23 January 2025
According to the results of a recent study, every smart TV, smart socket and Internet router is attacked by hackers ten times a day. And the volume of connected hardware and software is growing apace. It was to make these more resilient to cyberattacks that the EU passed the Cyber Resilience Act (CRA) in October 2024. Jacques Kruse Brandao from TÜVIT explains which devices and which software the CRA covers, and how it is intended to enhance their security.
Mr. Kruse Brandao, what is the Cyber Resilience Act, and what are its benefits?
Jacques Kruse Brandao: The Cyber Resilience Act (CRA) breaks new ground by establishing mandatory cybersecurity requirements for virtually all connected devices and software on the market in the EU: from apps and online games to internet browsers, smart home devices and the security chips in our bank cards. The CRA also holds retailers and importers to account alongside the manufacturers of these digital products. It therefore complements other EU regulations on cybersecurity, such as the new NIS 2 Directive, which imposes stricter IT security requirements on operators of critical infrastructures.
And what specific requirements does the CRA place on IT security?
In the future, all digital products covered by the CRA will be developed according to the principles of security by design and privacy by design. This means that IT security and data protection must be fully taken into account as early as the development process. And the connected devices will have to be supplied to users in line with the principle of security by default. They will therefore have to be configured in such a way that they can be operated safely straight away. This will mean, for example, that security updates will have to be installed automatically to eliminate the risk that they may be forgotten. And secure passwords will have to be set up by the manufacturer, or devices configured so that they no longer even allow users the option of setting insecure and hacker-friendly passwords such as “12345”. Manufacturers will have to ensure that their IT products don’t contain any known security vulnerabilities at the point of market launch.
And what will happen if security vulnerabilities are discovered or other cyberattacks occur?
In such cases, manufacturers will have to inform the users and report the incidents to the European Cybersecurity Agency (ENISA) within 24 hours. They will also be obliged to effectively remedy any security vulnerabilities that may arise over five years and provide their hardware and software products with security updates for at least five years.
The CRA divides connected devices into different groups. What are they?
The first group is made up of “non-critical products”, which include, for example, hard drives, smartphone apps and PC games. According to estimates, around 90 percent of hardware and software fall within this category. The second group covers “important products”, which include security features, where a distinction is made between two classes: Class 1 includes internet browsers, password managers and antivirus software as well as smart home devices, smartwatches and connected toys. Class 2 includes firewalls for companies, for example. The last and smallest group concerns “critical products” that include the security chips in our bank and credit cards and smart meter gateways, which guarantee the secure communication of smart electricity meters with grid operators and electricity providers.
Image caption: Networked devices are attacked by hackers on a daily basis. The Cyber Resilience Act (CRA) is intended to make smart TVs, routers etc. more secure. (© Adobe Stock)
Image caption: The CRA divides networked devices into different groups. Bank and credit cards, for example, belong to the "critical products". (© Adobe Stock)
What are the requirements for each group?
The requirements are the same in principle for the devices in all the groups. However, the criteria according to which manufacturers must prove whether they meet the requirements differ: while self-declaration by the manufacturer is sufficient for non-critical products, important Class 1 products must either meet harmonised EU standards, which are currently still being defined, or be tested by independent third parties such as TÜVIT. For important Class 2 products, this kind of external test is mandatory. Critical products such as chips for bank cards and ID cards have to go through a strict certification process, which, as it happens, is already mandatory in Germany.
When will the CRA come into effect, and what challenges does it pose for companies?
The CRA actually came into force on 11 December 2024. To enable manufacturers to adapt to the new requirements, appropriate transitional periods have been agreed: from 11 September 2026, they will have to report security vulnerabilities that have been exploited and other cyberattacks. From 11 December 2027, all CRA requirements will apply. Manufacturers who have not yet got to grips with cybersecurity at all or have made little progress in that regard should therefore start as soon as possible to convert their development processes to security by design and privacy by design and use appropriate analysis tools, for example, to systematically examine their own software for security vulnerabilities. This is because the supervisory authorities will check whether the requirements of the CRA have been complied with. And violations can result in severe penalties of up to 15 million euros or 2.5 percent of global annual turnover.
Jacques Kruse Brandao is the Global Head of Advocacy at TÜVIT. The graduate engineer has been working in the field of identification methods and cybersecurity for 20 years and often operates as a “translator” between the technical and regulatory sides of IT security.