CYBER RESILIENCE ACT (CRA) COMPLIANCE IN THE UK AND IRELAND
Services to support UK and Irish businesses impacted by the Cyber Resilience Act.
The Cyber Resilience Act (CRA) is new EU cybersecurity legislation designed to make sure that products with digital elements are developed more securely, and ultimately to protect consumers all over Europe. It places obligations on manufacturers of products with digital elements, as well as on others in the supply chain. Bureau Veritas is on hand to support UK and Irish businesses in achieving compliance.
WHAT IS THE CYBER RESILIENCE ACT (CRA)?
The CRA is the first-ever EU-wide legislation of its kind, mandating cybersecurity requirements for both hardware and software products throughout their entire life cycle. Its aim is to improve the cybersecurity of digital products and services sold in the EU.
The CRA applies to products with digital elements (PDEs), which includes software, hardware, and remote data processing solutions. This covers smart or connected household devices, such as smartphones, tablets, PCs, cameras, TVs, fridges and exercise equipment, as well as toys and wearables.
A limited number of product categories including medical devices, automotive vehicles and aviation products are exempt, because security measures are already deemed sufficient.
Under the legislation, PDEs are categorised by risk. Those without critical cybersecurity risks are in the 'default' category and can be self-assessed by their manufacturer. Class I and Class II products with 'critical' PDEs are subject to more stringent requirements and can require third-party conformity assessments.
The legislation comes into force in 2024 and impacted companies will be required to ensure compliance for their products by 2027.
WHICH UK AND IRISH COMPANIES ARE IMPACTED BY THE CRA?
The CRA applies to manufacturers (or their authorised representatives) of products with PDEs made available for sale in the EU, importers selling in the EU market, and distributors, such as retailers.
Any company that intends to sell products with PDEs on the EU market (including Ireland), whether directly or through a distributor, will therefore need to ensure that their products comply with the CRA's requirements. This includes our customers based in the UK and Ireland, if products are intended for sale in the EU.
WHAT ARE THE CRA REQUIREMENTS FOR MANUFACTURERS?
The CRA imposes a large number of obligations, many of which apply to product manufacturers. UK and Irish businesses selling products with PDEs on the EU market will be required to ensure products are designed, developed, and produced to ensure an appropriate level of cybersecurity based on the risks. This is referred to as a 'security by design' approach.
Other key requirements cover vulnerability handling and incident response. PDEs must also be delivered without any known exploitable vulnerabilities, provided with security support for a period of five years and, when technically feasible, security updates should be applied automatically.
In addition, manufacturers must ensure that within 24 hours of becoming aware of an actively exploited vulnerability in a PDE or an incident having an impact on the PDE's security, the EU Agency for Cybersecurity (ENISA) is notified and users are informed about corrective measures to mitigate any impact.
EU importers and distributors, which includes our customers in Ireland, are also liable if they do not take steps to ensure that products are compliant and that the PDE's manufacturer has compliant vulnerability handling processes in place.
OUR SERVICES FOR CRA COMPLIANCE
- CRA Presentation
  Gain a thorough understanding of the CRA and its impact on your organisation with a presentation delivered by one of our specialists. We can explain the different conformity assessments and which rules apply to your particular product(s).
- Gap assessment and certification support
  Using our extensive experience in gap assessments and certification for IEC 62443, ISO 27001/2 and other applicable standards, we can help determine which measures you need to implement to reach CRA compliance. Bureau Veritas is a recognised Common Criteria laboratory, supporting clients with consultancy and certification.
- CRA implementation support
  Once we have identified potential gaps between your current security measures and the requirements of the CRA, we can provide consultancy services to close them and help you become CRA compliant.