20.11.2024

Cyber Resilience Act Comes into Force: Digital Products Under Scrutiny

Today, the Cyber Resilience Act (CRA, EU Regulation 2024/2847) was officially published in the Official Journal of the European Union, marking the start of the countdown for the implementation of the cybersecurity legislation. The Cyber Resilience Act sets horizontal cybersecurity requirements for products with digital elements in the EU to address widespread vulnerabilities and inconsistent security updates.

Prof. Norbert Pohlmann, Board Member for IT Security at the eco Association, comments: “With the Cyber Resilience Act (CRA), the EU is taking an important step towards improving cybersecurity in an increasingly networked digital world. The CRA has the potential to position Europe as a cybersecurity pioneer and, in the long term, to set global standards for connected devices, especially with regard to IoT applications. This is not only a win for the security of end-user devices, but also for the overall stability of our digital infrastructures.”

Responsibility for manufacturers

The Cyber Resilience Act is thus the first European regulation to establish a minimum level of cybersecurity for all connected products placed on the EU market. According to Pohlmann, a particularly welcome aspect of the CRA is the clear allocation of responsibilities: “Manufacturers will be held more accountable to meet cybersecurity requirements, not just during development but throughout the entire lifecycle of their products. This approach is a critical step towards sustainably strengthening resilience and trust in digital products.”

“Moreover, the solution found for open-source technologies is a compromise that combines security requirements with the promotion of innovation. Nevertheless, we must continue to critically and constructively monitor its implementation to ensure that open-source projects are not compromised by excessive requirements,” emphasises Pohlmann.

Challenge for small companies

At the same time, the CRA’s detailed structure, particularly its division into four risk categories, is viewed with mixed feelings: “While this differentiation provides more clarity, it could be too complex for smaller companies and other market players. Here it will be important to ensure the manageability of the regulations in practice and to avoid unnecessary bureaucracy,” cautions the IT expert.

“Overall, the CRA is an important milestone for strengthening cybersecurity in Europe. The eco Association will actively work to ensure that the regulation achieves its goals and that practical solutions are developed for all market participants,” Pohlmann concludes.

Prof. Dr. Norbert Pohlmann