
What companies need to implement now

The Cyber Resilience Act (CRA) was announced long ago, and now it is official: it was passed on October 10, 2024. This means that from November 2027, new minimum security requirements will apply across the EU to a large number of networked devices and their software.

Product manufacturers in particular are held responsible: with a few exceptions, and regardless of the industry, they must ensure that their products meet the security criteria for the European market.

“The transition period until the CRA must be fully complied with in 2027 is short. Companies have to reposition themselves in many areas – from conducting security risk analyses to short-term reporting obligations when vulnerabilities become known to free security updates during the expected lifespan of the product. And delaying is not an option, because failure to comply with the CRA could result in fines running into the millions,” explains Dr. Matthias Meyer, Head of Software Technology and IT Security at Fraunhofer IEM.

The research institute recommends that companies now take three steps to begin the path to CRA-compliant product development. “Rapid response to the discovery of vulnerabilities and systematic risk analyses are essential measures for meeting CRA requirements: Companies that take these measures now are already doing very well. In addition, an analysis of the current status with regard to the products and processes provides clarity for further action,” emphasizes Dr. Meyer.

First: setting up a rapid response team for emergencies

If manufacturers become aware that vulnerabilities in their products are being actively exploited, they will in future have to inform the European Union Agency for Cybersecurity (ENISA) immediately: They must give an initial warning within 24 hours and, within 72 hours, provide further details about the nature of the vulnerability, possible countermeasures and more. Apart from that, they must be reachable at all times by people who want to report security gaps, and they must keep an eye on whether vulnerabilities in a supplied software component become known. These are the tasks of a Product Security Incident Response Team (PSIRT). Manufacturers who have not yet established a PSIRT should deal with this urgently, because the duties mentioned must be fulfilled from June 2026 for all products on the market, including those that were launched long before the CRA came into force.

Second: threat and risk analyses as a central tool

Essentially, the CRA requires that manufacturers regularly analyze their products for security risks and integrate security measures adapted to these risks. Companies must build the threat and risk analysis of every product into the development process: In this way, they systematically identify threats, evaluate the respective security risk and derive informed, targeted protective measures and countermeasures. The security level of the software can therefore be raised continuously and, above all, appropriately. Developers gain a new security awareness, and expensive but unnecessary measures are avoided.

Third: Overview through current status analysis

The first two measures are important, but will not be enough: Companies need to get an idea of which CRA requirements they already meet, both in terms of their product life cycle processes and the specific products. Even though there are no harmonized standards for the CRA yet, experts agree that the existing industrial cybersecurity standard IEC 62443 provides very good guidance. Companies do not have to wait: they can carry out current status analyses of their processes and products now, derive measures from them, and thus gain valuable time in implementing the CRA.

(lb/Fraunhofer)
