European Cyber Resilience Act (CRA)

Introduction

The European Cyber Resilience Act (CRA) is set to transform cybersecurity standards, imposing strict requirements on digital products sold across the EU. Approved by the European Parliament on March 12, 2024, the CRA sets mandatory standards for manufacturers, distributors, and importers of products with digital elements (PDEs), ensuring they are resilient to cyber threats throughout their lifecycle.

With a 36-month compliance timeline, organizations have a crucial window to meet these new obligations or risk severe penalties. This article explores the CRA, its broad scope and impact, and how Exiger can empower your organization to confidently navigate and meet these new regulatory standards.

The CRA: What It Is and Who It Affects

The CRA aims to ensure that products are designed with security at the forefront – impacting a wide range of stakeholders across various sectors. It shifts accountability for cybersecurity from users to suppliers, reflecting a growing recognition that manufacturers and distributors are better positioned to manage and mitigate risks associated with their products. 

Several key clauses that facilitate this important shift in accountability include conformity assessments, vulnerability management, incident reporting, and technical documentation. Other crucial requirements include:

  • Software Bill of Materials (SBOM): The CRA mandates a Software Bill of Materials, which lists all components used in a product, including third-party software. This enhances transparency, streamlines vulnerability detection, and makes suppliers responsible for every software component they ship.

  • CE Marking Requirement: Products that comply with the CRA must bear a CE marking, indicating adherence to EU safety and cybersecurity standards, ensuring manufacturers are accountable for product security.

The CRA’s broad scope means it affects a wide range of stakeholders involved in the lifecycle of digital products. This includes:

  • Manufacturers
  • Importers and Distributors
  • Software Vendors
  • Supply Chain Stakeholders

Additionally, all connected and embedded device manufacturers outside the EU that wish to sell their products in the EU market will also be subject to these regulations.

Products Covered Under the CRA

The CRA applies to all products with digital elements (PDEs), from smartphones to industrial control systems. This broad scope means that every connected device is subject to its regulatory framework. It shifts cybersecurity responsibility to IT, OT, and IoT manufacturers – requiring proactive risk management and prioritizing supplier accountability over user responsibility.

Here’s a breakdown of the types of products covered under the CRA:

  1. Software & Hardware: Products with direct or indirect network connections, including apps and firmware.
  2. Connected Devices: Smart home gadgets like thermostats and security cameras.
  3. Wearables: Internet-connected devices such as fitness trackers and smartwatches.
  4. Industrial Systems: Manufacturing and IoT devices.
  5. Network Equipment: Routers, switches, and firewalls for consumer and industrial use.
  6. Personal Devices: Laptops, desktops, tablets, and smartphones.
  7. Components: Integrative software or hardware like microcontrollers and processors.
  8. Toys: Internet-connected smart toys.
  9. Remote Solutions: Software essential for remote data processing in digital products.

There are also certain products that are excluded from the CRA’s requirements, including: 

  • Medical devices already regulated under specific EU medical device regulations.
  • Motor vehicles and aviation systems.
  • Software-as-a-service (SaaS) products covered by other regulations like the NIS2 Directive.

Implications for CRA Non-Compliance

Non-compliance with the CRA can lead to severe direct and indirect penalties that significantly impact a company’s financial health, market access, and reputation. 

  1. Direct Penalties
    • Financial Fines: 
      • Up to €15 million, or 2.5% of global annual turnover, for failing to meet cybersecurity requirements.
    • Loss of CE Mark: 
      • Inability to market products in the EU
      • Significant damage to consumer trust and brand reputation
      • Potential for substantial revenue losses as products become ineligible for sale

  2. Indirect Penalties
    • Increased Regulatory Scrutiny:
      • More frequent inspections and audits by authorities due to non-compliance.
    • Legal Liabilities:
      • Potential lawsuits if products cause harm due to cybersecurity flaws.
    • Costly Corrective Actions:
      • Necessity for product recalls or redesigns, disrupting business operations and eroding customer loyalty.

The CRA aims to help consumers make safer product choices by prioritizing cybersecurity in products with digital elements. Compliance not only shields businesses from penalties but also offers a competitive edge. Products meeting CRA standards attract security-conscious consumers, making it easier for them to choose hardware and software with strong cybersecurity features.

CRA Compliance Timeline

Timeline Milestone | Date | Details
Adoption of the CRA | October 2024 | The CRA is expected to be officially adopted by the European Parliament and the Council of the EU.
Publication in Official Journal | November 2024 | The CRA will be published, marking the start of its enforceability timeline.
Entry into Force | 20 days after publication | The CRA becomes legally binding across all EU member states.
Provisions Related to Conformity Assessment Bodies | August 2025 (approximately nine months post-entry) | Manufacturers can begin working with authorized conformity assessment bodies (CABs) for compliance.
Security Vulnerability and Cyber Incident Reporting Requirements | November 2025 (approximately 12 months post-entry) | Manufacturers must implement systems for reporting actively exploited vulnerabilities and severe incidents.
Full Enforcement of All CRA Requirements | February 2027 (approximately 36 months post-entry) | All provisions of the CRA become enforceable, including cybersecurity requirements for product design and vulnerability management.

Navigate CRA Compliance with Exiger

With the enactment of the CRA, it’s crucial that businesses ensure compliance and maintain robust security standards to secure a competitive edge. Exiger stands out with its ability to map adversarial contributions, proactively detect risks, and provide a comprehensive view of the supply chain – positioning your business to navigate the CRA effectively.

The table below highlights CRA requirements, Exiger’s solution features and capabilities that address them, and the unique business benefits of leveraging this intelligence.

CRA Requirements

Exiger Features

Unique Business Advantages

Software Bill of Materials (SBOM)

The CRA mandates that “manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials.”

Exiger offers robust SBOM management tools that generate SBOMs directly from binary files, which is essential where source code is unavailable or contractual mechanisms for obtaining an SBOM are lacking.

Accurate Assessment of OEM/Vendor-Supplied SBOMs:

  • Evaluates the accuracy and completeness of supplied SBOMs.

Binary-Derived SBOMs:

  • More accurate as they include actual shipped dependencies and libraries.
  • Mitigate risks occurring downstream of potential tampering opportunities.

Comprehensive Coverage:

  • Industry-leading coverage across IT, OT, and IoT products.
  • All insights are provided under a single pane of glass for streamlined visibility.
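The accuracy and completeness check described above can be expressed as a comparison between a vendor-supplied SBOM and the component inventory recovered from the shipped binary. The script below is an added illustration, not Exiger's tooling or text from the CRA; the CycloneDX document, the binary inventory and all component names and versions are constructed sample data.

```python
import json

# Constructed vendor-supplied CycloneDX-style SBOM (sample data, not a real product).
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.12", "purl": "pkg:generic/openssl@3.0.12"},
        {"name": "zlib", "version": "1.3", "purl": "pkg:generic/zlib@1.3"},
        {"name": "libfoo", "version": "2.1.0", "purl": "pkg:generic/libfoo@2.1.0"},
    ],
})

# Constructed inventory as a binary-analysis tool might report it from the
# shipped firmware image (hypothetical names and versions).
BINARY_INVENTORY = [
    ("openssl", "3.0.12"), ("zlib", "1.2.13"), ("busybox", "1.36.1"),
]


def load_components(sbom_json: str) -> dict[str, str]:
    """Map component name -> declared version from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return {c["name"]: c.get("version", "") for c in bom.get("components", [])}


def assess_sbom(declared: dict[str, str], observed: list[tuple[str, str]]) -> dict:
    """Compare what the SBOM declares against what actually shipped.

    missing  : shipped but absent from the SBOM (completeness gap)
    mismatch : in both, but the declared version differs (accuracy gap)
    stale    : declared but not found in the binary (outdated entry)
    coverage : share of shipped components the SBOM declares correctly
    """
    observed_map = dict(observed)
    missing = sorted(n for n in observed_map if n not in declared)
    mismatch = sorted((n, declared[n], v) for n, v in observed_map.items()
                      if n in declared and declared[n] != v)
    stale = sorted(n for n in declared if n not in observed_map)
    covered = sum(1 for n, v in observed_map.items() if declared.get(n) == v)
    coverage = covered / len(observed_map) if observed_map else 1.0
    return {"missing": missing, "mismatch": mismatch, "stale": stale, "coverage": coverage}


if __name__ == "__main__":
    report = assess_sbom(load_components(VENDOR_SBOM), BINARY_INVENTORY)
    print(json.dumps(report, indent=2))
```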

Vulnerability Management and Disclosure Obligations

The CRA requires that “manufacturers must have processes for managing vulnerabilities, including regular updates and patches. Any actively exploited vulnerabilities must be reported to the European Network and Information Security Agency (ENISA) within 24 hours.”

Continuous Scanning:

  • Exiger continuously scans vulnerability disclosure sources, including vendor websites.

AI-Powered Matching:

  • Utilizes AI to match identified vulnerabilities to specific products and components.

Supplier Risk Identification:

  • Detects supplier risks in software with unpublished vulnerabilities using leading risk indicators, such as:
    • Single code committers
    • FOCI signals
    • End-of-life status
    • Project abandonment

Comprehensive Analysis:

  • Exiger Ion Channel identifies known vulnerabilities (CVEs) and goes beyond them to analyze software components and libraries, including open-source ones.

Proactive Monitoring:

  • Monitors leading risk indicators that may signal vulnerabilities appearing in the software supply chain and product lifecycle 8-12 months before they become known vulnerabilities.

Unmatched Data Depth:

  • Provides extensive data on upstream and downstream risks, encompassing 1.5 trillion events in the software supply chain.

False Positive Mitigation:

  • Effectively addresses false-positive issues common in other vulnerability management tools, allowing focus on critical vulnerabilities.

Provenance Matching:

  • Accurately matches vulnerabilities to components, even if they have altered provenance (e.g., renamed, mistyped, rebranded).

Advanced Vulnerability Analysis:

  • Identifies vulnerabilities that do not require network access, such as grenade-ware and wiper-ware.
  • Proactively detects these threats – 8-12 months before they become known vulnerabilities.

Comprehensive Risk Monitoring:

  • Analyzes software components and libraries, including open-source, for leading risk indicators throughout the product lifecycle.

Prompt Disclosure of Vulnerabilities:

  • Allows for 1-click, machine-readable VDRs (Vulnerability Disclosure Reports) to efficiently communicate vulnerabilities and their exploitability status.

Conformity Assessment

The regulation states, “Prior to placing products on the EU market, manufacturers must carry out a conformity assessment to demonstrate whether the requirements applicable to a specific product are complied with.”

Exiger Dashboards and Reporting Features Include:

  • Audit Evidence: Provides comprehensive dashboards and reports to demonstrate compliance.
  • Longitudinal Audit Capability: Time metrics and event tracking enable ongoing audits, surpassing the capabilities of point solutions or one-time scans.

Trusted Partner:

  • Exiger delivers supply chain risk insights to over 500 global customers.

Holistic Risk Analysis:

  • Offers entity-level risk analysis for comprehensive visibility.

360° Visibility:

  • Provides a complete view of the people, companies, products, and components in your supply chain.

Security by Design and Default

The CRA emphasizes that products must be designed with security as a fundamental consideration throughout their lifecycle.

Secure by Design and Default:

  • Incorporates risk analysis of the software supply chain throughout the product lifecycle.

Third-Party Software Scanning:

  • Helps technology suppliers scan third-party software for risks before embedding it in their products.

Continuous Monitoring:

  • Provides enterprise-wide monitoring to ensure security is integral to software product development.
  • Evaluates for various risks, including:
    • Existing and future vulnerabilities
    • Malware
    • Counterfeits
    • Compromised compilers
    • Prohibited components and suppliers
    • Additional threats

Data Backplane:

  • Maps adversarial contributions to open-source components with a risk-scoring methodology

Proactive Risk Detection:

  • Identifies risks beyond known vulnerabilities or binary analysis

Scalable Enterprise Solution:

  • Designed to support the entire organization

Leading Indicators of Risk:

  • Single Committers: Risks associated with one person maintaining the code
  • FOCI Signals: Contributions from developers linked to sanctioned entities
  • End-of-Life and Project Abandonment: Indicators of potential supply chain fragility
  • Supply Chain Fragility: Assessing vulnerabilities in the supply chain structure
  • Pedigree and Provenance: Evaluating the origin and history of components

Anomalies in Chain of Custody:

  • Risk Identification: Detects malware risks linked to missing or false connections to source code repositories

Contact us to learn more about how Exiger can help your organization navigate CRA challenges, ensure CRA compliance, and secure a competitive advantage.
