The EU’s Cyber Resilience Act (CRA) is on the brink of adoption as the European Parliament and EU Council reached a political agreement. Proposed in September 2022, the CRA imposes security requirements for IoT device manufacturers, marking a sector-agnostic legislative approach. Notably, it mandates manufacturers to report cyber incidents and unpatched vulnerabilities, a pioneering move in transversal law. The legislation necessitates a risk assessment by manufacturers, five-year product support, and a compliance self-assessment. Critical products require security audits.
The agreement, pending formal approval, sets a 36-month adaptation period for affected entities, reinforcing the EU’s digital product security. The Cyber Resilience Act (CRA), proposed by the EU Commission in September 2022, has advanced as the European Parliament and EU Council reached a political agreement. This legislation, unique in its sector-agnostic approach, focuses on bolstering the security of digital products, particularly IoT devices. A key provision mandates manufacturers to report significant cyber incidents and unpatched vulnerabilities, setting a precedent in the regulatory landscape. Manufacturers must conduct a risk assessment and provide at least five years of support for their products. Notably, the CRA introduces a self-assessment option for compliance, with security audits required for critical products. Once adopted, organizations affected by the CRA will have a 36-month adaptation period. The EU Council and Parliament have reached a political agreement on the Cyber Resilience Act (CRA), a groundbreaking legislation proposed in September 2022.
The CRA, designed to enhance the security of digital products, introduces security requirements for manufacturers of connected devices, including IoT devices. A significant aspect of the legislation is the mandate for manufacturers to report serious cyber incidents and actively exploited vulnerabilities. This marks the first instance of such a requirement in a sector-agnostic law. The legislation requires manufacturers to conduct risk assessments, offer a minimum of five years of support, and self-assess compliance, with security audits for critical products. The agreement awaits formal approval and, upon adoption, will initiate a 36-month adaptation period for affected organizations.
The EU’s Cyber Resilience Act (CRA) is poised for adoption, with the European Parliament and EU Council reaching a political agreement. Initially proposed by the EU Commission in September 2022, the CRA targets the security of digital products, introducing sector-agnostic security requirements for connected device manufacturers. Notably, the legislation mandates reporting of serious cyber incidents and unpatched vulnerabilities, a pioneering move in the regulatory landscape. Manufacturers are required to conduct risk assessments, provide a minimum of five years of support, and undergo security audits for critical products. The agreement is pending formal approval, with a 36-month adaptation period envisaged for organizations affected by the CRA.
Reference: