Navigating the Cyber Resilience Act: A manufacturer's roadmap to compliance

Cybercrime has grown to become the world’s third-largest economy after the US and China, according to the World Economic Forum (WEF). Based on data from Cybersecurity Ventures, it is estimated that it will cost the world $10.5 trillion by 2025.

Pär Torstensson Product Manager IoT Nexus

"Everyone is talking about cyber and resilience these days," says Pär Torstensson, Product Manager of IoT in Nexus.

In response to these escalating challenges, the Cyber Resilience Act (CRA) and other directives such as NIS2, DORA, and RCE embody Europe's approach to combating the growing cybersecurity threats in our ever-evolving digital landscape.

Before diving into the details in this blog post, one thing is clear – the EU’s naming of its new act is right on trend.

"Everyone is talking about cyber and resilience these days," says Pär Torstensson, Product Manager of IoT in Nexus. “While 'cyber' often refers to computer-related matters only, 'resilience' has gained in popularity, particularly in a post-pandemic world. It represents the necessity to adapt during challenging times, in contrast to the more forceful tone associated with ‘cybersecurity.’”

Also read: Preparing for NIS2 - A checklist for affected entities

What is the aim of the CRA?

The Cyber Resilience Act (CRA) is an EU regulation currently being deliberated by the European Parliament that aims to enhance the cyber resilience of connected products with digital elements. To combat the growing cybersecurity challenges and costs, and address vulnerabilities, the Cyber Resilience Act has four specific goals:

  • To ensure manufacturers improve the cybersecurity of connected products with a digital component throughout the whole life cycle;
  • To create a single, coherent framework for cybersecurity compliance within the EU;
  • To increase the transparency of cybersecurity practices and properties of products and their manufacturers, and
  • To provide consumers and businesses with secure products ready for use.

If the EU regulation is approved in its current form, there will, for example, be CE marking for connected products with digital elements, making security requirements mandatory; – meaning products without CE marking could no longer be sold in the EU.

Who is responsible for CRA compliance?

At its core, the CRA regulation will apply to all software and hardware manufacturers who's products will be made available in the EU.

At its core, the CRA regulation will apply to all manufacturers of connected products with digital elements that will be made available in the EU, regardless of whether they are based in the EU or not. Connected products with digital elements include any software or hardware product that has a direct or indirect logical or physical data connection to a device or network.

Until now, European cybersecurity regulations have primarily been aimed at operators, who are also the risk owners for their “critical services.” This requires operators to shoulder cybersecurity responsibilities. However, the soaring number of security incidents within the supply chain in recent years and the rise of the internet of things (IoT) has illuminated a critical issue: operators struggle to monitor the diverse hardware and software components they are responsible for. It is often because operators lack the technical expertise and rely heavily on the manufacturers for guidance. The CRA addresses this challenge by aiming to enhance the cyber resilience of EU operators by centralizing responsibility at its core - shifting a sizable portion of these responsibilities directly onto the manufacturers.

Compliance actions and timelines for manufactures

Manufacturers must ensure compliance throughout the manufacturing process, encompassing planning, development, and production stages. Additionally, importers and distributors are tasked with verifying manufacturers' compliance.

To meet legislative requirements, manufacturers must:

  • Incorporate cybersecurity measures during the development and production of digital products. This includes encryption, access control, and regular security updates.
  • Provide technical documentation detailing their products' security features, vulnerabilities, and potential risks.
  • Collaborate on incident reporting with authorities and report incidents vulnerabilities promptly. For instance, manufacturers must notify the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of an actively exploited vulnerability. Users of the products should also be informed and, if necessary, any available measures. The manufacturer is responsible for regular safety testing and inspection of the products.

Although the Cyber Resilience Act is in its early stages, manufacturers will have a two-year window to become compliant once it is approved, while reporting obligations will apply 12 months after it enters into force (Article 57). Considering past regulations and directives, full compliance won't be mandatory until 2025 or 2026.

However, this doesn't imply that preparation should be postponed. When the General Data Protection Regulation (GDPR) was enforced in the EU, companies had to make significant changes to their operations, especially in how they handled consumer data, advertising, cookies, and more. The Cyber Resilience Act has the potential to be just as complex and revolutionary, altering the way IoT manufacturers and software providers manage security for their products.

How can Nexus help?

Nexus is your trusted partner in navigating the complex cybersecurity landscape and complying with the Cyber Resilience Act. We offer specialized expertise and guidance to ensure your products and services meet the CRA’s requirements. With our cutting-edge security solutions, built on Nexus Smart ID PKI (Public Key Infrastructure) technology, we fortify the cyber resilience of your IoT devices, ensuring compliance and safeguarding your business operations.

Join our webinar to know more





IoT security in the era of the Cyber Resilience Act (CRA)

Join our webinar as we delve into the Cyber Resilience Act and discover how trusted digital identities and secure device communication, supported by state-of-the-art PKI technology, can empower your organization to comply with this new directive.

Discover more blogs

Blog IoT IoT security Matter PKI Smart homes

The Future of Matter Smart Homes

22 February, 2024
Matter represents a significant milestone in the smart home industry, offering a unified standard that promises enhanced interoperability and a sea...
Blog Multi-Factor Authentication (MFA) NIS2 PKI Workforce Workplace Zero Trust

Preparing for NIS2 – A checklist for affected entities

13 December, 2023
Ensure NIS2 compliance. Read our blog to find out if your entity is affected and learn how to get started!
Authentication Blog NIS2 PKI Zero Trust

Mastering NIS2 compliance with trusted identities

30 October, 2023
Compliance with NIS2 will require cybersecurity investments. Learn how trusted identities can empower your organization to achieve and maintain com...