The EU Cyber Resilience Act is Here: Five Regulatory Essentials to Start With

It’s understandable if you roll your eyes when you see the word “regulation” – after all, it’s a synonym for “minefield of paperwork.”

As frustrating as it can be to jump through regulatory hoops, new laws like the EU’s Cyber Resilience Act are essential for safeguarding the economy, national security, and the privacy of citizens, fostering trust in digital technologies, and ensuring that the EU remains competitive and secure.

New EU regulation: Is it just another tick box?

First proposed by the European Commission in September 2022, the EU Cyber Resilience Act (CRA) was expected to enter into force in 2024 (it had not yet done so at the time of this publication). Under the new law, manufacturers of any “product with digital elements” (i.e., any software or hardware product, including its remote data processing, that has a direct or indirect logical or physical connection to a device or network) must meet new cybersecurity requirements and take a “secure by design” approach.

An extensive number of products, such as medical equipment and cars, are already covered under existing EU laws, and the CRA is an attempt to close remaining regulatory gaps.

What products are affected?

The exact requirements that organizations must follow under the Cyber Resilience Act depend on what category their products fall into:

Default category: Under the Commission’s proposal this category was expected to cover around 90% of products with digital elements, i.e., products with only basic security relevance such as laptops and smartphones. Manufacturers of default-category products can generally self-assess conformity.

Critical Class I: Products that play a role in security infrastructure, e.g., data encryption software. These face a stricter conformity assessment route.

Critical Class II: Products with the highest risk profile, including products used in industrial contexts, e.g., supervisory control and data acquisition (SCADA) systems. These require third-party conformity assessment.

(The text later agreed by the Parliament and Council renamed these tiers “important” Class I and Class II, and added a separate “critical” category; the risk-based logic is the same.)

How long do we have?

Under the text agreed in December 2023, the main obligations apply to manufacturers, importers, and distributors 36 months after the regulation enters into force. One set of obligations arrives sooner: manufacturers must start reporting actively exploited vulnerabilities and severe incidents 21 months after entry into force.

The CRA is widely applicable to any company in the EU and to organizations with non-EU headquarters supplying products to the EU.

If your organization fails to meet the essential cybersecurity requirements, you could face administrative fines of up to €15 million or 2.5% of your total worldwide annual turnover in the previous financial year, whichever is higher. Other ramifications include expensive product reworks, recalls, market withdrawals, or the inability to affix the CE (European conformity) marking, without which the product cannot legally be placed on the EU market.

Do the good intentions outweigh the downsides?

The CRA emphasizes speed – manufacturers must submit an early warning about an actively exploited vulnerability within 24 hours of becoming aware of it (to the European Union Agency for Cybersecurity (ENISA) under the proposal; in the agreed text, to the designated national CSIRT and ENISA via a single reporting platform), followed by a fuller notification within 72 hours and a final report once a fix is available. Note that the 24-hour clock is a notification deadline, not a remediation deadline. Even so, the pressure to show progress quickly could encourage companies to ship quick fixes (“shallow fixes”) that address only the reported exploitation path, rather than root-cause fixes that take longer to engineer and test.

Overall, the goals of the CRA are clear and well-intended. Experts expect the CRA to standardize cybersecurity production requirements throughout the entire product lifecycle, from design to distribution. Hence, secure by design.

Why open source is feeling the heat

Billions of people worldwide use open source software, and it is a driving force behind innovation and cross-border collaboration in the EU. The Commission’s proposal exempted open source software only when it is developed or supplied outside the course of a commercial activity, raising the concern that any developer who receives financial compensation for an open source component could be treated as a manufacturer, with the full set of obligations and penalties that entails if the component ships with unpatched or actively exploited vulnerabilities.

Even if the developers in question didn’t create the end product, they could still be held accountable. Many developers invest their time and talent into open source projects for goodwill, fun, and innovation. But, as drafted, even a small tip, donation, or sponsorship from a grateful fellow developer risked making them liable for security flaws. The lines of liability were blurred, threatening to slow the open source revolution. The agreed text responded to this criticism: it clarifies that accepting donations without an intention to make a profit is not a commercial activity, and it introduces a lighter “open-source software steward” regime for foundations and similar organizations that support open source projects.

Five essential strategies for meeting regulatory requirements

Whether you are a manufacturer or reseller of products that must meet CRA requirements, it is important to understand best practices to ensure you don’t run into trouble.

Understand secure by design. The secure-by-design principle that underscores the CRA means manufacturers are responsible for embedding cybersecurity best practices into their products from day zero. Manufacturers should see this as a duty of care to their customers and take every precaution to mitigate known vulnerabilities, address risks, and make security settings the default.

Prioritize comprehensive documentation. Unsurprisingly, the new EU law comes hand in hand with a lot of paperwork. CRA requirements include conducting and maintaining a cybersecurity risk assessment that identifies threats, their severity, and mitigation measures, and keeping the technical documentation (including the software bill of materials covering at least the top-level dependencies) up to date throughout the support period. The most notable time-bound requirement is vulnerability reporting – manufacturers must notify an actively exploited vulnerability within 24 hours of becoming aware of it. As discussed above, the EU’s emphasis on speed is a double-edged sword.

Implement security updates. Under the CRA, it is the manufacturer’s responsibility to handle vulnerabilities effectively for a defined support period, which must be at least five years unless the product’s expected lifetime is shorter. Each security update issued must then remain available for at least 10 years after the product is placed on the market or for the remainder of the support period, whichever is longer. This requirement is designed to push manufacturers toward long-term cybersecurity sustainability rather than abandoning products shortly after launch.

Verify product conformity. When a product complies with EU regulations, it can carry the CE mark of European conformity. Under the CRA, manufacturers of default-category products can generally demonstrate conformity through an internal self-assessment, while products in the higher risk classes require assessment against harmonised standards or by a notified third-party conformity assessment body. Check early which route applies to each product so that audit and testing lead times are built into the release schedule.

Keep your finger on the pulse. Global cybersecurity regulations change as quickly as the weather. Also, the bureaucratic delays between the inception and implementation of new laws can be challenging to anticipate, and the text itself often shifts between proposal and adoption, as the CRA’s categories, deadlines, and open source provisions did. It’s always a good idea to keep your finger on the pulse and stay alert to new laws, cybersecurity news, and emerging threats.

Dotan Nahum
Head of Developer-First Security at Check Point Software Technologies

Dotan Nahum is the Head of Developer-First Security at Check Point Software Technologies. Dotan was the co-founder and CEO of Spectralops, which was acquired by Check Point Software. He is an experienced hands-on technologist and a major open source contributor, with deep expertise in React, Node.js, Go, React Native, distributed systems, and infrastructure (Hadoop, Spark, Docker, AWS, etc.). https://www.checkpoint.com/