New EU rules for digital security - the Cyber Resilience Act at a glance. Opportunities and challenges for your company.
The CRA is a new EU regulation that aims to improve the security of digital products. It closes an important regulatory gap and makes compliance with its requirements a prerequisite for the CE marking of affected products. With its adoption, which is expected in the coming weeks, the CRA will enter into force immediately and apply directly without transposition into national law.
The draft at a glance
The CRA applies to all products with digital elements that were not previously subject to specific regulation. This includes software, firmware and embedded logic components, with the exception of areas already tightly regulated such as medical devices or aerospace.
The draft requires that security risks be considered across a product's entire lifecycle. From development to decommissioning, manufacturers are expected to manage and document security risks. Specific requirements include, among other things, the mandatory provision of security updates for at least 5 years and the timely disclosure of security vulnerabilities within defined timeframes (24 hours).
With ambitious deadlines - 21 months for essential requirements and 36 months for all provisions - the CRA sets a tight schedule. Companies are under pressure to adapt or face significant penalties that can reach up to 2.5% of global annual turnover. A central element is the link to CE marking: conformity will now require meeting explicit security requirements.
Criticism of the CRA
The CRA has already sparked debate even before its adoption, particularly because the transition periods are perceived as short. The handling of open-source software, for which clear responsibilities are not defined, is another point of criticism. The role of notified bodies and fears of delays in product approvals are also the subject of intense discussion. Companies must adapt quickly to avoid being disadvantaged by delays or fines.
Lessons from the past
Past regulatory initiatives such as the introduction of the Medical Device Regulation (MDR) for medical devices or the General Data Protection Regulation (GDPR), which led to almost panicked adjustments, offer valuable lessons. They show that a proactive approach to compliance not only reduces risks but can also serve as a differentiator that gives companies a competitive advantage.
Strategic implications and recommendations
For companies, the CRA represents both a challenge and an opportunity. Early alignment with the new requirements can minimise the risk of regulatory penalties and strengthen market position. It is advisable to review and adapt product development and governance in good time. Aligning with international standards and best practices can help avoid reinventing the wheel. In addition, the introduction of the CRA should be used as an opportunity to establish a central regulatory monitoring function within the company to stay informed about current and upcoming regulatory requirements.
Conclusion
The Cyber Resilience Act marks a turning point in EU regulatory policy. It offers the opportunity to improve the quality and security of digital products. Through a forward-looking and strategic approach, companies can not only avoid regulatory penalties but also strengthen their market position and drive innovation. The time to act is now to set the course for a secure digital future.