CRA Regulation: Increasing the security of the software and hardware we use
The CRA regulation imposes obligations on manufacturers, importers, and distributors to ensure secure software and hardware in the EU market
Can the monitor a parent uses to watch their baby sleeping peacefully in its crib be hacked? What about toys connected to the Internet? The European Union has adopted the Cyber Resilience Act (Regulation (EU) 2024/2847), popularly known as the CRA regulation, a pioneering regulation that sets out the cybersecurity requirements that software and hardware placed on the EU market must meet.
The objectives of the CRA regulation are:
- Ensure the cybersecurity of the hundreds of thousands of products with digital elements used by citizens and businesses daily.
- Establish cybersecurity requirements from design for digital products.
- Strengthen the security of products throughout their life cycle, including managing vulnerabilities that may affect them.
- Increase the capacity to monitor software and hardware used in the EU.
- Provide assurance to users of digital products on compliance with cybersecurity requirements through CE marking.
Below, we analyze the key aspects of the CRA regulation that manufacturers, importers, and distributors of hardware and software in the EU must consider to comply with the regulation and avoid heavy penalties.
1. Which products are covered by the CRA regulation?
The following products must comply with the security requirements of the CRA regulation:
- Products with digital elements, meaning:
- Software.
- Computer hardware.
- Remote data processing solutions on which the product's functions depend.
- Whose intended purpose or reasonably foreseeable use includes a direct or indirect, logical or physical data connection to a device or a network.
However, the regulation establishes exceptions when defining its scope. Products with digital elements in the following areas are already covered by sector-specific EU rules with equivalent cybersecurity requirements and remain regulated by them:
- Medical devices and in vitro diagnostic medical devices.
- Motor vehicles.
- Civil aviation.
- Marine equipment.
In addition, the regulation does not apply to products developed or modified exclusively for national security or defence purposes, or designed specifically to process classified information, nor to spare parts that replace identical components and are manufactured to the same specifications.
Likewise, within the products that must comply with the security requirements of the regulation, the standard establishes two special categories: important products and critical products. These products must undergo a more stringent CRA conformity assessment process than products that do not fall into these categories.
1.1. Important products
The CRA regulation lists more than 20 important products with digital elements, divided into two major groups:
- Class I:
- Identity management systems and privileged access management software and hardware, including authentication and access control readers such as biometric readers.
- Browsers, either stand-alone or integrated.
- Password managers.
- Software used to detect, remove or contain malware.
- VPNs.
- Network management systems.
- SIEM.
- Boot managers.
- Public key infrastructure and digital certificate issuance software.
- Physical and virtual network interfaces.
- Operating systems.
- Routers, modems and switches.
- Microprocessors and microcontrollers with security-related functionalities.
- ASICs and FPGAs with security-related functionalities.
- Virtual assistants for smart homes.
- Smart home products with security functionalities, such as smart door locks, security cameras, baby monitoring systems and alarm systems.
- Internet-connected toys with social interactive features (such as speaking or filming) or with location-tracking features.
- Personal wearable products worn or placed on the body for health monitoring purposes (where the medical device regulations do not apply), or wearables intended for use by children.
- Class II:
- Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments.
- Firewalls and systems to prevent and detect intrusions.
- Tamper-resistant microprocessors and microcontrollers.
1.2. Critical products
The CRA regulation also sets out three categories of critical products with digital elements:
- Hardware devices with security boxes.
- Smart meter gateways within smart metering systems, and other devices for advanced security purposes, including secure cryptoprocessing.
- Smart cards or similar devices, including secure elements.
2. What are the main obligations of hardware and software manufacturers?
The CRA regulation establishes a series of obligations to manufacturers, importers and distributors of digital products in the European Union.
A wide range of obligations are established in the specific case of hardware and software manufacturers. Most of them are product-related, while the rest concern reporting to the authorities and informing users.
2.1. Continuous assessment and immediate notification
Thus, among the many duties of manufacturers, we can highlight the following:
- Ensure that products have been designed, developed and produced in compliance with the essential cybersecurity requirements of the CRA regulation.
- Assess the cybersecurity risks of a product and consider the results from the design and throughout its life cycle to reduce risks and prevent incidents.
- Use the cybersecurity risk assessment to determine which cybersecurity requirements affect the product and, therefore, need to be met.
- Update the risk assessment regularly and include information on known vulnerabilities.
- Be diligent in integrating third-party and open-source components to prevent supply chain attacks. Report any vulnerabilities found in these components.
- Handle product vulnerabilities effectively throughout the support period. This period must reflect the time the product is expected to be in use and should be no shorter than five years, unless the product is expected to be in use for less time. Security updates must be provided free of charge and remain available for at least ten years after the product is placed on the market or for the remainder of the support period, whichever is longer.
