The Cyber Resilience Act’s main focus is on companies developing and commercializing non-embedded software.
On the other hand, free and open-source software, as well as pure SaaS software, is not targeted by the CRA, unless, for the latter, it is used to remotely process the data generated by a hardware product retailed in the European market.
Further, software already targeted by other EU legislation (such as medical and civil aviation software) does not need to also comply with the Act for (and only for) requirements already covered by that other legislation.
For software companies targeted by the Act, the legislation aims to strengthen their security features and address vulnerabilities, ensuring software applications are better equipped to withstand cyber threats.
Follow our comprehensive guide to learn more!
Software developers are required to ensure an appropriate level of cybersecurity and compliance with the Cyber Resilience Act. These requirements are the following:
Products with digital elements shall:
(a) be designed, developed and produced in such a way that they enable an appropriate level of cybersecurity based on the risks;
(b) be placed on the market without any known exploitable vulnerabilities;
(c) be placed on the market with a secure-by-default configuration, including the possibility to reset the product to its original state, and including a default setting that security updates are installed automatically according to the requirements in point (aaa) of this section and Annex II (9), with a clear and easy-to-use opt-out mechanism;
(d) where applicable under Annex I, 1(3)(a) of this section, set as a default setting, which can be switched off, that security updates are installed automatically on products with digital elements if not installed within a certain timeframe;
(e) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems;
(f) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms;
(g) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions;
(h) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product (‘minimisation of data’);
(i) protect the availability of essential functions, including resilience against and mitigation of denial-of-service attacks;
(j) minimise their own negative impact, and that of connected devices, on the availability of services provided by other devices or networks;
(k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
(l) provide security-related information by recording and/or monitoring relevant internal activity, including access to or modification of data, services or functions;
(m) enable vulnerabilities to be addressed through security updates, including, where applicable, automatic updates by default with a clear and easy-to-use opt-out mechanism, and, where applicable, notification of available updates to users with the option to temporarily postpone them;
(n) provide the possibility for users to securely and easily remove all data and settings and, where such data can be transferred to other products or systems, ensure this is done in a secure manner.
Software developers are required to maintain certain mandatory documentation in compliance with the Cyber Resilience Act. This documentation includes:
(a) identification and documentation of the vulnerabilities and components contained in the product, including a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product;
(b) the CE marking, affixed visibly, legibly and indelibly to the product with digital elements; where that is not possible or not warranted on account of the nature of the product with digital elements, it shall be affixed to the accompanying documents and, where applicable, to the packaging;
(c) a copy of the EU declaration of conformity;
(d) where applicable, the software bill of materials as defined in Article 3, point (36), further to a reasoned request from a market surveillance authority, provided that it is necessary for that authority to be able to check compliance with the essential requirements set out in Annex I.
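The two SBOM-related duties above (a machine-readable bill of materials covering at least top-level dependencies, and placing the product on the market without known exploitable vulnerabilities) are easiest to satisfy when the SBOM is generated from the dependency manifest and screened automatically before each release. The following is an added example written for this page, not code from the Act, a notified body or any CRA tooling: it parses a constructed pip-style requirements file, emits a CycloneDX-1.5-shaped JSON SBOM (only the fields used here), and checks every component against a constructed advisory list with placeholder identifiers. The package names, versions and advisory IDs are all invented; a real pipeline would query a vulnerability database instead of the inline dictionary.

```python
"""Added example: build a minimal machine-readable SBOM of top-level
dependencies and screen it against a (constructed) advisory list before release."""
import json
import re
from typing import Dict, List

# Constructed sample manifest of the product's direct (top-level) dependencies.
REQUIREMENTS_TXT = """\
# direct dependencies of the product (constructed sample)
requests==2.31.0
example-widget==1.2.3
example-crypto-shim==0.9.0
"""

# Constructed advisory feed with placeholder identifiers (assumption, not real data);
# a real check would query an advisory database such as an OSV or NVD mirror.
KNOWN_VULNERABLE = {
    "EXAMPLE-ADVISORY-001": {"name": "example-widget", "versions": {"1.2.3"}},
}

# Only exact pins are accepted: an SBOM must state the version actually shipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.+\-]+)\s*$")


def parse_requirements(text: str) -> List[Dict[str, str]]:
    """Return name/version records for pinned lines; comments and blanks are skipped.
    An unpinned or unparseable line raises, because a guessed version is worse
    than a build failure for a document meant to prove what was shipped."""
    components = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop trailing comments
        if not stripped:
            continue
        match = PIN_RE.match(stripped)
        if not match:
            raise ValueError(f"unpinned or unparseable requirement: {stripped!r}")
        components.append({"name": match.group(1).lower(), "version": match.group(2)})
    return components


def build_sbom(product: str, product_version: str, components: List[Dict[str, str]]) -> dict:
    """Emit a CycloneDX-1.5-shaped document (subset of fields) with one
    library entry per top-level dependency, identified by a PyPI purl."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": product, "version": product_version}
        },
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                "purl": f"pkg:pypi/{c['name']}@{c['version']}",
            }
            for c in components
        ],
    }


def find_known_vulnerable(sbom: dict, advisories=KNOWN_VULNERABLE) -> List[str]:
    """Return the advisory IDs whose affected name/version matches a component."""
    hits = []
    for adv_id, adv in advisories.items():
        for c in sbom["components"]:
            if c["name"] == adv["name"] and c["version"] in adv["versions"]:
                hits.append(adv_id)
    return sorted(hits)


def release_gate(sbom: dict) -> bool:
    """True only when no component matches a known advisory."""
    return not find_known_vulnerable(sbom)


if __name__ == "__main__":
    bom = build_sbom("example-product", "1.0.0", parse_requirements(REQUIREMENTS_TXT))
    print(json.dumps(bom, indent=2))
    print("release allowed:", release_gate(bom), "matches:", find_known_vulnerable(bom))
```

The gate fails closed: a manifest line without an exact pin aborts SBOM generation rather than producing a bill of materials that cannot be matched against advisories, and any advisory match blocks the release until the dependency is updated or the finding is formally assessed.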
Under the Cyber Resilience Act, software developers have certain reporting obligations. These requirements include:
1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to other Union harmonisation legislation shall remain valid until [42 months after the date of entry into force of this Regulation], unless they expire before that date, or unless otherwise specified in other Union legislation, in which case they shall remain valid as referred to in that Union legislation.
2. Products with digital elements that have been placed on the market before [date of application of this Regulation referred to in Article 57] shall be subject to the requirements of this Regulation only if, from that date, those products are subject to substantial modifications in their design or intended purpose.
3. By way of derogation from paragraph 2, the obligations laid down in Article 11 shall apply to all products with digital elements within the scope of this Regulation that have been placed on the market before [date of application of this Regulation referred to in Article 57].
Economic operators shall, on request and where the information is available, provide to the market surveillance authorities the following information:
(a) name and address of any economic operator to whom they have supplied a product with digital elements;
(b) product with digital elements;
Economic operators shall be able to present the information referred to in paragraph 1 for ten years after they have been supplied with the product with digital elements and for ten years after they have supplied the product with digital elements.