TÜV Rheinland on Cyber Resilience Act: Requirements now clearer

Cologne | 23 April, 2024

What is required of companies under the Cyber Resilience Act? The EU Agency for Cybersecurity is now clarifying important questions. Photo: TÜV Rheinland

Cyber Resilience Act (CRA): EU Cybersecurity Agency clarifies important questions on the application of standards / Ongoing cybersecurity risk assessment for networked products required in future / Early preparation possible and important for companies / www.tuv.com

A new publication from the European Union Agency for Cybersecurity (ENISA) provides more clarity on basic cybersecurity requirements and the standards that can be applied under the Cyber Resilience Act. “The new paper provides insights into the standardization process under the Cyber Resilience Act for the first time. ENISA provides a helpful overview of the proposed requirements and their implementation in harmonized standards,” explains Felix Brombach, cybersecurity expert at TÜV Rheinland.

“Security by design” required

The background to this is the Cyber Resilience Act (CRA), which the EU Parliament passed in March 2024. The aim of the CRA is to improve the cybersecurity of products that can be connected to each other or to the internet. This applies to products for end consumers as well as, for example, to products that companies use in their production. The CRA incorporates the principle of “security by design” into European technology law for the first time. In future, it will no longer be sufficient to ensure CRA compliance for a product with digital elements only at the time of market entry; an ongoing assessment of the risk will be necessary.

The Cyber Resilience Act is relevant for all companies that manufacture such products or use them in their production. Until now, however, companies have lacked much of the information on the basic requirements of the CRA that they need in order to start preparing for it today. “The paper and the 'guard rails' described in it now make it possible to analyze whether your own digitally networked products are likely to already meet the standards required by the CRA. The first possible adjustments to your own production and development processes are now also becoming tangible,” says cybersecurity expert Brombach.

Recognizing gaps in good time

According to the cybersecurity experts at TÜV Rheinland, companies should address the internationally recognized standards set out in the paper as soon as possible and secure their products accordingly. “Companies can already achieve a level of security today that corresponds to the CRA – or identify gaps in good time,” continues Brombach. The CRA is due to come into force within 24 months of its adoption by the European Council. As the CRA is a regulation, it applies directly in all European member states; a national transposition act is not required.

The ENISA paper can be found at: Cyber Resilience Act Requirements Standards Mapping - ENISA.

Your contact for editorial inquiries:

TÜV Rheinland Press Office

Do you have any questions on this topic or need further information?
Please do not hesitate to contact us:
Phone: +49 221 806-2148