European flag

FAQ

A collection of frequently asked questions on the Cyber Resilience Act and cyber resilience in general.

The Cyber Resilience Act is a regulation proposed by the European Commission that aims to improve the cybersecurity of IoT devices used in the European Single Market.

Once adopted, this legislation will impose mandatory cybersecurity features on both manufacturers and developers of IoT products. In order to ensure their products’ cyber resilience throughout their lifespan. It will also give more control to users by mandating manufacturers to provide them with free and automatic security updates and information about security risks.

The CRA has not yet been passed, though we expect it to be signed into law in January or February 2024.

Once the Act is signed, it will be published in the European Official Journal of the EU.

Then, it will be another 21 months before the reporting requirements become enforceable and another 15 months before the technical requirements also become enforceable (i.e: 36 months following the entry into force of the Act)

One common approach is to use a software composition analysis (SCA) tool. An SCA tool can generate an SBOM that lists all of the software components in the application, along with their names, versions, and vendors.

Another approach to preparing an SBOM is to manually collect the information about the software components in a product. However, this can be a time-consuming process, but it can be done by reviewing the source code of the product, the installation files, and the documentation.

Cyber resilience encompasses the ability of individuals or organizations to withstand, recover from, and adapt to cyber attacks. In addition, it offers several benefits, including protecting data and systems from unauthorized access or manipulation, reducing financial losses, reputational damage, increasing customer trust and satisfaction.

Cyber resilience is built on five pillars. By implementing those, organizations can strengthen their cyber resilience:

  1. Identification: Understanding an organization’s assets but also its threats and vulnerabilities.
  2. Protection: Implementing security controls.
  3. Detection: Continuously monitoring systems and networks for signs of attacks.
  4. Response: Having a plan for responding to cyberattacks, such as isolating affected systems, containing the damage, and restoring operations.
  5. Recovery: Having a plan for recovering from cyberattacks, such as restoring data, rebuilding systems, and compensating for losses.

ACHIEVING COMPLIANCE

I am an IoT device manufacturer

IoT device manufacturers are first in line when it comes to compliance.

Read our practical guides on what you have to do, how much time you have to comply and what the legal ramifications of non-compliance are.

I am a software company

While free and open-source software, for now,  does not fall under the purview of the Cyber Resilience Act, commercial software that include remote data processing solutions will need to comply with the Act.

Read our practical guides to understand what you need to do.

I import / distribute/ resell

IoT device importers, distributors and resellers have many requirements under the CRA and in some circumstances can even be considered as manufacturers themselves.

Our guides detail these stakeholders’ responsibilities and liabilities.