European Cybersecurity Milestone: Adapting to the Cyber Resilience Act (CRA)
In an increasingly interconnected digital environment, the security of products and software with digital components has become essential. Recognising the growing threats posed by cyberattacks, the European Union (EU) has introduced the Cyber Resilience Act (CRA), a legislative framework designed to bolster cybersecurity for businesses and consumers alike.
The CRA signifies a pivotal shift towards a safer and more resilient digital ecosystem across the EU.
Key Objectives of the Cyber Resilience Act (CRA)
The CRA aims to:
- Address cybersecurity inadequacies in digital products and software by establishing stringent requirements throughout their lifecycle, from design and development to maintenance.
- Empower consumers and businesses to make informed choices by ensuring products meet robust cybersecurity standards.
Mandatory Requirements and Scope
The CRA enforces mandatory cybersecurity measures for manufacturers, importers, and distributors of digital products in the EU. These measures include:
- Comprehensive security requirements spanning the entire lifecycle of products.
- Mandatory CE marking for in-scope products with digital elements, signifying that the manufacturer has carried out the required conformity assessment against the Act's essential cybersecurity requirements.
The Act casts a wide net, covering products with digital elements whose intended or reasonably foreseeable use involves a direct or indirect data connection to another device or network. Exclusions include free and open-source software developed or supplied outside a commercial activity, products already governed by sector-specific EU rules (such as medical devices, motor vehicles and civil aviation), and products developed exclusively for national security or defence purposes. This comprehensive scope ensures enhanced cybersecurity across diverse sectors.
Implementation Timeline
The CRA came into force on 10th December 2024, with a transitional period of 36 months. Full compliance will be required by 11th December 2027. Two sets of provisions apply earlier: the rules on notified conformity assessment bodies apply from 11th June 2026, and manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from 11th September 2026. This phased approach provides organisations with adequate time to adapt their processes and meet the new standards.
Implications for Businesses
For businesses, the CRA represents both an opportunity and a responsibility. Organisations that manufacture, import or distribute in-scope products in the EU, as well as those that procure and deploy them, must:
- Ensure compliance with CRA requirements.
- Strengthen procurement and security verification processes across hardware, software, and supporting services.
Manufacturers that integrate third-party or open-source components into their products must exercise due diligence over those components, so that the components do not compromise the security of the product as a whole. This necessitates collaboration with vendors and projects capable of providing compliance support and assurances.
Impact on Open Source and Collaboration
Open source powers a significant portion of IT infrastructure, yet many open-source projects are driven by volunteer communities lacking resources to meet CRA obligations. Industry leaders, including Red Hat, have advocated for provisions to protect these communities from stringent compliance demands. By collaborating with organisations such as the Linux Foundation and Apache Software Foundation, efforts are underway to safeguard the open-source ecosystem while supporting compliance.
A Cornerstone of EU Cybersecurity Strategy
The CRA is a vital component of the EU Cybersecurity Strategy, complementing frameworks like NIS2. By enforcing harmonised rules and setting a clear implementation path, the Act strengthens cyber resilience, building trust and security in digital products and software. The CRA also reflects the EU’s commitment to protecting the digital realm, ensuring safer communication, data integrity, and a secure online economy.
How BDO Malta Can Help
Meeting the requirements of the CRA can be complex. BDO Malta provides specific guidance and practical solutions to help businesses comply with the Act's stringent requirements. Our expertise ensures organisations can enhance their digital defences while maintaining compliance. Partnering with BDO Malta equips businesses to thrive in an increasingly regulated cybersecurity landscape.
As the digital ecosystem changes, the CRA represents a key step towards a secure future. By fostering resilience and compliance, the Act ensures that stakeholders are well-equipped to address emerging cybersecurity challenges while building trust in the digital economy.
Contact us