Fit for the CRA

The regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), contains requirements for the cybersecurity of products with digital elements. In an interview, Matthias Kuczera, expert in “Functional Safety – Standards” at Pilz GmbH & Co. KG, explains exactly what these are and how affected companies can prepare well for the CRA.

Mr Kuczera, why do we need EU legislation on cyber resilience? And who is affected by the requirements?

The aim of the Cyber Resilience Act is to provide better protection from cyber attacks for consumers and businesses. The CRA contains a variety of specifications for manufacturers, importers and distributors of products with digital elements, which are capable of communicating with other products. This includes hardware and software products.

“Without Security, a machine with all its Safety measures is vulnerable and unprotected.”

Matthias Kuczera, expert in “Functional Safety – Standards” at Pilz GmbH & Co. KG.

Consumer products such as smartphones, laptops, smart home devices, smartwatches and connected toys are affected. B2B products such as controllers and sensors also fall under the scope of the CRA. Software products such as operating systems are also affected.

When must the requirements of the Cyber Resilience Act be implemented?

The CRA is an EU Regulation and not a Directive. So, in contrast to the NIS-2 Directive, it is directly applicable in all EU member states and national implementation is not required. However, there is a transition period. The CRA is to be implemented in various stages, from the end of 2024 until mandatory application from 11 December 2027. Manufacturers’ reporting obligations will apply from 11 September 2026, and requirements to notify conformity assessment bodies will apply from 11 June 2026.

What specifically is required in the legally binding CRA?

The new Regulation is binding on manufacturers, importers and retailers. All products that contain digital elements and bear the CE mark must guarantee an appropriate level of cybersecurity. To summarise, this means there are specific requirements for risk assessment and guarantee, vulnerability management, documentation and reporting obligations.

An overview of the key requirements:

Risk assessment and guarantee

Manufacturers must design and develop products in such a way that an appropriate level of cybersecurity is guaranteed during the whole product lifecycle.

Vulnerability management

Manufacturers must eliminate known vulnerabilities through free security updates, unless otherwise agreed between the manufacturer and commercial user with regard to a customised product.

Documentation

Manufacturers must identify and document vulnerabilities and components in their products. Part of this documentation includes the production of a software bill of materials (SBOM) in a machine-readable format.

The way in which security gaps are handled should also be documented, for example, when a manufacturer provides security updates for its product.

Reporting obligations

Within 24 hours of becoming aware of each actively exploited vulnerability and each serious security incident, the manufacturer must report it via the ENISA reporting platform (European Union Agency for Cybersecurity), in the form of an early warning. The manufacturer has up to 72 hours to add further details. A final report must be submitted within 14 days for each actively exploited vulnerability or within one month for each serious security incident.

Do you have any tips for machine manufacturers?

For decades, Pilz has been supporting machine builders and users with the Safety of their plant and machinery – including with the new requirements for Industrial Security. Because without Security, a machine with all its Safety measures is vulnerable and unprotected. Precautionary measures are a must. We recommend that machine manufacturers address the requirements of the CRA promptly, and work with component manufacturers and operators to develop cooperation concepts. Typical questions that need to be clarified between economic actors include: In which network zone should a machine be operated? How should software updates be handled? When does component support end? For how long can users expect to receive security updates and have vulnerabilities fixed? What constitutes a “substantial modification” to a machine?

Only when questions like these are clarified can each economic operator fulfil its new organisational and technical obligations. It is also helpful to always keep up to date. Subscriptions to newsletters and RSS feeds on eur-lex.europa.eu will keep you informed about legislative changes at EU level. I also recommend the Common Security Advisory Framework (CSAF) for implementation of the CRA requirements. It is a standardised, open source framework for communication and automated distribution of machine-processable vulnerability and mitigation information, known as Security Advisories.
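As an added illustration of the CSAF format recommended in the answer above (example code written for this page, not code from Pilz or the CSAF project): a small Python consumer that reads a constructed CSAF 2.0 advisory, flattens its product tree and reports whether a given product id is listed as affected or fixed and which vendor remediation applies. The vendor, product names, tracking id and CSAFPID values are all hypothetical.

```python
"""Minimal CSAF 2.0 consumer: is one of my components affected by an advisory?"""
import json

# Constructed sample advisory in CSAF 2.0 layout (hypothetical vendor, product and ids).
SAMPLE_ADVISORY = json.dumps({
    "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
                 "title": "Constructed example advisory",
                 "publisher": {"category": "vendor", "name": "Example Vendor",
                               "namespace": "https://example.invalid"},
                 "tracking": {"id": "EXAMPLE-0001", "status": "final", "version": "1",
                              "initial_release_date": "2024-01-01T00:00:00Z",
                              "current_release_date": "2024-01-01T00:00:00Z"}},
    "product_tree": {"branches": [{"category": "vendor", "name": "Example Vendor",
        "branches": [{"category": "product_name", "name": "Example Controller",
            "branches": [
                {"category": "product_version", "name": "1.0",
                 "product": {"name": "Example Controller 1.0", "product_id": "CSAFPID-0001"}},
                {"category": "product_version", "name": "1.1",
                 "product": {"name": "Example Controller 1.1", "product_id": "CSAFPID-0002"}},
            ]}]}]},
    "vulnerabilities": [{
        "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
        "remediations": [{"category": "vendor_fix", "details": "Update to 1.1",
                          "product_ids": ["CSAFPID-0001"]}],
    }],
})

def product_names(product_tree):
    """Flatten the nested product_tree branches into {product_id: product name}."""
    names = {}
    def walk(branches):
        for branch in branches:
            if "product" in branch:  # leaf node: a concrete product with an id
                names[branch["product"]["product_id"]] = branch["product"]["name"]
            walk(branch.get("branches", []))
    walk(product_tree.get("branches", []))
    return names

def assess(advisory_json, product_id):
    """Return (product_status, vendor remediation) for product_id, or ('not_listed', None)."""
    advisory = json.loads(advisory_json)
    if product_id not in product_names(advisory.get("product_tree", {})):
        return "not_listed", None
    for vuln in advisory.get("vulnerabilities", []):
        for status, ids in vuln.get("product_status", {}).items():
            if product_id in ids:
                fixes = [r["details"] for r in vuln.get("remediations", [])
                         if product_id in r.get("product_ids", [])]
                return status, (fixes[0] if fixes else None)
    return "not_listed", None
```

An operator can run `assess()` over every advisory in a vendor's CSAF feed with the product ids of the components in a machine to answer the "how should software updates be handled" question above in an automated way.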

