Behind the myth of the Cyber Resilience Act (or CRA for cybersecurity insiders)

The Cyber Resilience Act provides a common regulatory framework for Member States to fight the increasing number of cyberattacks to which connected devices are victim and that caused over €5,700 billion in damage in 2021. The regulations also aims to make economic players responsible for the cybersecurity of the products they offer on the European market.

The new European regulation will apply to all products with digital elements, whether they are physical devices (such as smartphones, toys, computers, etc.) or software (such as antivirus software, operating systems, etc.). However, it will not apply to connected products already governed by specific laws, such as those used in aeronautics or medicine.

In addition, this European framework will be reinforced for products which play a central role in network security or which are subject to vulnerabilities affecting many users. This includes operating systems, hypervisors, antivirus software, password managers and connected objects for the industrial sector. According to the proposed regulation, these products, which are considered “critical”, will be subject to additional obligations.

The Cyber Resilience Act, currently under discussion among the European Union bodies, does not yet exist in a final version. Talks are underway, particularly regarding open source software. An adaptation is being considered to avoid imposing the obligations of the CRA on free software communities.

To date, no specific timeline has been established for implementing the Cyber Resilience Act. Once adopted by the European Parliament, its entry into force is expected to take place approximately 24 months after its publication in the Official Journal of the European Union.

It goes without saying that the legislator intends to supervise the implementation of these new obligations. With this in mind, Member States are expected to appoint market monitoring bodies to enforce the obligations set out in the Cyber Resilience Act.

These bodies will have the opportunity to take various measures. In particular, they may ask operators to rectify non-conformities, restrict the availability of a product or eliminate a risk. They will also have the power to demand the recall or withdrawal of a product from the market.

These responsibilities will be accompanied by disciplinary measures, accompanied by a power of sanction including fines of up to 2.5% of turnover or even €15 million.

Whatever the risk level of your IoT product (default, class 1 or class 2), LACROIX will support you in ensuring that it rises to the cybersecurity challenges generated by the CRA, in particular:

• Ensure the security-by-design along the entire value chain of your product
• Provide expertise in complying with the requirements of the Cyber Resilience Act to anticipate the launch of your solution on the market
• Support the scaling up of your solution thanks to our various IoT platforms that will speed up your projects

As you will have understood, the Cyber Resilience Act is no small matter and this new cybersecurity regulation will require certain changes to be made in order to comply with and meet the standards required. LACROIX is here to support you in this legislative and technological transition, ensuring that you will comply with these new regulations.