
The impact of Europe’s new Cyber Resilience Act

Cyber threats are on the rise, and manufacturers around the world are feeling the pressure to bolster their digital defences. For the most part, the headlines are dominated by high-profile data breaches, although smaller and mid-sized companies, especially in the manufacturing sector, tend to be just as vulnerable.

In response to these growing concerns, the European Union (EU) is passing new cybersecurity regulations. These cybersecurity laws will significantly affect the design, production, and sale of products with digital components within its borders. One of the most critical pieces of legislation is the EU Cyber Resilience Act (CRA) 2024.

What is the EU Cyber Resilience Act (CRA) 2024?

The Cyber Resilience Act (CRA) 2024 is a landmark piece of legislation proposed by the European Union [1]. Its purpose is to ensure that products that contain digital elements adhere to the necessary cybersecurity standards. The CRA takes a different approach than the previous measures, which focused on critical infrastructure. It includes a wide range of goods, from industrial gear with embedded software to consumer electronics like smart appliances.

Scope: Any product that contains digital components is subject to the CRA. In practice, this means any product whose software or hardware has some kind of connection to a network, whether direct or indirect.

Objective: The main goal is to embed cybersecurity throughout the product lifecycle, from design and development to post-market surveillance, vulnerability management, and reporting.

In other words, if you produce or import connected or smart devices into the EU, you must comply with these new cybersecurity rules.

Who does the Cyber Resilience Act 2024 apply to?

The CRA 2024 has implications for a wide array of stakeholders, both within and beyond the EU:

EU-based manufacturers: Every EU-based business whose products use digital parts will be subject to the CRA's rules.

Non-EU manufacturers selling in the EU: The regulations come into effect when a product is sold or imported into the EU, even if the manufacturer is from a different country [2]. This means American, Asian and other global manufacturers must comply if they wish to access the EU market.

Supply chain partners: Distributors and importers in the EU both have a hand in making sure items are CRA compliant. If a product is found to be non-compliant or to have known, unpatched vulnerabilities, they can both be held accountable.

By casting such a wide net, the CRA aims to elevate cybersecurity standards across the board. This ensures all the products in the EU market are safe from cyber threats.

How will the Cyber Resilience Act impact manufacturers?

Fines and penalties

Non-compliance can be costly. According to the current CRA proposal, manufacturers could face major penalties.

They may incur fines of up to €15 million or 2.5% of their annual global turnover; for the most severe offences, whichever sum is larger applies [2].

For front-line professionals, this highlights the importance of integrating secure software practices and secure hardware components from the ground up, whether you're in design, production, or maintenance.

Regulatory burden

Manufacturers will need to adopt more stringent processes for product development. They will also have to enhance their risk assessment and documentation practices to comply with the CRA 2024. This might include:

  • Implementing methods that ensure secure code.
  • Carrying out vulnerability assessments on a regular basis.
  • Providing clear product labelling about cybersecurity features and risks.

In order to meet these demands, many businesses may need to rethink how they hire for cybersecurity expertise. To ensure that components fulfil the standards, more training and a possible restructuring of the procurement process may also be needed.

Market differentiation

On the plus side, there is a chance that compliance will set you apart from the competition. Companies that take a strong stance on cybersecurity can earn the trust of regulators. They are also able to win the trust of end users, which allows them to stand out in a field that is highly competitive.

Cyber Resilience Act (CRA) timeline for manufacturers

The Act will roll out in stages, giving manufacturers time to adapt, though that window is relatively short:

EU Cyber Resilience Act 2024 compliance requirements and timelines for manufacturers

  • 10th December 2024: The CRA enters into force.
  • 11th June 2026: By this point, obligations concerning conformity assessment bodies become applicable.
  • 11th September 2026: Reporting requirements for vulnerabilities and security incidents become applicable.
  • 11th December 2027: Full application of the CRA, which will mark the deadline for complete compliance with the cybersecurity regulations.

In view of these dates, manufacturers should start assessing their compliance approach. In the event that your business has a lengthy design-to-production cycle, it is vital to prioritise the launch of cybersecurity measures at an early stage. This will help ensure readiness by December 2027.

Which products does the CRA 2024 impact?

The CRA 2024 applies to a wide range of products that have digital or network-connectable elements, including:

  • Machinery used in industry that has control systems built within it.
  • Smart sensors, robotics and industrial Internet of Things (IIoT) devices.
  • Electronics for consumers, such as connected medical equipment or smart home appliances (in cases when they are related to production processes, such as for pharmaceuticals).
  • Software applications that are part of critical supply chain operations.

If a device can connect to a network, it likely falls under the scope of the CRA. Furthermore, if it has the potential for data exchange, it is likely to also be included. Even simple devices could be subject to oversight if they have any form of connectivity.

What will the repercussions be for manufacturers trading with the EU?

For manufacturers outside the EU, the CRA 2024 sets a clear regulatory bar:

  • Import restrictions: Any product that does not fit the standards of the CRA runs the risk of being denied entry into the EU market.
  • Increased scrutiny: It's likely that certifications, documentation, and post-market surveillance activities will be subject to increased scrutiny for firms outside the EU [3].
  • Potential redesign: Redesigning or repackaging products may be necessary to meet the requirements of the CRA, in particular for those that rely on software components that are insecure or very old.

In essence, it is a must that global suppliers strengthen their cybersecurity standards. This is vital for maintaining or expanding their presence in one of the largest marketplaces in the world.

