{"id":25326,"date":"2023-05-04T10:00:48","date_gmt":"2023-05-04T08:00:48","guid":{"rendered":"https:\/\/stage-fp.webenv.pl\/blog\/?p=25326"},"modified":"2025-01-30T17:42:37","modified_gmt":"2025-01-30T16:42:37","slug":"eu-the-new-cyber-resilience-act","status":"publish","type":"post","link":"https:\/\/www.future-processing.com\/blog\/eu-the-new-cyber-resilience-act\/","title":{"rendered":"EU: The new Cyber Resilience Act"},"content":{"rendered":"\n

How serious is this? Well, this new law is something that software makers should definitely be focusing on already,<\/strong> since choosing not to comply may result in painful financial consequences<\/strong> and could even harm their hard-earned reputations.<\/p>\n\n\n

\n
\n \n \"CRA\" <\/a>\n <\/figure>\n \n
\n
\n \n Close picture \n <\/use>\n <\/svg> <\/button>\n
\n
\"CRA\" <\/figure>\n <\/div>\n <\/div>\n<\/div>\n <\/div>\n\n\n\n

Furthermore, these new safety regulations for software development companies will impact \u2014 one way or another \u2014 the entire western world, so this is not just a regional change in politics. <\/p>\n\n\n\n

For instance, the Biden administration has just released its National Cybersecurity Strategy,<\/a> <\/strong>and while it may differ from the CRA in certain details, its goals are quite similar. Australia is also considering making comparable changes<\/strong> in its cybersecurity strategy<\/a>.<\/p>\n\n\n\n

Plus, we can expect that the UK will want to comply with the new act<\/strong> as well (just as it did with NIS2<\/a>), despite no longer being a member state of the European Union.<\/p>\n\n\n\n


Cyber Resilience Act \u2014 the reasons why<\/h2>\n\n\n\n

Digital products (both hardware and software) are becoming increasingly vulnerable to cyberattacks.<\/strong> According to the European Council<\/a>, the estimated global annual cost of cybercrime amounted to \u20ac5.5 trillion by 2021. <\/p>\n\n\n\n

And apart from this low level of product security, there\u2019s also another problem that has proven quite challenging: namely, how to increase limited user knowledge and improve poor user understanding of software security.<\/strong><\/p>\n\n\n\n

That\u2019s why something needs to be done in order to create a new European cyber ecosystem that is safe <\/strong>for all of its citizens \u2014 no matter how educated they are on the subject of digital security.<\/p>\n\n\n\n


Cyber Resilience Act \u2014 the goals<\/h2>\n\n\n\n

Law-makers have outlined two general and four specific objectives of the Cyber Resilience Act. <\/strong>The former focus on ensuring that the internal European market functions properly, while the latter basically revolve around creating a set of requirements for more secure coding.<\/p>\n\n\n

\n
\n \n \"Cyber_Resilience_Act\u2013the_goals <\/a>\n <\/figure>\n \n
\n
\n \n Close picture \n <\/use>\n <\/svg> <\/button>\n
\n
\"Cyber_Resilience_Act\u2013the_goals <\/figure>\n <\/div>\n <\/div>\n<\/div>\n <\/div>\n\n\n\n

That\u2019s it for the general background of the new law. Now it\u2019s time for the particulars.<\/p>\n\n\n\n


Cyber Resilience Act \u2014 key takeaways<\/h2>\n\n\n\n

First and foremost, unlike the American National Cybersecurity Strategy, the CRA is designed to make everyone comply, whether you\u2019re a small or large software development company,<\/strong> and not only \u201cmanufacturers and software publishers with market powers\u201d. <\/p>\n\n\n\n

So, as long as you operate in the European market \u2014 you will have to take this seriously and adhere to the presented standards. <\/strong>And when it comes to producing software, this is absolutely revolutionary.<\/p>\n\n\n\n

Cybersecurity will now become a crucial part of every phase of the software development process<\/mark><\/strong> \u2014 from planning to maintenance. So, even if you plan to build a very basic product, you should take the essential security requirements under consideration from the very beginning.<\/p>\n\n\n

\n
\n \"\" <\/div>\n
\n

Are you concerned about the impact of EU cybersecurity regulations \u2028on your business?<\/strong><\/p>\n

Leverage our AI-powered chatbot to answer all your questions about EU cybersecurity regulations. Understand and verify your compliance \u2028with DORA, NIS 2, and CRA using our AI assistant.<\/p>\n<\/div>\n

\n \n Start a conversation now!<\/span>\n \n <\/use>\n <\/svg> \n <\/use>\n <\/svg> <\/a>\n <\/div>\n <\/div>\n<\/div>\n\n\n\n

Plus, there should be a set of outlined processes in place in case any emergencies should occur, and any detected vulnerabilities or cyberattack incidents (both successful and unsuccessful) should be immediately reported to ENISA<\/a> (the European Agency for Cybersecurity, which oversees CRA). <\/p>\n\n\n\n

This way, every IT company will be forced by law to monitor and mitigate any vulnerabilities during the entire product lifecycle.<\/strong><\/p>\n\n\n\n

There\u2019s also something that every user can benefit from directly: since companies will be obligated to publish all relevant security information,<\/strong> this includes clear instructions on how to properly install and use a given device or piece of software.<\/p>\n\n\n\n

OK, but what if a company doesn\u2019t comply with the new regulations? Is there any way the authorities will be able to put pressure on organisations to make them introduce all of the necessary changes? Well, not complying could be financially painful for them, <\/strong>since fines of up to 15 million euros or 2.5% of turnover<\/strong> (whichever is higher) can be levied.<\/p>\n\n\n\n


Controversies<\/h3>\n\n\n\n

Of course, every new and somewhat revolutionary law brings controversies <\/strong>and casts doubts. Here, doubts arise from the fact that it seems like the EU is trying to force developers to create software that is resilient against unspecified denial of service attacks, which is virtually impossible. <\/p>\n\n\n\n

So, I think that we can expect this point to be clarified or changed<\/strong> later on, since it might just become a dead letter.<\/p>\n\n\n\n

Another significant consequence of the CRA is the fact that customers will no longer be allowed to be beta testers of products or services, since companies will be obligated to only release products that are already free of vulnerabilities.<\/p>\n\n\n\n

Plus, since the CRA is still a living document,<\/strong> and coordinated standards are yet to come, we cannot prepare for it in detail.<\/strong> The act is likely to enter into effect in 2025<\/mark><\/strong> with more precise requirements becoming mandatory another 24 months after that.<\/strong><\/p>\n\n\n\n


What you can do now?<\/h2>\n\n\n\n

Although no one can really know all the technicalities of a law that is still being shaped, there are some things that you can do right away,<\/strong> without waiting until the last minute:<\/p>\n\n\n\n