A webinar hosted by David Pashley, Managing Director of Direct Insight, in December 2024 delved into the finer points of the Cyber Resilience Act (CRA) legislation, covering its scope, timeline and requirements and reviewing the compliance process, for the benefit of the embedded engineers in attendance.
Pashley said in the session that the authors of the CRA “are casting the net even wider than you might assume,” a statement that could equally encapsulate the session itself, since clarification of wording, common misconceptions and what to do to ensure compliance were all key focuses.
Common misconceptions
The CRA officially entered into law on the 11th December 2024, meaning that all products with digital elements shipped from 36 months after that date must comply; the intervening 36 months are the transitional period.
Pashley, however, was careful to take attendees through the wording in reference to the transitional arrangements, as he remarked that English native speakers in particular get confused: “The actual wording in question here is, ‘products with digital elements that have been placed on the market before the 11th December 2027 shall be subject to the requirements only if they’ve been modified’ … But what exactly is meant by placed on the market?”
The issue, he explained, was that some people took this wording to mean that products that had already been placed on the market before the CRA came into force aren’t applicable to compliance. Referring to the Blue Guide – the EU’s own terms dictionary, in effect – Pashley said: “The act of placing on the market happens every time you ship a product, irrespective of whether the product’s been shipped before.”
Another common misconception about the CRA was that it applies only to Internet-connected products, and “not any product which is capable of being attached or connected to a network,” Pashley said. “Let’s say [the product] has a USB port or an Ethernet port. It is covered by the provisions of the CRA and people try to get out of that by saying they don’t use their USB port. Then don’t have it.”
Another requirement of the CRA is for manufacturers to notify the impacted users of actively exploited vulnerabilities. Interestingly, although notification is a requirement, those same manufacturers don’t have an obligation to patch or update the vulnerability, only to inform their customers.
Pashley advised against following this process, whereby customers are informed of exploited vulnerabilities but the vulnerabilities aren’t patched.
“You could then be in the invidious situation where you’re informing your users of a problem but saying that the CRA doesn’t require you to do anything about it … It isn’t exactly what your users are going to want to hear,” he stressed.
The penalties that the CRA poses for non-compliance – 2.5% of a company’s turnover or 15 million euros, whichever is greater – were not, in Pashley’s view, going to be the main incentive for compliance.
“What’s more significant is that a non-conforming product may not be CE marked, and you’ll want to [be able] to ship your product to Europe and other territories, including the UK, where we’re still in the habit of looking for the CE mark,” he explained.
“I don’t think we should be under any misapprehension [in] thinking that nobody’s going to check your compliance,” he said.
Key takeaways
Key takeaways, which Pashley took attendees through near the end of the webinar, included planning, preparation and not panicking when it came to ensuring compliance with the CRA.
“There’s no reason that with a bit of planning, you can’t shift painlessly to a CRA compliance methodology,” said Pashley.
Appropriate planning, he advised, means beginning with threat modelling, not taking measures that aren’t necessary, and starting now. Wise words.