In March 2024, the European Parliament overwhelmingly approved the EU Cyber Resilience Act, or CRA, which will now be formally adopted with the goal of improving the cybersecurity of digital products. It sets out to do this by establishing essential requirements for manufacturers to ensure their products reach the market with fewer vulnerabilities.
Most of its provisions will likely become enforceable in 2027, which means now is the time to start preparing. So let's take a quick look at this sweeping cybersecurity regulation.
The CRA applies to any software or hardware product and its remote data processing solutions, as well as products with digital elements whose intended use includes a logical or physical data connection to a device or network. Essentially, it requires anyone publishing software to provide a minimum level of cybersecurity protection and reporting. There are exceptions for products already covered by legislation specific to certain industries, including medical devices, vehicles, and the military.
The CRA seeks to strengthen the detection of, and response to, cybersecurity incidents by:
Raising the overall level of cybersecurity across the EU;
Requiring all software components to obtain the CE mark, making it a badge of cybersecurity assurance; and
Holding organizations liable if found to be non-compliant.
The European Commission issued eight annexes to supplement the CRA, and these supplemental elements provide some insight into how the CRA wants organizations to go about increasing cybersecurity. For example, Annex 1 outlines the Essential Requirements a product must meet before it can be introduced into the market. These are divided into Information Security and Vulnerability Management, and manufacturers will have to produce documentation demonstrating that their products meet them.
There are also Reporting Requirements that make it mandatory for software publishers to disclose vulnerabilities within 24 hours of discovery to the European Cybersecurity Agency (ENISA) and to the national Computer Security Incident Response Team (CSIRT). An update is required within 72 hours with a full report that includes the nature of the exploit, any corrective actions that are being taken, and the sensitivity of the information at risk.
Finally, within two weeks a final report has to be submitted that includes the following:
A description of the vulnerability, including its severity and impact;
Where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; and
Details about the security update or other corrective measures that have been made available to remedy the vulnerability.
These requirements put software supply chain management at the forefront of the CRA and underscore the importance of software bills of materials (SBOMs) in hardening the EU's cybersecurity posture. Products will be presumed to be compliant, but if they are discovered not to be, sanctions will apply, including fines of up to €15 million or 2.5% of a company's global annual turnover, whichever is higher.
The Sonatype platform can help developers gather and report on compliance information, identify vulnerabilities, and meet the reporting requirements of the CRA. In particular, Sonatype SBOM Manager is built with compliance workflows in mind and makes it possible for organizations to meet any regulatory compliance requirements.
For a detailed look at how the Sonatype platform delivers CRA compliance, download our CRA User's Guide to Compliance.