SGS on why the European Union's Cyber Resilience Act Matters

Published 2025-04-11 on europesays.com (UK edition): https://www.europesays.com/uk/10381/

Adopted in 2024, the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is a key step in strengthening the European Union's cybersecurity framework. It mandates cybersecurity requirements for hardware and software products to enhance resilience, reduce vulnerabilities and protect consumers from increasing cyber threats. Manufacturers must understand the Act's broader impact on product design, security processes and market access as they prepare to meet these new requirements.

In an increasingly connected world, digital trust is vital. The CRA plays a crucial role in strengthening cybersecurity for European businesses and consumers by addressing vulnerabilities in digital products that expose users to cyberattacks. It offers a structured approach to enhancing cyber resilience, which is essential as cyber threats continue to evolve. By establishing clear cybersecurity requirements, the CRA ensures that both hardware and software products are resilient against malicious attacks. It applies to "products with digital elements" placed on the EU market: hardware and software whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network, together with the remote data processing solutions such products depend on to function. Products already covered by sector-specific security rules, such as medical devices and motor vehicles, are excluded. Products that meet the regulation's requirements for their risk level will display the CE mark, signalling compliance and a commitment to cybersecurity.

The core principles of cyber resilience focus on:

- Risk mitigation – minimizing vulnerabilities in digital products from the design stage onward
- Incident recovery and response – ensuring effective strategies are in place to respond to and recover from cyber incidents
- Business continuity – maintaining operational stability despite security incidents

The CRA affects a wide range of economic operators within the European market, including manufacturers, software developers, distributors, importers and resellers involved in the supply of new or updated digital products. Unlike the Network and Information Security 2 (NIS2) Directive and the Digital Operational Resilience Act (DORA), which regulate entities, the CRA regulates the security of products. This marks a fundamental change in cybersecurity governance in Europe.

Historically, cybersecurity regulation has primarily targeted industries handling sensitive data, such as financial institutions. However, as connected devices – from smart refrigerators and smartwatches to baby monitors – become more prevalent, they are increasingly targeted by attackers. The CRA addresses this gap by requiring all products with digital elements, regardless of their function or market, to meet defined security requirements.

Building trust with certification

Under the CRA, manufacturers must demonstrate through a conformity assessment that a product meets the essential requirements before it can be placed on the EU market. For most products this is a self-assessment against the requirements; the higher-risk classes described below need a third-party assessment by a notified body or certification under a European cybersecurity certification scheme. Demonstrated conformity not only ensures compliance but also serves as a differentiator in the marketplace. As consumers become increasingly aware of cybersecurity risks, digital trust will be a significant factor in their purchasing decisions. Certification therefore becomes not just a regulatory requirement but a competitive advantage, offering assurance that a product is resilient to cyber threats.

By strengthening the cybersecurity of products with digital elements, the CRA contributes to a more secure and resilient digital ecosystem in Europe, positioning it to better handle emerging cyber threats.

Product categories and classification

One of the key elements of the CRA is its classification of digital products into four categories based on their cybersecurity risk level: Default, Important Products Class I, Important Products Class II and Critical Products. The classification determines the conformity assessment route, the level of security measures and the regulatory scrutiny a product must undergo before entering the European market. The higher the risk, the more rigorous the compliance process.

- Default: most products (around 90% by the Commission's estimate). EU Declaration of Conformity based on the manufacturer's own assessment (internal control).
- Important Products Class I: products such as browsers, password managers, VPNs, routers, operating systems and smart home security devices (Annex III, Class I). Self-assessment is possible only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise a third-party assessment is required.
- Important Products Class II: higher-risk products such as hypervisors and container runtimes, firewalls and intrusion detection or prevention systems, and tamper-resistant microprocessors and microcontrollers (Annex III, Class II). Always requires a third-party conformity assessment.
- Critical Products: devices with the highest security risk, such as hardware security modules (security boxes), smart meter gateways and smartcards or similar devices including secure elements (Annex IV). The Commission may, by delegated act, require these to hold a certificate under a European cybersecurity certification scheme such as the European Common Criteria scheme (EUCC) at assurance level "substantial" or higher; until then they follow the Class II route.

Understanding these classifications and their associated compliance requirements is critical for manufacturers in determining the level of cybersecurity protection needed to meet the CRA's requirements.

Timeline for CRA implementation

- 2024 – approved by the European Parliament, adopted by the Council of the EU, published in the Official Journal of the EU (OJEU) and entered into force on December 10, 2024
- September 11, 2026 – mandatory reporting obligations begin. Manufacturers must report actively exploited vulnerabilities and severe incidents via the single reporting platform to their designated CSIRT and to the European Union Agency for Cybersecurity (ENISA): an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities (one month for incidents). Users must also be informed and security updates delivered without undue delay.
- December 11, 2027 – full application of the CRA requirements

Achieving compliance

The essential requirements of the CRA (Annex I) fall into two groups:

1. Thirteen product cybersecurity requirements (Annex I, Part I) – cover the level of security and the intrinsic characteristics of the product, such as secure-by-default configuration, access control, protection of data confidentiality and integrity, attack surface reduction and the ability to receive security updates
2. Eight vulnerability handling requirements (Annex I, Part II) – cover the measures and processes the manufacturer must operate, such as maintaining a software bill of materials, a coordinated vulnerability disclosure policy, regular testing and timely distribution of fixes

These requirements are the core of the CRA, and their implementation will determine whether a product is considered compliant or not.

The European standardization organizations – the European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC) and the European Telecommunications Standards Institute (ETSI, https://www.etsi.org/) – have been tasked with developing new series of harmonised standards that fully cover the essential requirements of the CRA. Many of these new standards build on existing cybersecurity frameworks such as the Security Evaluation Standard for IoT Platforms (SESIP), ETSI EN 303 645 (consumer IoT baseline), IEC 62443 (industrial automation and control systems) and the EN 18031 series (radio equipment). Manufacturers already compliant with these standards will find it easier to align with the CRA's requirements. However, these existing standards do not cover all of the CRA's essential requirements, in particular the vulnerability handling and reporting obligations, so a gap remains that manufacturers still need to address.

Brightsight solution

Brightsight (an SGS company) provides support for businesses navigating the CRA's requirements. Its experts assist with gap analysis, evaluating existing cybersecurity practices and providing the guidance needed to achieve certification efficiently. From training workshops and technical documentation reviews to conformance testing and final certification, Brightsight aims to ensure that businesses are equipped to meet international market standards and maintain long-term compliance.