Cyber Security

CYBER RESILIENCE ACT (CRA) COMPLIANCE IN THE UK AND IRELAND

Services to support UK and Irish businesses impacted by the Cyber Resilience Act. 

The Cyber Resilience Act (CRA) is new EU cybersecurity legislation designed to ensure that products with digital elements are developed more securely and, ultimately, to protect consumers across Europe. It places obligations on manufacturers of products with digital elements, as well as on others in the supply chain. Bureau Veritas is on hand to support UK and Irish businesses in achieving compliance.

Ask us about the Cyber Resilience Act

WHAT IS THE CYBER RESILIENCE ACT (CRA)?

The CRA is the first-ever EU-wide legislation of its kind, mandating cybersecurity requirements for both hardware and software products throughout their entire life cycle. Its aim is to improve the cybersecurity of digital products and services sold in the EU.

The CRA applies to products with digital elements (PDEs), which includes software, hardware, and remote data processing solutions. This covers smart or connected household devices, such as smartphones, tablets, PCs, cameras, TVs, fridges and exercise equipment, as well as toys and wearables.

A limited number of product categories, including medical devices, automotive vehicles and aviation products, are exempt because their existing security requirements are already deemed sufficient.

Under the legislation, PDEs are categorised by risk. Those without critical cybersecurity risks fall into the 'default' category and can be self-assessed by their manufacturer. Class I and Class II 'critical' PDEs are subject to more stringent requirements and may require third-party conformity assessment.

The legislation comes into force in 2024, and affected companies will be required to ensure their products comply by 2027.

WHICH UK AND IRISH COMPANIES ARE IMPACTED BY THE CRA?

The CRA applies to manufacturers (or their authorised representatives) of PDEs made available for sale in the EU, to importers selling into the EU market, and to distributors such as retailers.

Any company that intends to sell PDEs on the EU market (including Ireland), whether directly or through a distributor, will therefore need to ensure that its products comply with the CRA's requirements. This includes our customers based in the UK and Ireland where products are intended for sale in the EU.

WHAT ARE THE CRA REQUIREMENTS FOR MANUFACTURERS?

The CRA imposes a large number of obligations, many of which apply to product manufacturers. UK and Irish businesses selling PDEs on the EU market will be required to ensure that their products are designed, developed and produced with a level of cybersecurity appropriate to the risks. This is referred to as a 'security by design' approach.

Other key requirements cover vulnerability handling and incident response. PDEs must be delivered without any known exploitable vulnerabilities, must be provided with security support for a period of five years and, where technically feasible, must apply security updates automatically.

In addition, manufacturers must notify the EU Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of an actively exploited vulnerability in a PDE, or of an incident affecting the PDE's security, and must inform users of corrective measures to mitigate any impact.

EU importers and distributors, which includes our customers in Ireland, are also liable if they do not take steps to ensure that products are compliant and that the PDE's manufacturer has compliant vulnerability handling processes in place.

OUR SERVICES FOR CRA COMPLIANCE

  • CRA Presentation

    Gain a thorough understanding of the CRA and its impact on your organisation with a presentation delivered by a member of our specialist team. We can explain the different conformity assessments and which rules apply to your particular product(s).

  • Gap assessment and certification support

    Using our extensive experience in gap assessments and certification for IEC 62443, ISO 27001/2 and other applicable standards, we can help determine which measures you need to implement to reach CRA compliance. Bureau Veritas is a recognised Common Criteria laboratory, supporting clients with consultancy and certification.

  • CRA implementation support

    Once we have identified potential gaps between your current security measures and the requirements of the CRA, we can provide consultancy services to solve them and help you become CRA compliant.
