SME Survey on the ´´Cyber Resilience Act´´: cybersecurity requirements for manufacturers of connected devices

The European Commission has published a proposal for the Cyber Resilience Act (CRA), which will set out new cybersecurity requirements for connected devices.  The proposal will now be debated in the European Parliament and this presents an opportunity for SMEs to inform policymakers of the impact that the Act will have on their business.

The Cyber Resilience Act is a horizontal legislation for cybersecurity products, applicable to all sectors within the Single Market. The Act covers “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately”.

This means that tangible digital products, such as connected devices (i.e smart devices), and non-tangible digital products, such as software products that are embedded into connected devices will all fall under the scope of the Act. Non-embedded software, such as apps, or Software-as-a-service, are outside the scope of the legislation.

When placing a product on the market, companies will need to declare that it meets the cybersecurity requirements set out in the Act, and if it is in a higher risk category, potentially undertake a third party assessment (see below).

Based upon an initial risk assessment, the European Commission has categorised products by their risk profile, which entail differing forms of compliance:

  • Unclassifed or default are products without critical cybersecurity vulnerabilities. According to the Commission, this category will cover 90 percent of connected devices. Products in this category will have to undergo self-assessment for compliance.
  • Class 1 Critical Products must adhere to standard or be subject to a third-party assessment of their compliance.
  • Class 2 Critical Products have to prove compliance to the requirements via a third party assessment.

Further to this, companies must notify ENISA (the European Union Agency for Cybersecurity) of the discovery of any exploited vulnerability within a 24-hour window.

Companies are also mandated to guarantee support for the product for 5 years after it is placed on the market, or for the expected lifetime of the product (whichever is shorter), and they shall ensure that the vulnerability of the product are handled in compliance to the requirements set forth by this regulation. On top of this, companies must keep the technical documentation of the product at disposal of the market surveillance authorities, for a period of 10 years after the product was placed on the market.

Please findbelow a summary of the new requirements below and read the full Regulation and the Annex. In addition, please find also below a survey on the CRA. We would like to encourage you to provide your answers to the survey to assess the CRA impact on your company.


Manufacturers must do the following to comply with the essential vulnerability requirements:

  • Document vulnerabilities and components of a product
  • Address and remediate vulnerabilities without delay
  • Have regular tests and reviews of their products’ security
  • Publicly disclose information about what vulnerabilities they fix
  • Create and enforce coordinated vulnerability disclosure policies
  • Facilitate information sharing about the vulnerabilities and provide a contact for said reporting
  • Provide mechanisms to distribute updates that minimize exploitable vulnerabilities securely
  • Disseminate security patches without delay and free of charge while providing users with a digestible explanation of what the patch is for

Connected devices and/or the manufacturers of connected devices must:

  • Be designed, developed, and produced with an appropriate level of cybersecurity
  • Be delivered without known exploitable vulnerabilities
  • Be provided with a secure-by-default configuration
  • Protect against unauthorized access through tools like authentication and identity management
  • Protect the confidentiality of data by processing and potentially encrypting relevant data
  • Protect the integrity of stored, transmitted, or processed data
  • Minimize the collection of data to only process what is adequate and relevant for intended use
  • Mitigate denial of essential functions or services
  • Reduce the lack of availability of services provided by other devices
  • Limit attack surfaces
  • Reduce the exploitative effects and impact of a cybersecurity incident
  • Record or monitor relevant security-related information
  • Address future vulnerabilities through security updates, preferably automatic ones that notify users

If you would like to share how the Cyber Resilience Act will impact your company, you can complete our survey, below:

Contact Us