where it can be placed on a website instead of on the physical product.
Size: For products that are digital elements, such as software, the CE marking's height may be lower than 5 mm as long as it remains visible and legible.
Timing: The CE marking must be applied before the product is placed on the market.
Notified Body Identification: If a notified body is involved in the conformity assessment procedure, its identification number should follow the CE marking.
Compliance with Other Legislation: If a product is subject to additional EU legislation requiring the CE marking, it must also meet those requirements.
11. References
- Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454