EU Cyber Resilience Act (CRA)

Written by Finite State Team | Jul 24, 2024 4:56:33 PM

The European Cyber Resilience Act (CRA), approved by the European Parliament on March 12, 2024, aims to enhance the cybersecurity of products with digital elements sold within the European Union (EU). By introducing measures that extend protection across the whole product lifecycle, the CRA builds on previous initiatives, such as the Network and Information Security (NIS2) Directive, to protect businesses and consumers better.

The EU Cyber Resilience Act Explained

The EU CRA is a legal framework outlining cybersecurity requirements for hardware and software products with digital elements (PDEs) sold in the European Union market. It addresses two significant issues:

  1. The low number of PDEs that currently ship with adequate security measures, including provisions for updating them and for addressing vulnerabilities as they are discovered.
  2. The need for consumers to understand, and have access to, the information that lets them choose cyber-secure products and use them securely.

The act mandates rigorous risk management practices to ensure that all products covered under the CRA are shipped without known vulnerabilities, and it imposes a strict 24-hour reporting timeline for new vulnerabilities.

Examples of products covered under the Cyber Resilience Act include:

  • End devices: Laptops, phones, smart speakers, sensors and cameras, routers, switches, smart robots, industrial control systems.
  • Software: Firmware, applications, operating systems, video games.
  • Components (both hardware and software): Software libraries, computer processing units, video cards.

EU Cyber Resilience Act Requirements

The requirements under the Cyber Resilience Act vary slightly depending on whether the product is deemed "important and critical" or "non-important." The general requirements, however, include:

  • Secure by design: Products must be developed within a secure development lifecycle (SDLC).
  • Vulnerability handling & incident reporting: Manufacturers must have processes for managing vulnerabilities, including regular updates and patches. Any actively exploited vulnerability must be reported to the European Network and Information Security Agency (ENISA) within 24 hours.
  • Self-assessment and third-party evaluation: Depending on the product's risk level, manufacturers may need to conduct self-assessments or undergo third-party evaluations to demonstrate compliance with the security requirements.
  • SBOMs and technical documentation: Manufacturers must prepare and maintain comprehensive technical documentation demonstrating compliance. Additionally, companies must maintain an up-to-date Software Bill of Materials (SBOM) that lists every open-source, third-party, and first-party component and dependency present in the codebase, together with each component's licenses, version history, and patch status.
  • User instructions: Users must be provided with clear and understandable instructions and information on the cybersecurity risks relating to use of the product. Products must also carry labeling that informs users about cybersecurity features and updates.
  • Updates and maintenance: Manufacturers must ensure that security updates are available and supported for the expected product lifespan.
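
One way to check that an SBOM actually carries the fields the requirement above calls for (every component with a version and a license, and no vulnerability left unresolved), as an added example that is not Finite State's code: it reads a constructed CycloneDX-format SBOM and reports the gaps. The component names and the vulnerability IDs are placeholders, not real identifiers.

```python
"""Completeness check for a CycloneDX-style SBOM (added illustration, not Finite State code)."""
import json

# Constructed sample SBOM in CycloneDX JSON layout, with deliberate gaps:
# one component lacks a version, another lacks a license and has an open finding.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:generic/libfoo@1.2.3", "name": "libfoo", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:generic/libbar", "name": "libbar",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},                        # no version
        {"bom-ref": "pkg:generic/firmware-core@4.0", "name": "firmware-core",
         "version": "4.0"},                                                         # no license
    ],
    "vulnerabilities": [  # IDs are placeholders, not real advisories
        {"id": "PLACEHOLDER-VULN-0001", "affects": [{"ref": "pkg:generic/libfoo@1.2.3"}],
         "analysis": {"state": "resolved"}},
        {"id": "PLACEHOLDER-VULN-0002", "affects": [{"ref": "pkg:generic/firmware-core@4.0"}],
         "analysis": {"state": "in_triage"}},
    ],
})

# CycloneDX analysis states that mean the finding needs no further patch action.
CLOSED_STATES = {"resolved", "resolved_with_pedigree", "not_affected", "false_positive"}


def check_sbom(sbom_json):
    """Return (component name, problem) tuples for missing version, missing license,
    and vulnerabilities whose analysis state is still open."""
    sbom = json.loads(sbom_json)
    findings = []
    names_by_ref = {}
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        names_by_ref[comp.get("bom-ref")] = name
        if not comp.get("version"):
            findings.append((name, "missing version"))
        if not comp.get("licenses"):
            findings.append((name, "missing license"))
    for vuln in sbom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state in CLOSED_STATES:
            continue
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            findings.append((names_by_ref.get(ref, ref),
                             f"unresolved vulnerability {vuln.get('id')} ({state or 'no analysis'})"))
    return findings


if __name__ == "__main__":
    for name, problem in check_sbom(SAMPLE_SBOM):
        print(f"{name}: {problem}")
```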

How Finite State Helps Ensure EU CRA Compliance

Finite State offers a comprehensive solution to support compliance with the EU Cyber Resilience Act. Here’s how Finite State can assist your teams:

  • Enforcing secure coding practices: Seamless integrations into existing CI/CD pipelines automatically analyze source code and compiled binaries for common security vulnerabilities and coding errors. This lets engineers identify vulnerabilities hidden deep within legacy code and third-party libraries, and detect and address issues early in the development process.
  • Real-time threat detection: Integrations with vulnerability databases provide up-to-date information on the latest threats and exploits, allowing potential risks to be identified proactively before they can be exploited.
  • Automating vulnerability identification: Using our advanced binary and source code SCA, vulnerabilities can be identified as they are introduced across the SDLC, helping teams keep applications secure.
  • Comprehensive SBOM solutions: Automatically generate Software Bills of Materials throughout the SDLC and easily compile detailed information on all components in your products, including open-source libraries, third-party dependencies, and custom code, to improve transparency and identify potential security risks in your software supply chain.

Strong cybersecurity requires a collective effort. Talk to the team today to discover how Finite State can help you comply with the EU Cyber Resilience Act.