What is the Cyber Resilience Act?
The European Cyber Resilience Act (CRA) aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It was introduced by the European Parliament in September 2022 and approved in March 2024. The Act establishes common rules for manufacturers and developers.
Its key objectives include enhancing the security of internet-connected products and software in the EU market, holding manufacturers responsible for cybersecurity throughout a product’s lifecycle, and ensuring consumers receive adequate information about product cybersecurity. The legislation imposes additional obligations on those placing digital products in the EU market, emphasising reporting, compliance, vulnerability resolution, software updates, and product auditing. Notably, the Act shifts the cybersecurity burden to software developers, assuming their expertise in mitigating vulnerabilities and distributing patches, ultimately aiming for a more secure digital landscape in the EU.
Who is affected
Any manufacturer of hardware or software products connected to the internet, whether open source or not, who has EU users. In practice this means almost anyone, as you almost certainly have some EU users.
Who is likely exempt from CRA?
Anyone who develops and publishes software, or manufactures hardware containing software, on a non-profit basis is exempt from CRA requirements. There are strict definitions of what counts as “non-profit”.
How will CRA be enforced
Member States will designate market surveillance authorities (MSAs) who will enforce the obligations outlined in the CRA. When non-compliance is found, MSAs have powers to:
- require manufacturers to bring the non-compliance to an end and eliminate the risk;
- prohibit or restrict the making available of a product, or order that the product is withdrawn or recalled;
- impose penalties (including fines of up to 15 000 000 EUR or up to 2.5 % of worldwide turnover).
What software is affected?
All “products with digital elements”. There are two sub-categories of software, Class 1 and Class 2, which have higher requirements. These categories are described in detail in Annex III of the CRA and include web browsers; password managers; VPNs; network management systems; firewalls; identity management systems; operating systems; container runtime systems; etc.
The CRA does not apply to cloud computing services such as Software-as-a-Service (SaaS), which are covered by the NIS2 Directive, or to products already regulated under EU laws that apply to medical devices, in vitro diagnostic medical devices, civil aviation, motor vehicles, and products developed exclusively for national security or military purposes.
The CRA also does not apply to free and open-source software developed or supplied outside the course of a commercial activity. However, the responsibilities for open-source communities changed substantially once the community started expressing concerns, and the concept of an “open source steward” has since been introduced.
What obligations does CRA impose on me as a for-profit vendor?
The Cyber Resilience Act places software vendors under four primary categories of obligations: conducting risk assessments, maintaining documentation, performing conformity assessments, and reporting vulnerabilities. Manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements.
Below are some sample requirements per category; for the full list please refer to Annexes I, V and VI of the CRA.
Risk Assessment
- Ship software without known exploitable security vulnerabilities.
- Adhere to and implement secure development practices.
- Publicly disclose information about fixed vulnerabilities once a security update has become available.
- Make security patches and updates available without delay and free of charge.
For the full list of security assessments please refer to Annex I.
Documentation
The CRA requires you to provide:
- A Software Bill of Materials (SBOM) documenting the vulnerabilities and components contained in the product, and to apply effective and regular tests.
- Once you publish a security update, publicly disclose information about fixed vulnerabilities.
Conformity assessments:
- For Highly Critical products, the assessment must be done by an independent auditor certified by the EU.
- For other types of software, vendors can perform the assessment themselves. When they do, they shall affix the CE marking to each individual product that conforms to the type described in the EU-type examination certificate and satisfies the applicable requirements of the legislative instrument.
Vulnerability reporting:
Under Article 11 of the CRA, software publishers are obligated to report any unaddressed security vulnerabilities to the EU Agency for Cybersecurity (ENISA) within 24 hours of their discovery.
How is the use of open source affected by CRA?
When it comes to the use of open-source libraries, it is the responsibility of the supplier to track and monitor the risk associated with such libraries. Below are some extracts from the CRA regulation on this point:
- Legal persons providing sustained support for the development of free and open-source software, intended for commercial activities, should be subject to a tailored regulatory regime. (para 10d)
- The administrative cooperation group (ADCO) should undertake Union dependency assessments, and market surveillance authorities can request software bills of materials (SBOMs) from manufacturers, ensuring confidentiality through anonymised and aggregated information submission. (para 10g)
- Manufacturers must exercise due diligence when integrating components, including free and open-source software, ensuring compliance with essential requirements. Due diligence actions include verifying conformity, regular security updates, vulnerability checks, and addressing identified vulnerabilities by informing and remedying them, including for free and open-source components. (para 18a)
- In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials (SBOMs). (para 37)
In addition to the above, Article 10 sets out the obligations the CRA imposes on manufacturers:
- For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in a manner that such components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity. (para 4)
- Manufacturers shall, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements, report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Annex I, Section 2.
Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format. (para 4a)
How can Bitsea Help?
The CRA establishes a new set of requirements in the area of cybersecurity. One of the key areas into which every vendor should have clear visibility is the software supply chain. This includes the use of open source: every company must identify components, manage components, track security vulnerabilities and install patches.
In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials (SBOM).
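As an added illustration of the SBOM-driven tracking described above (example code written for this page, not a Bitsea tool and not guidance from the CRA text), the script below loads a constructed CycloneDX-style SBOM, matches its components against a constructed advisory list, and reports every component whose version falls inside an affected range. The component names, versions and advisory identifiers are all placeholders invented for the example; the version comparison handles plain dotted numeric versions and truncates suffixes such as "-rc1".

```python
"""Match SBOM components against a vulnerability list (constructed example).

The SBOM below follows the shape of a CycloneDX JSON document (components
with name, version and purl) and the advisory list is a constructed,
hypothetical feed: neither represents a real product or a real CVE.
"""
import json

# Constructed SBOM in CycloneDX-style JSON; names and versions are
# illustrative, not taken from any real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:generic/example-http@2.4.1"},
    {"type": "library", "name": "example-xml", "version": "1.9.0",
     "purl": "pkg:generic/example-xml@1.9.0"},
    {"type": "library", "name": "example-crypto", "version": "3.0.2",
     "purl": "pkg:generic/example-crypto@3.0.2"}
  ]
}
"""

# Constructed advisory feed with placeholder ids (not real CVEs).
# "introduced" is the first affected version, "fixed" the first version
# containing the fix (None means no fix is available yet).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "component": "example-http",
     "introduced": "2.0.0", "fixed": "2.4.3", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-0002", "component": "example-xml",
     "introduced": "1.0.0", "fixed": "1.8.5", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-0003", "component": "example-crypto",
     "introduced": "3.1.0", "fixed": None, "severity": "medium"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple.

    Each segment is read up to its first non-digit, so '1.2.0-rc1'
    becomes (1, 2, 0); good enough for this illustration, not a full
    semver implementation.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None: no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is None:
        return True
    return v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return one finding per SBOM component that matches an advisory range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name")
        version = comp.get("version", "")
        for adv in advisories:
            if adv["component"] != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def print_report(findings):
    """Print a human-readable summary and return the finding count."""
    if not findings:
        print("No known vulnerable components in SBOM")
    for f in findings:
        fix = f["fixed_in"] or "no fix available"
        print(f"{f['severity'].upper():8} {f['component']}@{f['version']} "
              f"affected by {f['advisory']} (fixed in: {fix})")
    return len(findings)


if __name__ == "__main__":
    print_report(find_vulnerable_components(SBOM_JSON, ADVISORIES))
```

Running the script flags only example-http 2.4.1 (inside the 2.0.0 to 2.4.3 range); example-xml is already past its fixed version and example-crypto is below the introduced version. Returning the count from print_report lets a build pipeline fail when findings are present, which is how a vendor can keep the "no known exploitable vulnerabilities" requirement checked on every release.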
Bitsea supports you in all aspects of open-source management so that you as a company are protected against non-compliance and against cyber attacks on the software supply chain. Bitsea has over a decade of experience in helping businesses understand their code and in building highly detailed SBOMs customised to their needs.
In addition we:
- Identify security vulnerabilities in the SBOM.
- Manage the SBOM: notify you whenever a new security vulnerability is detected.
- Set up tool chains to automatically analyse new software for open-source components.
- Manage FOSS data: which components are used in a software system.
- Support with ISO 5230 and ISO 18974, including preparation for certification.