Cyber Resilience Act makes security by design a must

The Cyber Resilience Act (CRA) is intended to define and introduce, for the first time, binding cybersecurity requirements for hardware and software products throughout the EU. This will make security by design mandatory.

Complementing the NIS-2 directive, which regulates information security on the operator side, the CRA is intended to extend security to digital products and services themselves. In this context, the EU Commission is pursuing four main objectives:

  • Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole lifecycle.

  • Ensure a coherent cybersecurity framework that makes it easier for hardware and software manufacturers to comply.

  • Increase transparency of security features of products with digital elements.

  • Empower businesses and consumers so they can safely use products with digital elements.

To achieve these goals, the CRA defines a set of security and support requirements for manufacturers of digital products. The requirements are designed to ensure security, confidentiality and integrity during use, along the entire product lifecycle. To this end, the EU Commission relies on best practices such as encryption, data minimization and preventive protection against attacks. In addition, there are provisions that regulate the reporting and remediation of vulnerabilities and define the scope and currency of documentation and operating instructions.

Detailed information on the scope of the CRA, with an overview of the affected product types as well as information on security requirements, support requirements, sanctions for violations and the expected timeline, can be found in the Myra Fact Sheet Cyber Resilience Act (German only).