New requirements

On November 30th, 2023, the European Union (EU) reached a political agreement on the Cyber Resilience Act (CRA), making it the first law worldwide to regulate the cybersecurity of digital and interconnected products placed on the EU market.

Vulnerability Management

Effective vulnerability management is a systematic process to identify, assess, prioritize, mitigate and monitor vulnerabilities in order to minimize the likelihood and impact of security breaches. These are the new requirements related to vulnerability management:

  • Document product vulnerabilities.
  • Address and remediate vulnerabilities promptly.
  • Implement effective and regular testing and reviews.
  • Publish information about vulnerabilities and patches according to coordinated policies.
  • Report vulnerabilities to ENISA within a 24-hour timeframe.
  • Provide security updates promptly and free of charge, for at least five years.

Product Conformity

Product conformity is crucial to ensure that IT products meet the quality, safety and performance standards required for effective and safe use in business and consumer environments. These are the new requirements that will apply:

  • Design, develop, and produce the product with an adequate level of cybersecurity, and with secure default settings.
  • Evaluate and document all cybersecurity risks.
  • Include the cybersecurity assessment in the technical documentation.
  • Systematically document relevant cybersecurity aspects.
  • Consider changes in the development, production, and design process that may impact cybersecurity.