
Cyber Resilience Act: digital resilience in Europe 

Security updates, along with the Cyber Resilience Act and the NIS2 framework, strengthen the digital ecosystem, protecting critical infrastructure and promoting innovation. The CRA highlights the importance of a proactive approach to ensuring high security standards against cyber threats.

Security obligations for digital products

Table of contents

  • Cyber Resilience Act: what it is and why it matters 
  • Obligations for manufacturers and digital services 
  • The importance of security updates 
  • Part of a global strategy

With the approval of the Cyber Resilience Act, the European Union is committed to strengthening the cyber security of hardware and software products. 

This new regulation, also known as the CRA, which came into effect in Italy on December 11, 2024, defines mandatory security requirements for products with digital elements. Its goal is to protect consumers and businesses from growing cyber threats.

But what exactly is the Cyber Resilience Act in Italy, and how will it change the cyber security landscape? 


Cyber Resilience Act: what it is and why it matters 

The Cyber Resilience Act is a European regulation designed to improve vulnerability management in connected digital products. This regulation mandates adopting the security by design principle, meaning products must be secure from the start. 

The law requires manufacturers to ensure product security throughout the lifecycle by providing timely security updates and tools to counter potential cyberattacks.

Obligations for manufacturers and digital services 

The Cyber Resilience Act imposes a series of specific obligations on manufacturers and digital service providers to ensure that hardware and software products remain secure throughout their use.

This new approach aims to protect consumers and reduce the risk of cyberattacks, which can compromise not only personal data but also critical infrastructure.

Compliance with security standards 

Manufacturers must comply with specific security standards established by the European Union. This means every product must be designed and developed following the security by design principle, with a particular focus on managing vulnerabilities from the earliest development stages. 

CE marking for compliant products 

To be marketed in Europe, products with digital elements must obtain CE marking, certifying compliance with the security requirements defined by the regulation.

The CE marking serves as a guarantee for consumers and businesses, ensuring that the product has undergone rigorous checks and is safe for use.

Mandatory support and updates 

A central element of the Cyber Resilience Act is the requirement for manufacturers to provide security updates for a minimum of 36 months. This is crucial to ensure that connected digital products remain protected against emerging cyber threats over time.

Updates must be delivered promptly and at no additional cost to consumers. 

Transparency and risk communication 

Manufacturers must enhance transparency regarding their products’ security by providing clear information to consumers about potential risks and the measures taken to mitigate them. This includes details about vulnerability management and support policies, enabling users to make informed decisions. 

Accountability for non-compliance 

The new regulation includes significant consequences for non-compliance. Non-compliant products will not be allowed to enter the European market, and manufacturers risk penalties if they fail to adhere to security standards.

Impact on digital services

Digital services connected to products with digital elements are also subject to the Cyber Resilience Act. This means that providers of platforms or software interacting with these products must ensure an adequate level of security, contributing to the protection of the entire digital ecosystem.


The importance of security updates 

Security updates are a cornerstone of the Cyber Resilience Act, ensuring that connected digital products remain protected against emerging cyber threats.

In an ever-evolving digital landscape, where cyberattacks are becoming more sophisticated, ensuring that devices and systems are consistently updated is essential for safeguarding users, businesses, and infrastructure. 

A product lifecycle approach

The Cyber Resilience Act stipulates that manufacturers must provide security updates for at least 36 months from the date the products are marketed. This obligation reflects a lifecycle approach, recognizing that cyber threats do not end after a device or software release but continue to evolve.

Updates not only fix vulnerabilities identified over time but also help keep products compliant with the security standards required by the European Union.

Protection against emerging threats 

Cyber threats are constantly changing, and new attack techniques can make even the most advanced systems vulnerable. Security updates enable rapid action to close any gaps and ensure that products continue to operate safely, protecting users’ personal and business data.

Manufacturer responsibilities 

A key principle of the Cyber Resilience Act is the responsibility manufacturers must assume in keeping their products secure even after the sale. This means manufacturers must: 

  • Constantly monitor vulnerabilities in their products;
  • Release timely and easy-to-install security updates;
  • Clearly inform users about risks and the importance of updates. 

Benefits for consumers and businesses 

For consumers, regular updates ensure safe usage, minimizing the likelihood of falling victim to cyberattacks. For businesses, these updates are crucial for protecting sensitive data and ensuring operational continuity. 

Furthermore, the new regulation obligates manufacturers to provide updates at no additional cost, removing a common barrier that often discourages users from installing necessary patches. 

Part of a global strategy 

Security updates not only protect individual devices but also form part of a broader strategy to strengthen the entire digital ecosystem. Combined with other measures, such as security by design and proactive vulnerability management, they contribute to building a more resilient and secure network of devices and services. 

In conclusion, the Cyber Resilience Act’s focus on security updates underscores the importance of proactive defense against cyber threats.

Only through constant attention and responsible vulnerability management can hardware and software products continue to meet the security standards demanded by the digital era. 

The CRA and the NIS2 framework 

The Cyber Resilience Act is a fundamental component of the European cyber security plan, aligned with the NIS2 regulatory framework. Both aim to create a secure and resilient digital environment, protecting critical infrastructure and promoting the development of innovative technologies. 

Questions and answers

  1. What is the Cyber Resilience Act?
     It is an EU regulation introducing security obligations for digital products with connected elements.
  2. Who does the CRA apply to?
     It applies to all hardware and software products sold within the European Union.
  3. When will the CRA take effect?
     The regulation will be fully operational from December 11, 2027.
  4. What are the security requirements?
     Ensuring vulnerability management and providing security updates for at least 36 months.
  5. How does it protect consumers?
     By reducing the risk of cyberattacks and improving transparency regarding product security.
  6. What does security by design mean?
     Designing products to be secure from the initial development stage.
  7. What is the role of manufacturers?
     Manufacturers must provide ongoing support and adhere to European security standards.
  8. Is the Cyber Resilience Act connected to NIS2?
     Yes, it complements the NIS2 framework to strengthen European digital security.
  9. What happens to non-compliant products?
     They cannot be sold in the European Union unless they meet the new regulation's requirements.