Cyber Resilience Act: the EU strikes a deal on security requirements for digital products

  • On 30 November, the Council Presidency and the European Parliament´s negotiators have reached a provisional agreement on the Cyber Resilience Act (CRA)

  • DIGITAL SME welcomes the agreement on the risk-tailored legislation, with around 10% of digital products covered by third-party assessment, including measures to support compliance in SMEs

  • By mandating security updates on a minimum product’s lifetime of five years, the new law will have a positive impact on companies focused on sustainability, including service providers in the after-sales market

First proposed by the European Commission in September 2022, the Cyber Resilience Act (CRA) addresses increasing cyber threats by mandating all EU-market products with digital elements to meet cybersecurity criteria.

DIGITAL SME’s recent report flagged a 57% surge in cyberattacks in Europe. Thus, supporting the cybersecurity of SMEs is critical and should be pursued by following a proportionate approach that balances necessary security requirements against allowing companies space to foster and secure Europe-led innovation.

As a result the provisional agreement, the new regulation maintains a risk-based approach: it is estimated that less than 10% of products with digital elements will be subject to third-party conformity assessment.

Also, the CRA agreement provides for adequate guidance and support for SMEs´ implementation of the new requirements. This includes specific SMEs awareness-raising and training activities, as well as support for testing and conformity assessment. EU institutions shall indeed provide SME-tailored guidance for the development of secure digital products. Example of the guidance needed by SMEs include materials created by DIGITAL SME and Small Business Standards (SBS) to support SMEs in implementing relevant cybersecurity standards[1] [2].

The CRA will be implemented through standards that will detail the requirements in technical specifications. DIGITAL SME is committed to maintain its collaboration with Small Business Standards as to ensure that SMEs are sufficiently represented at CEN-CENELEC and ETSI in the  development of CRA standards.

Furthermore, aspects related to the sustainability of products with digital elements are to be included in the implementation of the CRA requirements. In this respect, the provisional agreement confirms an obligation to provide security updates by manufacturers for the period of at least five years.

By mandating security updates on a minimum products’ lifetime of five years, the new law will have a positive impact on companies focused on sustainability, including service providers in the after-sales market.

Companies that focus on extended products lifetime, including service providers in the after-sales market, will be rewarded by the CRA requirement that mandates security support for at least five years. Forcing products replacement by shorting the security support duration will become more difficult, thus the CRA is expected to have substantial impacts on consumers habits, as well as on companies’ business models.

All in all, the provisional agreement reached by the EU institutions secures key provisions in the CRA regarding adequate support measures for SMEs and the definition of the product support period during which manufactures shall ensure security updates. DIGITAL SME calls for these key points to be reflected in the upcoming technical meetings that will translate the provisional agreement into the details of the new regulation.



[1] DIGITAL SME Guide on essential security controls for SMEs to protect user’s privacy and data and ensure GDPR compliance (based mainly on ISO 27002) 

[2] DIGITAL SME SME Guide for the implementation of ISO27001 Information Security Management