Finite State

Conformity Assessments: Understanding the EU Cyber Resilience Act Requirements

Learn about the EU Cyber Resilience Act's conformity assessments. Discover how IoT manufacturers can ensure compliance based on product risk categories.

Hannah Beazley

December 12, 2024

The EU Cyber Resilience Act (CRA) will revolutionize how IoT manufacturers approach cybersecurity. It introduces mandatory conformity assessments to verify that IoT products comply with its rigorous standards. 

Complying with the CRA begins with understanding how it categorizes digital products and which requirements it imposes on each category. The compliance measures required under the CRA are scaled to the risk level associated with each product category. The CRA defines those categories as follows:

  1. Default (lowest risk category) — 90% of products fall into this category
  2. Important Class I 
  3. Important Class II 
  4. Critical 

This tiered framework ensures that regulatory efforts are appropriately scaled, prioritizing the security of critical and high-risk products without overburdening low-risk categories. Let’s look at the assessment criteria for each of these categories in more detail. 

This is the final installment in our six-part mini-series guiding IoT manufacturers through the intricacies of the EU CRA requirements. Read part five here.

EU CRA Conformity Assessment Requirements

Default Category

Products falling under the default category should use the self-assessment method to demonstrate compliance with the EU CRA. 

To conduct a self-assessment, manufacturers must prepare comprehensive technical documentation that includes: 

  • A general description of the product detailing its intended purpose and functionalities
  • An analysis of potential cybersecurity risks associated with the product
  • A description of the measures implemented to address identified risks and ensure compliance with the CRA’s essential requirements

The self-assessment protocol is explained in CRA Annex VIII.

Low-risk products include 

  • Smart home devices 
  • Printers 
  • Bluetooth speakers
  • Media player software applications

Important Class I

Products that fall under the Important Class I category can use the same self-assessment process as the Default category as long as they can apply one of the following:

  • Harmonized Standard: A European standard established by a recognized European Standards Organisation at the request of the European Commission. These standards enable manufacturers to demonstrate that their products comply with EU legislation. Specific harmonized standards are currently under development for the Cyber Resilience Act (CRA).
  • Common Specification: A practical, detailed set of guidelines issued by the European Commission to outline how a product should meet specific requirements when harmonized standards are unavailable.
  • European Cybersecurity Certification: A framework being developed by ENISA, under the guidance of the European Commission, to certify that products with digital elements fulfill the essential requirements of the CRA.

If none of these schemes apply, manufacturers must undergo assessment by a third-party conformity assessment body.

Important Class I products include 

  • Password managers 
  • Identity management systems
  • Operating systems 
  • Routers and modems intended to connect to the internet, and switches

Important Class II 

Products in this category must be assessed by a third-party conformity assessment body even if they comply with a harmonized standard, a common specification, or the European Cybersecurity Certification scheme.

Important Class II products include 

  • Firewalls
  • Tamper-resistant microprocessors and microcontrollers 
  • Intrusion detection and prevention systems 

Critical 

Products deemed “critical” have the highest risk and, therefore, the strictest compliance process. Any product in this category must complete a European Common Criteria (EUCC) cybersecurity certification assessment conducted by an authorized conformity assessment body. 

Critical products include 

  • Hardware devices with security boxes
  • Smart cards 
  • Smart meter gateways 

Conclusion 

The EU CRA's conformity assessments are a pivotal step in raising cybersecurity standards for IoT devices. By aligning assessment requirements with product risk levels, the CRA strikes a balance between regulatory rigor and practicality. Manufacturers must adapt to these new processes to ensure compliance and maintain market access.

Explore how Finite State’s tools and services can simplify your certification journey, from preparation to audit-ready reporting. Contact us today to learn more or schedule a consultation!

Hannah Beazley

Hannah is Content Marketing Manager at Finite State, where she brings her SaaS startup experience to drive SEO-focused content across blogs, web, email, and social. With a background in copywriting and design, she blends creativity with strategy to grow organic reach and brand engagement.
