SGS SA

03/25/2025 | Press release | Distributed by Public on 03/24/2025 10:17

Why the Cyber Resilience Act Matters

Adopted in 2024, the Cyber Resilience Act (CRA) is a key step in strengthening the European Union's cybersecurity framework.1 It mandates cybersecurity requirements for hardware and software products to enhance resilience, reduce vulnerabilities and protect consumers from increasing cyber threats. Manufacturers must understand the Act's broader impact on product design, security protocols, and market access as they prepare to meet these new requirements.

In an increasingly connected world, digital trust is vital. The CRA strengthens cybersecurity for European businesses and consumers by addressing vulnerabilities in digital products that expose users to cyberattacks, and it offers a structured approach to cyber resilience at a time when threats continue to evolve. By setting clear cybersecurity requirements, the CRA obliges manufacturers to design and maintain hardware and software products so that they withstand malicious attacks. It applies to products with digital elements, hardware and software alike, that can be connected directly or indirectly to another device or network, including the remote data processing solutions those products depend on, when they are placed on the EU market. Products that meet the regulation's requirements for their risk category will carry the CE mark, signaling compliance and a commitment to cybersecurity.

The core principles of cyber resilience focus on:

  • Risk mitigation - minimizing vulnerabilities in digital products from the design stage onward
  • Incident recovery and response - ensuring effective strategies are in place to respond to and recover from cyber incidents
  • Business continuity - maintaining operational stability despite security incidents

The CRA impacts a wide range of economic operators within the European market, including manufacturers, software developers, distributors, importers and resellers involved in the supply of new or updated digital products. Unlike the Network and Information Security 2 (NIS2) Directive and Digital Operational Resilience Act (DORA), which relate to entities, the CRA regulates the security of products. This marks a fundamental change in cybersecurity governance in Europe.

Historically, cybersecurity efforts have primarily targeted industries handling sensitive data, such as financial institutions. However, as connected devices - from smart refrigerators and smartwatches to baby monitors - become more prevalent, they are increasingly targeted by cyberattacks. The CRA addresses this gap by requiring connected products, regardless of their function or market segment, to meet the same baseline security requirements.

Building trust with certification

Under the CRA, manufacturers will be required to demonstrate that their products conform to the Act's essential cybersecurity requirements before those products can be placed on the EU market. For most products this takes the form of a self-assessment; higher-risk categories require a third-party conformity assessment or certification. Demonstrated conformity not only ensures compliance but also serves as a key differentiator in the marketplace. As consumers become increasingly aware of cybersecurity risks, digital trust will be a significant factor in their purchasing decisions. Certification, therefore, becomes not just a regulatory requirement but a competitive advantage, offering assurance that a product is resilient to cyber threats.

By strengthening the cybersecurity of products with digital elements, the CRA contributes to a more secure and resilient digital ecosystem in Europe, positioning it to better handle emerging cyber threats.

Product categories and classification

One of the key elements of the CRA is its classification of digital products into four categories based on their cybersecurity risk level - Default, Important Products Class I, Important Products Class II and Critical Products. The essential security requirements apply to every category; what the classification determines is the conformity assessment route the product must follow, and therefore how much independent scrutiny it receives, before entering the European market. The higher the risk, the more rigorous the compliance process.

  • Default: Most products (around 90%). Conformity assessment by internal control (self-assessment), followed by the manufacturer's EU Declaration of Conformity
  • Important Products Class I: Self-assessment is possible only where the manufacturer fully applies harmonized standards (or equivalent common specifications or an EU cybersecurity certification scheme); otherwise a third-party conformity assessment is required
  • Important Products Class II: Higher-risk products such as hypervisors, firewalls and intrusion detection systems. Requires a third-party conformity assessment, or certification under an EU cybersecurity certification scheme
  • Critical Products: Products with the highest security exposure, such as smart meter gateways and smartcards with secure elements. The Commission may mandate certification under a European cybersecurity certification scheme, such as the European Common Criteria-based scheme (EUCC), at a minimum assurance level of 'substantial'; where no such mandate applies, the third-party conformity assessment route is followed