- Prepare the technical documentation and the EU declaration of conformity and keep them at the disposal of the market surveillance authorities for at least ten years after the product is placed on the market, or for the support period, whichever is longer.
- Notify, through the single reporting platform, the CSIRT designated as coordinator in the Member State where the manufacturer has its main establishment and ENISA of "any actively exploited vulnerability present in the product with digital elements of which they are aware", and likewise of any severe incident having an impact on the security of the product. Notification is staged: an early warning within 24 hours of becoming aware, a more detailed notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available (for vulnerabilities) or within one month of the incident notification (for incidents).
- Inform users who may be affected by actively exploited vulnerabilities or serious security incidents, including the measures they can put in place to reduce the risks and mitigate the consequences of the exploitation of a vulnerability or a security incident.
2.2. Importers and distributors must also comply with the CRA regulation
Similarly, the CRA regulation imposes an obligation on importers to place only products that have met the essential cybersecurity requirements on the European market and ensure that manufacturers have assessed them correctly.
Distributors must ensure that products bear the CE marking and that manufacturers and importers have fulfilled all their obligations related to the technical documentation of the products and information to users.
Both importers and distributors must inform the manufacturer without undue delay if they become aware of a vulnerability in a product and, if it presents a significant cybersecurity risk, also inform the market surveillance authorities. Likewise, if they have reason to believe that a product does not comply with the CRA regulation, they must not place it on the market or make it available until it has been brought into conformity; if a non-compliant product has already been placed on the market, they must ensure that corrective measures are taken or, where necessary, that it is withdrawn or recalled.
3. What essential cybersecurity requirements must products meet?
Throughout this guide to the CRA regulation, we have referred several times to essential cybersecurity requirements. This is because the requirements are the cornerstone of the standard.
Thus, the CRA regulation establishes two types of requirements: those related to software and hardware properties and those related to vulnerability management.
3.1. Requirements for product properties
Firstly, the European standard dictates that all products with digital elements must be designed, developed and produced in a secure manner. In such a way, an adequate level of cybersecurity can be guaranteed, considering the risks throughout their entire life cycle.
This means that digital products must meet a series of requirements, applied on the basis of the cybersecurity risk assessment conducted by the manufacturer. These requirements cover 13 issues that are critical for digital products and for the security of the people and businesses that use them:
- Release without known exploitable vulnerabilities.
- A secure default configuration, including the ability to reset the product to its original state.
- Security updates to address vulnerabilities, where applicable installed automatically by default with a clear and easy-to-use opt-out.
- Access control mechanisms (authentication, identity or access management) to prevent and report unauthorized access.
- Confidentiality of stored, transmitted or otherwise processed data, including through encryption.
- Integrity of data, commands, programs and configuration against unauthorized manipulation.
- Protection of personal data and minimization of data processing.
- Availability of essential and basic product functions, also after an incident, including resilience against denial-of-service attacks.
- Minimization of the impact of the product on the availability of services provided by other devices or networks.
- Limiting attack surfaces, including external interfaces.
- Mechanisms to reduce the impact of security incidents.
- Recording and monitoring of relevant internal activity, such as access to or modification of data, services or functions, with an opt-out for the user.
- Ways for users to securely and easily remove all data and settings permanently and, where applicable, to transfer them securely to another product.
3.2. Vulnerability Management Requirements
Beyond software and hardware properties, the CRA regulation also imposes various requirements on manufacturers that revolve around vulnerability management. Thus, they are obliged to:
- Identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials (SBOM) in a commonly used machine-readable format covering at least the top-level dependencies.
- Address and remediate vulnerabilities without delay, distributing security updates free of charge and, once an update is available, publicly disclosing information on the fixed vulnerabilities and the affected products.
- Put in place and enforce a coordinated vulnerability disclosure policy, and facilitate the sharing of information on potential vulnerabilities, including by providing a contact address for reporting them.
- Apply effective and regular security tests and reviews of the product.
- Distribute security updates securely and accompany them with advisory messages on the actions users should take.
4. What is the mechanism for validating the conformity of products with the requirements of the CRA regulation?
The regulation lays down a conformity assessment process that includes drawing up the technical documentation of the product, carrying out an assessment, drawing up an EU declaration of conformity and affixing the CE marking. Thus, manufacturers must:
- Prepare technical documentation specifying all the means used to ensure that the product and the vulnerability management process meet the essential requirements of the CRA regulation.
- Perform a conformity assessment of both the product and the manufacturer's vulnerability handling processes, to demonstrate that all essential requirements are met. Depending on the product category, the assessment may be carried out by the manufacturer itself or by a notified body, a conformity assessment body that meets the requirements set by the CRA regulation. The available procedures are defined in the annexes of the regulation and in the EU cybersecurity certification framework:
- Internal control (self-assessment, module A).
