
Early action pays off when aiming at compliance with the European Cyber Resilience Act (EU CRA)

The EU Cyber Resilience Act represents a major turning point, as it formalizes the responsibility of manufacturers, and in some cases importers and distributors, for the digital security of the products they put on the European market. This responsibility now covers all products with digital elements that can be connected to a device or network and are intended for sale in Europe. Essential cybersecurity requirements have been defined and will be adapted into industry-specific standards. Helbling has years of experience in developing products for regulatory compliance. Companies can benefit from this expertise as Helbling assists with implementing the new CRA obligations using a proven methodology combined with the latest technology.

The rise in cyberattacks on digital products has led to major financial losses [1]. At the same time, the impact of cyberattacks through digital products has grown as more and more products are connected, expanding the attack surface for cybercriminals. Vulnerabilities in the supply chain in particular have become a major risk, as they enable malicious activities such as DDoS attacks and anonymous malware delivery that support large-scale cyberattacks. A recent example is the botnet established on compromised hardware by cyber actors that the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) link to the People’s Republic of China [2].

In 2022, the European Commission proposed the EU Cyber Resilience Act (CRA, [3]). This establishes the essential cybersecurity standards for product manufacturers, whether within the EU or not, placing any product with digital elements on the EU market [4] where the “intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or a network” (CRA, Art. 2.1 [3]).

Figure 1: Timeline (Helbling)

The CRA is mandatory and required for CE marking and distribution of products with digital elements in the European market. There is still time until late 2027 to implement all the requirements. Details about the CRA and its timeline can be found at the end of the text. However, companies would be well advised to take the necessary measures today.

Helbling is an experienced partner with many years of involvement in developing products with digital elements, including numerous projects in regulated industries such as MedTech. Helbling has successfully integrated risk-based decision making and cybersecurity analysis into the design and development process and has supported companies with meeting the standards. It achieves all this while also helping its clients to implement robust security practices in their operations.

Helbling experts have adapted the existing methodology to meet the CRA, integrating the latest technologies to make implementation of the regulations as efficient and effective as possible.

The CRA will enhance the digital resilience of the entire ecosystem

According to CRA Art. 3 [3], the term “cybersecurity” is defined in Art. 2 point (1) of Regulation (EU) 2019/881 as “the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats” [5], following a defensive cybersecurity approach. By improving security, a product should always stay operational and not be compromised. However, attackers rarely target the device itself; instead, they use it as a gateway to the real target, such as the user, who may be an operator working at a production site. Therefore, as its name implies, the CRA will ultimately strengthen the digital resilience of the entire ecosystem.

The CRA includes strict enforcement. Non-compliance with the essential cybersecurity requirements laid down in Annex I and the obligations set out in Articles 13 and 14 can be penalized with fines of up to €15M or 2.5% of global yearly turnover, whichever is higher (CRA, Art. 64) [3]. The fine depends mainly on two factors: the organization at fault (principally its size), and the type of non-compliance (nature, seriousness, duration, and consequences).

How to get started?

A good starting point, once the cybersecurity requirements are clear, is to introduce threat modeling, an easy-to-use method, and to involve people in taking responsibility early on. It is especially important to include developers, whether for hardware or software. A key success factor for security is creating a mindset of “security as shared responsibility”.

The shared understanding of the system and the associated cybersecurity risks will evolve into a balanced security architecture. It is essential to prioritize the identified cyber risks in order to avoid being overwhelmed by the sheer number of attack points. Often, addressing certain risks also reduces others, which is why this assessment must be carried out iteratively.

Establishing the three key pillars

The CRA’s defensive approach can be summarized by the following three key pillars that must be fulfilled (see Annex I and Annex II [6]):

1. Secure Product: Ensuring a product is placed on the market only if it is secure by design and default.

2. Secure Operation: Obliging manufacturers to take security seriously and maintain it throughout the whole product lifecycle by providing security updates to address emerging vulnerabilities.

3. Transparency and Disclosure: Empowering users to take cybersecurity into account when purchasing and using products in a secure manner.

Figure 2: The three key pillars of CRA. Figure: Helbling

Pillar 1: Secure Product

How to achieve security by design

Applying security by design means focusing on minimizing vulnerabilities and reducing the attack surface of the whole system. It is important to take a holistic approach, as this can reveal risks that are overlooked when focusing on isolated parts of the system. As stated earlier, the product is rarely the target; therefore, a cybersecurity threat analysis should cover the full system to better understand the possible impact of attacks. This also encompasses how users interact with the system, as unintentional misuse can introduce vulnerabilities.

It is crucial to consider cybersecurity early on during product specification and design. This enables a robust architecture to be developed that can withstand cyberattacks, requiring less effort (and lower costs) than making “end-of-pipe” changes to enhance security in an existing design.

An additional important point is to always consider end-to-end security. If insecure transport channels are protected through encryption, the focus shifts to how the key is secured. With the increase in identity-based attacks, authentication of users and devices is essential. But what is the basis of the trust? Does the product’s hardware support secure boot?

How to achieve security by default

Applying the security by default principle means designing products so that the most secure configuration and settings are applied as the standard, out-of-the-box experience. Instead of relying on users to implement security measures after deployment, security features are automatically built in and enabled without requiring extra steps.

For a product, security by default usually starts by limiting potential entry points by disabling unnecessary services and elements such as diagnostic features (e.g., detailed logs). Whenever a device provides access to sensitive data, strong authentication and the principle of least privilege must be implemented. Data at rest and in transfer must be protected by encryption.

Manufacturers of products that utilize protocols like OPC UA, recognized for their security architecture, must ensure that security measures such as ACLs are not optional features, even though they may increase operational complexity.
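The configuration handling described in the three paragraphs above can be made concrete in code. The following is an added illustration, not Helbling's code and not tied to any real product: the setting names are assumptions chosen for the example. The secure baseline is the out-of-the-box state (diagnostics and unused services off, per-user authentication, a read-only default role, encryption at rest and in transit, ACLs enforced); an operator may tighten it or relax non-critical settings, but controls marked as mandatory cannot be switched off, and every deviation from the baseline is reported.

```python
"""Security by default for a device configuration (added example, hypothetical settings)."""
from copy import deepcopy

# Secure baseline applied when the device starts for the first time.
# Setting names are assumptions for this example, not a real product's schema.
SECURE_DEFAULTS = {
    "diagnostics.verbose_logging": False,   # detailed logs disabled by default
    "services.telnet": False,               # unnecessary service disabled
    "services.ssh": True,
    "auth.require_per_user_accounts": True, # strong authentication, no shared login
    "auth.default_role": "read_only",       # least privilege for new accounts
    "storage.encrypt_at_rest": True,
    "transport.tls_required": True,         # data in transfer is encrypted
    "opcua.acl_enforced": True,             # ACLs are not an optional feature
}

# Controls an operator may never switch off, even at the cost of operational complexity.
MANDATORY_CONTROLS = {
    "auth.require_per_user_accounts",
    "storage.encrypt_at_rest",
    "transport.tls_required",
    "opcua.acl_enforced",
}

# Roles an operator may assign as the default; "admin" is deliberately absent.
ALLOWED_DEFAULT_ROLES = {"read_only", "operator"}


def apply_overrides(overrides: dict) -> tuple:
    """Merge operator overrides onto the secure baseline.

    Returns (effective_config, rejected) where `rejected` lists every override
    that was refused and why. Unknown keys are refused rather than silently kept.
    """
    config = deepcopy(SECURE_DEFAULTS)
    rejected = []
    for key, value in overrides.items():
        if key not in config:
            rejected.append(f"{key}: unknown setting")
        elif key in MANDATORY_CONTROLS and value is False:
            rejected.append(f"{key}: mandatory control cannot be disabled")
        elif key == "auth.default_role" and value not in ALLOWED_DEFAULT_ROLES:
            rejected.append(f"{key}: role {value!r} not allowed as default")
        else:
            config[key] = value
    return config, rejected


def deviations(config: dict) -> list:
    """Settings that differ from the secure baseline, for the audit log or UI warning."""
    return sorted(k for k, v in config.items() if SECURE_DEFAULTS.get(k) != v)


if __name__ == "__main__":
    # Constructed operator input: one legitimate relaxation, two refused weakenings, one typo.
    effective, refused = apply_overrides({
        "services.telnet": True,
        "opcua.acl_enforced": False,
        "auth.default_role": "admin",
        "auth.nonexistent": 1,
    })
    print("effective:", effective)
    print("refused:", refused)
    print("deviations from baseline:", deviations(effective))
```

The important design choice is that the baseline is the starting point and the override path is the only way to change it, so a missing or partial operator configuration still yields a secure device rather than an open one.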


Pillar 2: Secure Operation

Providing strong support and automated testing for products with digital elements throughout the entire lifecycle is crucial. This is not just for cybersecurity but also to enable improvements and new features to be implemented rapidly and at high quality through secure software updates (addressing signing, validation, encryption, control over updates, etc.).
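The update checks listed in parentheses above (signing, validation, control over what is installed) can be shown end to end. The following is an added example, not Helbling's or any vendor's update mechanism. It assumes an update package consisting of a JSON manifest plus the payload bytes, and it uses HMAC-SHA256 as a stand-in for the manufacturer's signature scheme because the Python standard library has no asymmetric signatures; with an Ed25519 or ECDSA verifier and a public key in protected storage, the sequence of checks on the device side is the same.

```python
"""Signed update manifest: build on the manufacturer side, verify on the device side.

Added example with constructed data. HMAC-SHA256 stands in for a real signature
scheme; in production the device holds only a public key and the signing key
never leaves the manufacturer's signing service.
"""
import hashlib
import hmac
import json

# Constructed demo key (assumption for the example, not a real credential).
SIGNING_KEY = b"demo-update-signing-key-not-for-production"


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> str:
    """Signature over the canonical (sorted, compact) JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_update(product: str, version: int, payload: bytes) -> dict:
    """Manufacturer side: bind payload hash, size, product and version into one signed manifest."""
    manifest = {
        "product": product,
        "version": version,  # monotonically increasing; used for anti-rollback
        "sha256": hashlib.sha256(payload).hexdigest(),
        "size": len(payload),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest), "payload": payload}


def verify_update(update: dict, installed_version: int, product: str,
                  key: bytes = SIGNING_KEY) -> tuple:
    """Device side: all checks must pass before a single byte is written to flash.

    Returns (ok, reason). The signature is checked first so that nothing from an
    unauthenticated manifest influences later decisions.
    """
    manifest, signature, payload = update["manifest"], update["signature"], update["payload"]
    # 1. Authenticity: manifest signed by the manufacturer (constant-time comparison).
    if not hmac.compare_digest(signature, sign_manifest(manifest, key)):
        return False, "signature mismatch"
    # 2. Right product: a genuine update for another model must still be refused.
    if manifest["product"] != product:
        return False, "manifest is for a different product"
    # 3. Anti-rollback: never reinstall an older, possibly vulnerable release.
    if manifest["version"] <= installed_version:
        return False, "rollback to older or same version refused"
    # 4. Integrity: the payload is exactly what the signed manifest describes.
    if len(payload) != manifest["size"] or hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False, "payload hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    pkg = build_update("sensor-x", 12, b"constructed firmware image v12")
    print(verify_update(pkg, installed_version=11, product="sensor-x"))
    tampered = dict(pkg, payload=b"modified image")
    print(verify_update(tampered, installed_version=11, product="sensor-x"))
```

Signing the manifest rather than the raw image keeps the signature small and lets the device reject a wrong product or a rollback before it has to hash a large payload; the payload itself is still bound to the signature through the hash in the manifest.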

Efficiently managing vulnerabilities is vital when it comes to secure operation. Accordingly, the SBOM (software bill of materials) is key (Annex I, Part II, point (1) [6]), as it enables rapid assessment of a product's exposure to newly published vulnerabilities. Compiling an SBOM has become mandatory. To support CRA adoption, Germany's Federal Office for Information Security (BSI) has clarified SBOM requirements by publishing Technical Guideline TR-03183 [8]. It is important to follow a standard format to make the SBOM machine-readable and therefore actionable.

The idea of viewing security as a shared responsibility is also fundamental in operations. The term DevSecOps reflects this as a methodology that combines development, operations, and security practices that are integrated throughout the entire software supply chain. For example, the processes for creating and maintaining an SBOM should be standardized for predictability and repeatability. Creating the SBOM early (during the development phase) helps with tracking all software components from start to finish and provides transparency so that organizations have an insight into their supply chain dependencies.

During production, monitoring can be further automated through new approaches, such as AI agent-based systems, which can take over vulnerability monitoring for an SBOM and even automatically apply patches in the event of particularly severe risks.
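What "rapid assessment of a product's exposure" means in practice, for the SBOM paragraphs above, is a join between the SBOM's component list and an advisory feed. The following is an added example, not Helbling's or BSI's tooling. The SBOM is constructed in the CycloneDX JSON shape (bomFormat, specVersion, components with name, version and purl), the advisory feed is constructed sample data with placeholder identifiers rather than real advisories, and versions are compared as dotted-numeric tuples, which is an assumption that holds for the sample but not for every real versioning scheme.

```python
"""Match an SBOM against a vulnerability feed and rank the findings (added example)."""
import json
import re

# Constructed SBOM in the CycloneDX JSON shape. Component names and versions are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "sensor-x-firmware", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "libfoo-tls", "version": "1.2.5", "purl": "pkg:generic/libfoo-tls@1.2.5"},
    {"type": "library", "name": "jsonparse",  "version": "0.9.1", "purl": "pkg:generic/jsonparse@0.9.1"},
    {"type": "library", "name": "mqttlite",   "version": "3.0.0", "purl": "pkg:generic/mqttlite@3.0.0"}
  ]
}
"""

# Constructed advisory feed. Identifiers are placeholders, not real CVEs.
# A component is affected when introduced <= version < fixed_in.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "component": "libfoo-tls", "introduced": "1.2.0", "fixed_in": "1.2.7", "severity": "critical"},
    {"id": "EXAMPLE-0002", "component": "jsonparse",  "introduced": "0.0.0", "fixed_in": "0.9.0", "severity": "high"},
    {"id": "EXAMPLE-0003", "component": "mqttlite",   "introduced": "2.0.0", "fixed_in": "3.0.1", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """'1.2.5' -> (1, 2, 5). Non-numeric suffixes ('1.2.5-rc1') are dropped (assumption)."""
    return tuple(int(m) for m in re.findall(r"\d+", version))


def is_affected(version: str, introduced: str, fixed_in: str) -> bool:
    """Half-open range check on the parsed version tuple."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed_in)


def assess_exposure(sbom_json: str, feed: list) -> list:
    """Return one finding per (component, advisory) match, most severe first."""
    sbom = json.loads(sbom_json)
    advisories_by_name = {}
    for adv in feed:
        advisories_by_name.setdefault(adv["component"], []).append(adv)

    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories_by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "installed": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "upgrade_to": adv["fixed_in"],
                })
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)))
    return findings


if __name__ == "__main__":
    for f in assess_exposure(SBOM_JSON, VULN_FEED):
        print(f"{f['severity']:8} {f['component']} {f['installed']} -> {f['upgrade_to']} ({f['advisory']})")
```

Running this against a fresh feed whenever a new advisory is published is the repeatable step the text calls for; the sorted output is what a vulnerability-management process (or an automated agent, as the text suggests) would act on first.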

The level of automation and maturity in DevSecOps affects how quickly organizations can address issues and reduce exposure to threats.

Pillar 3: Transparency and Disclosure

As mentioned previously, awareness is the starting point for any security consideration. There must be clarity regarding where to request information about vulnerabilities and what the coordinated policy on vulnerability disclosure entails so that users are aware of weaknesses in the product (Annex II, point (2) and Annex I, Part II, point (5) [6]).

After addressing vulnerabilities with security updates, manufacturers are required to publicly disclose this information and provide clear guidance to users to remediate the issues (Annex I, Part II, point (4) [6]). This ensures transparency, empowering users with the knowledge necessary to safeguard their systems and take necessary actions to maintain security and resilience in a rapidly evolving digital landscape.

Throughout the entire lifecycle, end users must be provided with instructions to enable safe installation, operation, and use. In addition, the relevant technical documentation for the assessment of a product's security must be made available and kept for 10 years after the product is placed on the market (CRA, Art. 13, point (13) [3]). This extends the concept of “awareness” to the end user and implements it – again – from end to end.

Figure 3: End-to-end implementation of cyber security awareness. Figure: Helbling

Summary: CRA compliance can be managed as a continuous, iterative process

CRA is essentially an extension of CE marking. With the constant increase in threats, cybersecurity cannot be ignored anymore. There is no avoiding the need to embed security into the DNA of any manufacturer providing products with digital elements, especially to efficiently meet the requirements on vulnerability management.

The challenges may seem significant, and for some companies achieving CRA compliance can feel like a Herculean task. It is important not to panic and to start the journey. As mentioned previously, it is an iterative process, and now is the ideal time for a first iteration. Helbling supports companies and their products with digital elements throughout the entire lifecycle, from design and development to operation, combining precise knowledge of interdisciplinary teams and years of experience.


Authors: Frederic de Simoni, Martin Junghans


Factbox

6 answers for practical use

Which products does the Cyber Resilience Act apply to?

The CRA applies to all products with digital elements on the market that can be connected either directly or indirectly to another device or a network. There are some exceptions for products where cybersecurity requirements are already set out in existing EU rules, for example medical devices, aeronautical products, and cars. CRA Art. 3 [3] makes it clear that software solutions also fall within the scope of the CRA if they are linked to any product, such as a SaaS platform retrieving data from an IoT device.

What is the timeline for adopting the new regulations?

The CRA was finalized on October 10, 2024 and will be signed by the presidents of the Council and of the European Parliament. The new regulation will enter into force (EIF) twenty days after its publication in the Official Journal of the European Union. Product manufacturers have three years for full adoption. In 2026, after 21 months, notifications to the authorities will be mandatory. After 36 months, full adoption of the CRA must be complete. (CRA, Art. 71, 2) [3].

What happens to existing products with digital elements on the EU market?

Products placed on the market before 2027 (EIF + 36 months) will only need to comply if significant modifications are made to the product. This refers to changes in hardware and/or software.

How can products on the market remain compliant?

Once a product with digital elements complies with the CRA there are two potential reasons it may later become non-compliant:

1. Substantial modifications to the product are made (e.g., new software version with new features).

2. A new vulnerability has been found and must be fixed with a security update but is handled with delay.

While substantial changes can potentially be avoided, in the second case, only the organizational implementation of rapid and effective vulnerability management can help.

What are substantial modifications to software?

A software change for a product with digital elements should be considered to be substantial when the software update modifies the intended purpose of that product and those changes were not foreseen by the manufacturer in the initial risk assessment, or where the nature of the hazard has changed or the level of cybersecurity risk has increased because of the software update (PE-100-2023-INIT (2024) point (39) [7]). In contrast, minor functionality updates, such as visual enhancements, the addition of new languages to the user interface, or of a new set of pictograms, should generally not be considered to be substantial modifications.

An example of a substantial change is adding new input elements to an application, requiring the manufacturer to ensure adequate input validation. The addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk. Therefore, the new risks must be re-assessed by the manufacturer.

What about security updates?

Security updates, designed to decrease the cybersecurity risk level of a product with digital elements, do not modify the intended purpose of a product with digital elements; they are not considered a substantial modification. This usually includes situations where security updates entail only minor adjustments of the source code.

For example, this could be the case when a security update addresses a known vulnerability, including by modifying functions or the performance of a product with digital elements for the sole purpose of decreasing the level of cybersecurity risk. Therefore, a re-assessment of security risks is not necessary.

References:

1. According to IBM, the global average cost of a data breach in 2024 is USD 4.88M – a 10% increase over last year and the highest total ever, see: https://www.ibm.com/reports/data-breach

2. People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations, https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF

3. CRA, https://www.cyberresilienceact.eu/the-cyber-resilience-act/

4. The legal term “placing on the market” is defined in the Blue Guide, June 29, 2022, clause 2.3, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.C_.2022.247.01.0001.01.ENG

5. Regulation (EU) 2019/881, https://eur-lex.europa.eu/eli/reg/2019/881/oj

6. CRA Annex, https://www.cyberresilienceact.eu/the-cyber-resilience-act-annex/

7. Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No. 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act), October 10, 2024, https://data.consilium.europa.eu/doc/document/PE-100-2023-INIT/en/pdf

8. Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products, Part 2: Software Bill of Materials (SBOM), https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf?__blob=publicationFile&v=5

Contact

Frederic de Simoni

Schachenallee 29
5000 Aarau
