Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) applies to manufacturers of products with digital elements that are made available on the EU market and whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
A product with digital elements is understood as a software or hardware product together with its remote data processing solutions. It also covers software or hardware components that are placed on the market separately, such as libraries and modules sold or distributed on their own.
The CRA distinguishes three product tiers: the default category of products with digital elements, important products with digital elements (Class I and Class II, listed in Annex III) and critical products with digital elements (listed in Annex IV). The higher the tier, the more demanding the conformity assessment route and the associated obligations.
Among CRA’s main obligations are:
- Risk management: the manufacturer must carry out a cybersecurity risk assessment of the product and design, develop and maintain it so that it meets the essential requirements of Annex I. The objective is to minimise risks, prevent incidents and reduce their possible consequences, including throughout the support period by handling vulnerabilities and providing security updates.
- Technical documentation: the technical documentation of the product shall, among other things, include the cybersecurity risk assessment, a description of how the product complies with the essential requirements and a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies.
- Incident reporting: there is an obligation to notify any actively exploited vulnerability in the product and any severe incident having an impact on its security. An early warning must be submitted within 24 hours of becoming aware of it, followed by a fuller notification within 72 hours and a final report afterwards (within 14 days for a vulnerability, once a fix is available; within one month for an incident). Notifications go to the CSIRT designated as coordinator and to ENISA through the single reporting platform. In addition, impacted users must be informed without undue delay, together with any mitigating or corrective measures they can take.
- Conformity assessment: a conformity assessment of the product must be carried out before it is placed on the market, after which the manufacturer draws up the EU declaration of conformity and affixes the CE marking. Default-category products can use self-assessment (internal control); Class I important products can self-assess only when they fully apply the relevant harmonised standards; Class II important products and critical products require assessment by a notified body, or certification under a European cybersecurity certification scheme where one applies.
The CRA provides for administrative fines of up to €15 million or up to 2.5% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher, for non-compliance with the essential requirements or the reporting obligations. Lower ceilings (up to €10 million or 2%, and up to €5 million or 1%) apply to other breaches and to supplying incorrect, incomplete or misleading information.