The evolution of cyber threats has significantly amplified the economic impact of cybercrime, with global costs projected to exceed $15.63 trillion by 2029. This represents a staggering 69% increase compared to 2024, underscoring the urgency of adopting increasingly effective preventive and response measures. Cybersecurity is a multidimensional challenge requiring a coordinated approach at global, national, corporate, and individual levels.
The European cybersecurity framework: NIS 2, CRA, and DORA
In response to escalating threats, the European Union has strengthened efforts to establish a robust and coherent regulatory framework. The primary goals include protecting critical infrastructures, bolstering trust in digital services, and fostering a unified and secure digital market. A comprehensive European legal framework can overcome the fragmentation of national regulations, minimizing vulnerabilities that malicious actors might exploit.
In this context, the Cyber Resilience Act (CRA), adopted by the European Council on October 10, 2024, is the most recent pillar of the EU's cyber resilience strategy. Alongside measures like the NIS 2 Directive, it aims to enhance cybersecurity across the continent. NIS 2 and CRA operate on distinct yet complementary levels: while NIS 2 broadly defines cybersecurity requirements for entities deemed essential and important, the Cyber Resilience Act focuses on the security of products with digital components. Adhering to CRA’s requirements for product design, development, and maintenance supports compliance with NIS 2 for businesses within its scope.
DORA, the Digital Operational Resilience Act, also complements this ecosystem by extending the regulatory framework to financial entities’ operational resilience. While CRA targets products and NIS 2 addresses comprehensive security (covering essential entities), DORA emphasizes the processes within financial institutions, the backbone of Europe’s economy.
What is the Cyber Resilience Act?
The Cyber Resilience Act is a legislative measure that "introduces mandatory cybersecurity requirements for hardware and software products throughout their lifecycle" (European Commission). It reflects a growing awareness of the need to secure connected products, which are increasingly pervasive in everyday life. The vulnerabilities of these hardware devices and software systems, often characterized by low levels of cybersecurity—especially in consumer IoT products—have highlighted the need for comprehensive regulatory intervention.
What does the Cyber Resilience Act cover?
The scope of the Cyber Resilience Act is broad, encompassing all connected products, that is, products directly or indirectly linked to other devices or networks. It covers hardware and software products, ranging from smart appliances and smart home ecosystems to software packages intended for both professional and consumer use.
Historically, many products covered by the Act have lacked substantive security guarantees, which were typically limited to specific cases governed by sector-specific regulations (e.g., medical devices). The Cyber Resilience Act addresses this gap, while allowing exceptions for products already regulated in detail, software-as-a-service (considered services rather than products), and open-source software unless made commercially available.
Manufacturers, importers, and distributors
The Cyber Resilience Act applies to all parties involved in designing, producing, distributing, or importing products with digital elements for the European market. Manufacturers are primarily affected, but distributors and importers are also included regardless of their location, as long as the product is destined for the EU market. By extending security requirements to all supply chain actors, the EU aims to create a market for secure digital products, benefiting both businesses and private consumers.
When does the Cyber Resilience Act take effect?
The adoption of the Cyber Resilience Act by the European Council marks the conclusion of the legislative process. However, businesses will not need to comply with the new requirements immediately. Following its publication in the Official Journal of the EU, there will be a 36-month transition period to allow companies to implement the necessary measures.
Cyber Resilience Act: requirements and vulnerability management
What must businesses (manufacturers, distributors, importers) do to comply with the regulation? According to the European Commission, the Act "requires manufacturers to account for cybersecurity in the design and development of products with digital elements."
The specific obligations depend on the actor’s role in the supply chain. Nevertheless, all products must be free of known vulnerabilities at the time of market placement. Manufacturers must evaluate all components (hardware and software), whether developed internally or by third parties, from a security perspective. They must also adopt security-by-design and privacy-by-design principles, integrating cybersecurity from the earliest stages of product development. Furthermore, manufacturers are responsible for maintaining these standards through regular updates throughout the product lifecycle.
A key compliance topic, outlined in Annex I of the regulation, is the management of vulnerabilities by manufacturers. The Act specifies eight requirements, summarized as follows:
- Identifying and documenting vulnerabilities and components within the product.
- Timely remediation of vulnerabilities based on associated risks, including security updates.
- Periodic security reviews of the product.
- Public disclosure of resolved vulnerabilities through updates.
- Coordinated disclosure of vulnerability information.
- Measures to facilitate the sharing of potential vulnerability information, including a contact point.
- Mechanisms for secure distribution of product updates.
- Ensuring timely and free availability of security patches or updates.
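As an added illustration (not text or code from the article, the Commission, or the regulation itself), the following Python sketch shows what the first two Annex I points look like in practice for a manufacturer: a component inventory in the spirit of an SBOM is matched against a list of vulnerability advisories, affected components are ranked by severity, and the result feeds the "no known vulnerabilities at market placement" check. Every component name, version, supplier, advisory identifier and severity below is a constructed placeholder, and the version-comparison rule is a simplifying assumption for the example.

```python
"""
Added example: matching a product component inventory against known
vulnerability advisories. All data is constructed; advisory refs are
placeholders, not real CVE identifiers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Component:
    name: str
    version: str
    supplier: str  # "internal" or "third-party": the CRA asks for both to be assessed


@dataclass
class Advisory:
    component: str
    affected_below: str        # versions strictly lower than this are affected (assumption)
    fixed_in: Optional[str]    # None means no fixed release exists yet
    severity: str              # "critical" | "high" | "medium" | "low"
    ref: str                   # placeholder advisory identifier


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "1.2.10" into (1, 2, 10) so versions compare numerically, not lexically.
    Non-numeric fragments compare as 0 (simplification for the example)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def match_known_vulnerabilities(sbom: List[Component], advisories: List[Advisory]) -> List[dict]:
    """Return one finding per (component, advisory) pair where the shipped
    version falls in the affected range, highest severity first."""
    findings = []
    for comp in sbom:
        for adv in advisories:
            if adv.component != comp.name:
                continue
            if parse_version(comp.version) < parse_version(adv.affected_below):
                findings.append({
                    "component": comp.name,
                    "version": comp.version,
                    "supplier": comp.supplier,
                    "advisory": adv.ref,
                    "severity": adv.severity,
                    # Remediation is an upgrade when a fix exists, otherwise a
                    # mitigation decision that must be documented before placement.
                    "fix": adv.fixed_in,
                })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def ready_for_market_placement(findings: List[dict]) -> bool:
    """Annex I gate as the article summarises it: no known vulnerabilities
    may remain at the time the product is placed on the market."""
    return len(findings) == 0


# Constructed component inventory for a hypothetical device.
SBOM = [
    Component("libtls-demo", "1.2.3", "third-party"),
    Component("ui-framework", "4.0.1", "third-party"),
    Component("firmware-core", "2.7.0", "internal"),
]

# Constructed advisories; refs are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("libtls-demo", "1.2.5", "1.2.5", "critical", "EXAMPLE-ADV-001"),
    Advisory("ui-framework", "3.9.0", "3.9.0", "high", "EXAMPLE-ADV-002"),
    Advisory("firmware-core", "2.8.0", None, "medium", "EXAMPLE-ADV-003"),
]

FINDINGS = match_known_vulnerabilities(SBOM, ADVISORIES)

if __name__ == "__main__":
    for f in FINDINGS:
        action = f"upgrade to {f['fix']}" if f["fix"] else "no fix available: mitigate and document"
        print(f"[{f['severity']}] {f['component']} {f['version']} ({f['supplier']}) "
              f"{f['advisory']}: {action}")
    print("ready for market placement:", ready_for_market_placement(FINDINGS))
```

In the constructed data, ui-framework 4.0.1 is above the affected range and produces no finding, libtls-demo is affected with an upgrade path, and firmware-core is affected with no fixed release, which is the case a manufacturer has to resolve (or mitigate and document) before placement rather than ship.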
Manufacturers must undergo a conformity assessment procedure to verify that the required security mechanisms are in place; the rigour of the procedure varies with the product's risk level. After successful evaluation or self-assessment (where applicable), manufacturers may affix the CE marking, signifying compliance with the Cyber Resilience Act. This mark assures users—both businesses and consumers—of the product’s adherence to high cybersecurity standards, eliminating the need for independent verification.