NIS2 directive and the CRA

The NIS2 Directive runs parallel to the CRA. It focuses on the cybersecurity of key infrastructure, including energy, transport, banking, and healthcare [4].

NIS2 focuses on the cybersecurity needs for organisations and infrastructure. By doing so, it ensures that service providers and operators will comply with stringent security rules. The CRA, on the other hand, places an emphasis on the products themselves.

Intersection: Manufacturers supplying products or services to critical infrastructure operators under NIS2 will likely feel the combined impact. For instance, a company that specialises in the production of industrial control systems for power plants is now tasked with new duties. It must ensure that both the operational cybersecurity of the system and the inherent product security are compliant.

Synergy: Together, these regulations aim to close cybersecurity gaps. The goal of NIS2 is to get organisations ready for cyber threats. Meanwhile, the Cyber Resilience Act aims to ensure that the products used are secure by design.

How is the CRA 2024 different from the CIRCIA 2022?

In the US, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) 2022 focuses heavily on reporting obligations for critical infrastructure operators [5]. Organisations must report significant cyber incidents. This needs to be done within a specific timeframe to the Cybersecurity and Infrastructure Security Agency (CISA).

Scope: A primary focus of the CIRCIA is the prompt reporting of cyber incidents and the protection of vital infrastructure. Meanwhile, the CRA targets the cybersecurity features of all products with digital components sold or marketed in the EU.

Preventative vs. reactive: The CRA places great value on "preventative" measures, such as secure by design and vulnerability management. CIRCIA, by contrast, is more "reactive", focusing on mandatory reporting after an incident occurs.

Global influence: The Cyber Resilience Act covers a wide range of connected goods. This suggests that the EU aims to set a higher regulatory cybersecurity standard in everyday items. This concept is less central in CIRCIA.

Cybersecurity regulations impacting manufacturers in other countries

There are many different cybersecurity standards that manufacturers all across the world are grappling to meet:

Asia-Pacific: Countries such as Singapore, Japan, and Australia are all strengthening their cybersecurity laws. This is in response to increasing threats in critical sectors, including manufacturing and supply chains [6]. They often centre their laws on the protection of data, the mandatory reporting of incidents, and the protection of infrastructure.

United Kingdom: Although it has left the EU, the United Kingdom has maintained a close alignment with the cybersecurity laws of the EU in many aspects. On the other hand, it also has the flexibility to diverge. New laws are emerging, such as the Product Security and Telecommunications Infrastructure (PSTI) Act, which focuses on the security of consumer IoT devices and may also have effects on industrial contexts.

Global trend: There is a clear indication of the direction in North America, Europe, and the Asia-Pacific region. Stricter cybersecurity laws are being enacted by governments at an alarming rate. These regulations impose substantial responsibilities on manufacturers to design secure products and maintain them over their entire lifecycle.

How the CRA has been received by manufacturers

As a first step towards market-wide cybersecurity standards, the law has the support of many major manufacturers and trade groups. This can help reduce confusion and address the challenges posed by differing national regulations. Also, it can assist in levelling the playing field, especially for small and medium-sized enterprises [7].

Some smaller manufacturers, in particular those with fewer resources to invest in new processes and training, worry about the regulatory burden and the cost of achieving compliance. They question whether the timeline is feasible and whether there is enough support available to assist them in adjusting to the new regulations.

What does this mean for future industry regulations?

The EU Cyber Resilience Act 2024 marks a broader evolution in how governments view cybersecurity. The CRA ensures that product security is prioritised. It establishes a legal requirement that spans from the initial stages to post-deployment.

Global harmonisation: Cybersecurity laws may converge as a result of other countries adopting the EU's higher standards.

Greater transparency: Expect more explicit labelling and documentation around a product’s security features, potentially similar to an “energy efficiency label” but for cybersecurity.

Elevated skill requirements: Cybersecurity literacy will become an essential skill for roles that haven’t historically focused on it. Engineers, technicians and procurement specialists may need extra training and resources.

The EU Cyber Resilience Act (CRA) 2024 is set to transform the design, production, and sale of products with digital components. This change will not only have an effect on Europe, but it will also have impacts on a worldwide scale. Its broad scope affects everyone from the smallest component suppliers to the largest OEMs. As a result, it requires an approach to product security that is both proactive and collaborative.

Time is of the essence for manufacturers. At each and every stage of the product lifecycle, businesses must build cybersecurity considerations into their operations. This is essential to meet the growing number of important deadlines approaching, the most important of which fall between December 2024 and December 2027.

The scope of this work will extend beyond mere compliance. It offers an opportunity to gain a competitive edge and improve your brand image while strengthening your supply chains and production methods.

As global standards vary, the core message remains the same: cybersecurity is no longer optional; it is vital for modern manufacturing. Embracing this shift can help future-proof operations. It can also protect valuable data and ensure that products remain safe and secure in an interconnected world.

References

[1] https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

[2] https://www.european-cyber-resilience-act.com/

[3] https://www.washingtonpost.com/politics/2023/01/03/europes-cybersecurity-dance-card-is-full/

[4] https://emteria.com/blog/nis2-vs-cra-android

[5] https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia

[6] https://www.crowell.com/en/insights/publications/asia-pacific-strives-to-keep-pace-with-cyber-threats

[7] https://www.forrester.com/blogs/european-cybersecurity-reflections-2024/