- EU-type examination followed by conformity to type based on internal production control (modules B and C).
- Conformity based on full quality assurance (module H).
- A European cybersecurity certification scheme adopted under the Cybersecurity Act (Regulation (EU) 2019/881).
- Draw up an EU declaration of conformity for the product. This document states the product's characteristics, declares that it complies with the essential cybersecurity requirements and describes the conformity assessment procedure that was followed; by drawing it up, the manufacturer assumes responsibility for the product's compliance. Products that are neither important nor critical may be self-assessed. Important products in Class I may be self-assessed only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise, and always for Class II products, a notified body must be involved. Critical products must obtain a European cybersecurity certificate at assurance level at least 'substantial' once the Commission has made such a scheme mandatory for them.
- Affix the CE marking visibly, legibly and indelibly to the product before it is placed on the market or, where the nature of the product does not allow this, to its packaging and to the EU declaration of conformity. For software, the marking is affixed to the EU declaration of conformity or displayed on the website accompanying the software.
5. What are the penalties for companies not complying with the CRA regulation?
Manufacturers, importers and distributors who fail to comply with the CRA regulation are subject to heavy fines. The regulation leaves the design of the penalty regime to the Member States but sets common EU-wide maximum fines:
- Non-compliance with the essential cybersecurity requirements of Annex I or with the manufacturers' obligations of Articles 13 and 14 is subject to administrative fines of up to EUR 15 million or 2.5% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
- Non-compliance with any other obligation under the regulation, including the obligations of importers and distributors and the provisions on the EU declaration of conformity, the affixing of the CE marking, technical documentation, conformity assessment procedures and notified bodies, is subject to fines of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher.
- Supplying incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request is subject to fines of up to EUR 5 million or 1% of worldwide annual turnover, whichever is higher.
However, the CRA regulation provides for an exception: microenterprises and small enterprises cannot be fined for failing to meet the deadlines for the early warning notification of an actively exploited vulnerability or a severe incident.
6. When will the CRA regulation start to apply?
Although the CRA regulation was finally adopted in October 2024 and entered into force on December 10, 2024, its provisions do not apply immediately. The regulation provides for three dates from which its provisions must be complied with:
- From June 11, 2026, the rules of Chapter IV, which regulates the obligations of notifying authorities and conformity assessment bodies, will be applicable.
- From September 11, 2026, the obligations of manufacturers of products with digital elements regarding information and notification to surveillance authorities and users affected by a vulnerability or serious incident must be fulfilled.
- The remaining articles will apply throughout the EU from December 11, 2027.
Software and hardware manufacturers must therefore be prepared to meet their reporting obligations in less than two years and implement all measures to ensure security from the design stage of their products in less than three years.
7. What role do cybersecurity services play in CRA compliance?
Given the requirements and obligations outlined above, it is clear that cybersecurity services play a critical role in CRA compliance:
7.1. Risk assessments and security audits
Manufacturers must analyze the risks to which their products are exposed on an ongoing basis; hence, they must conduct a security risk assessment regularly.
In addition, they must also perform security audits to verify that all the essential requirements of the CRA regulation are met and that the products maintain an optimal level of cybersecurity.
7.2. Vulnerability management
As noted above, many of the cybersecurity requirements revolve around vulnerability management.
It is, therefore, vital for software and hardware manufacturers to have experienced vulnerability management services. These professionals have the expertise to detect vulnerabilities and prioritize their mitigation based on the likelihood of exploitation and the impact they may have on the product and its critical functions.
Efficient and continuous vulnerability management is critical to ensure that products have adequate security.
7.3. Detection of emerging vulnerabilities
Exploitation of zero-day vulnerabilities is one of the greatest threats facing digital product manufacturers.
For this reason, emerging vulnerability detection services are key to acting as quickly as possible when a vulnerability is discovered and taking measures to mitigate it before it is successfully exploited.
7.4. DoS testing
One of the cybersecurity requirements of the CRA regulation is to ensure the availability of products even when security incidents occur.
The regulation expressly requires products to protect the availability of their essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks.
Manufacturers of products exposed to this type of attack should therefore include DoS testing in the regular security tests and reviews that the regulation requires. This makes it possible to check whether the products can withstand such attacks without their essential functions being affected.
In short, the CRA regulation requires manufacturers to place product cybersecurity at the heart of their strategies and to implement a security approach from design throughout the software and hardware lifecycle.
Although it may seem that there is still a long time to go before the CRA regulation is implemented, the fact is that companies that manufacture products with digital elements must already consider the essential cybersecurity requirements when designing, developing and producing their software and hardware.