The EU is toughening up its regulations and measures to enhance cybersecurity across industries. There is a good reason why it is no longer just critical infrastructure that is being considered: the increased interconnectivity of infrastructure and the wide network of suppliers involved in projects. If just one supplier is compromised, this can open a door for cybercriminals into applications used by other companies and their customers, thus spreading the risk much further.
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) is an EU cybersecurity regulation focused on ‘products with digital elements’ that are distributed or sold within the EU. This includes software and hardware products and the associated remote data processing capabilities of IIoT solutions, e.g., those used for remote services or predictive maintenance. However, it does not apply to products with digital elements that are already covered by other, more stringent legislation, e.g., those found in the medical, automotive, and aviation sectors.
The CRA aims to ensure that products are designed with, and maintained at, an adequate level of cybersecurity across the product’s lifetime. It includes a framework of requirements that makes manufacturers, importers, and distributors responsible for checking for security vulnerabilities and providing security updates, a responsibility that used to lie with the products’ users. Now, users only have to take care of applying the patches provided to their product.
The CRA is expected to come into effect by the end of 2024 and will apply starting in 2027. However, the reporting obligation according to Article 14 already needs to be observed a year earlier, in 2026. Therefore, it is important to start reviewing the CRA at an early stage to understand what requirements need to be met.
What are the main points of CRA?
The CRA covers four main topics:
- Rules for making products with digital elements available on the market.
- Requirements for the design, development, and production of these products.
- Requirements for dealing with vulnerabilities during the time the product is in use.
- Rules related to monitoring and enforcement.
Some key requirements manufacturers providing an IIoT solution or including one in their offering should be aware of according to CRA Annex I are:
- Security-by-design: Manufacturers must design and develop their products with cybersecurity in mind, i.e., ensure that basic security requirements are met, such as data confidentiality and integrity.
- Security-by-default: Products must have a secure configuration when they are delivered.
- Availability of security updates: Manufacturers must ensure security updates are freely available for a minimum of ten years after each update’s release. They are, however, not responsible for users rolling out the updates.
- Protect confidentiality for stored, transmitted, and processed data through appropriate technical measures, e.g., encryption.
Obligations arising from the CRA for all software providers:
- Technical documentation: Manufacturers need to provide documentation (including a software bill of materials).
- Regular risk assessments: Test and review security-related product components, monitor potential weaknesses, and track discovered vulnerabilities.
- Provide a contact point for reporting vulnerabilities or weaknesses discovered in the product over time.
- Maintenance of product security: Manufacturers must ensure they react to possible vulnerabilities regarding their own code, inform the relevant stakeholders in a timely fashion, and provide security patches over the product’s lifespan and beyond. This also applies to due diligence for integrating components from third-party suppliers (e.g., open-source applications).
- Reporting obligations: Manufacturers must follow a specified process when they become aware of an actively exploited vulnerability or in case of a critical incident, including informing the European Union Agency for Cybersecurity (ENISA) and the national Computer Security Incident Response Team (CSIRT).
Where is CRA applied and to which companies?
The CRA defines four classes of products with digital elements, each of which has different conformity requirements based on the criticality of the product. The most common type, under which about 90% of all products will fall, is the standard “products with digital elements”. These products are not part of critical infrastructure and thus do not need to be evaluated by third parties – documentation can be provided in the form of a compliance self-assessment by the manufacturer. It is, however, important that manufacturers carefully check which class/category their product falls into.
The CRA is applied across industries in all EU member states. The focus is on products released after the CRA has come into force. However, even for products originally released before the CRA came into force, any new variants released afterwards must comply with the CRA.
The first steps towards ensuring CRA compliance
Given the wide scope of the CRA, it is recommended that manufacturers take a close look at their product portfolio and ensure proper documentation of their products’ functions, lifecycle, and expected uses. Based on this, cybersecurity risks and vulnerabilities can be assessed, and a list of measures to mitigate them can be drawn up.
The next step is to look for ways to ensure compliance – this can involve a lot of effort, in particular for IIoT solutions integrating legacy equipment, using open-source software, or individual solutions developed in-house. One option can be to use an edge platform solution that covers many of the cybersecurity requirements, especially as related to security updates, patches, and security-by-design.
For machine builders looking for options to comply with CRA, choosing a solution that is certified according to the industrial cybersecurity standard IEC 62443 can make a lot of sense. IEC 62443 provides guidelines for safe and secure development practices and ensuring security across the product lifecycle. IEC 62443 certification takes a lot of effort, and, in some respects, the standard even exceeds the requirements of CRA, which means that a solution complying with this standard is virtually guaranteed to also be CRA-compliant.
How TTTech Industrial can support
TTTech Industrial was certified according to the IEC 62443-4-1 substandard in 2023, which guarantees secure product development processes and lifecycles for our solutions. The product certification of our industrial IIoT platform Nerve according to IEC 62443-4-2 is currently underway. Nerve offers a software infrastructure for the plant floor and the cloud that enables users to access data, manage devices, and deploy applications remotely.
Nerve can significantly reduce compliance efforts by offering a secure basis for integrating and managing applications, including a central management system that supports the rollout of security updates and the deployment of patches. Some of the CRA-relevant topics that Nerve can support are:
- Software update and patch management: The central management system gives an overview of all machines on the shop floor across locations worldwide. It also enables the remote rollout of patches and security updates to all or selected machines.
- Security checks: Nerve was designed in compliance with IEC 62443-4-1. It therefore meets the requirements of the CRA in terms of documentation, monitoring of potential vulnerabilities, and provision of patches and software updates to mitigate them. This can be highly relevant in reducing the effort of complying with the CRA, as machine builders only need to take care of their own applications and can rely on Nerve to cover the basics for everything else.
- Limiting potential openings for cyberattacks and vulnerabilities:
  - Secure encapsulation of legacy applications: Some IIoT solutions rely on data from legacy applications. Nerve provides a secure environment in which these applications can be run encapsulated, e.g., in Docker containers or as virtual machines.
  - Nerve is an edge-computing solution; thus, data can be processed at the source and only selected data is transferred off-premises or to the cloud. It can also run in offline mode, if required, limiting the chance for data to be compromised.
Nerve is a flexible and modular solution suitable for different use cases. However, we know every company has individual requirements, so we also provide consulting and development support if you are looking to make an existing IIoT solution CRA-compliant.
Further reading:
- IEC 62443 certification at TTTech Industrial
- Discover our IIoT platform Nerve
- Navigating NIS 2 Regulations: A Guide for Machine Builders
- Cybersecurity in der Produktion: IIoT-Projekte im Maschinenbau sicher umsetzen
- Cybersecurity Policies | Shaping Europe’s digital future (europa.eu)
- Cyber Resilience Act: English | German