Cyber Resilience Act: compliance countdown set to start for EU law focused on eliminating vulnerabilities

November 25, 2024

The clock for compliance with the EU Cyber Resilience Act has now started ticking

A 36-month countdown to compliance with the EU Cyber Resilience Act (CRA) is about to begin.

Vendors of products with digital elements (PDEs) now have three years to fulfil all the law’s security requirements – which are focused heavily on eliminating vulnerabilities – if they want to sell their devices or software in the world’s largest trading bloc.

Cyber Resilience Act timeline, scope and penalties

Having been adopted on 10 October, the CRA was published in the Official Journal of the EU on Wednesday (20 November). This means the act enters into force from 10 December. However, to give regulated organisations more time to prepare, most of the act’s provisions will apply from 11 December 2027.

Depending on the gravity of the offence, violations could result in fines of up to €15 million, €10 million or €5 million, or, respectively, up to 2.5%, 2% or 1.5% of an entity’s worldwide annual turnover (whichever is higher). Offending products could also be banned from sale within the single market.

PDEs are defined as any software or hardware that connects to networks or other devices. That definition covers the vast majority of modern devices, from smartphones, laptops and tablets to smart TVs, cameras and toys. There are certain exemptions for open-source software, and products covered by existing rules, such as medical, aviation and automobile products.

EU CRA focused on tackling ‘widespread vulnerabilities’

When the CRA was proposed in 2022 to address “a low level of cybersecurity” in digital products, the European Commission set out to tackle certain deficiencies above all. As well as observing a lack of security information provided to users, it noted “widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them.”

As a result, the European Cyber Resilience Act has a big focus on identifying, disclosing and fixing vulnerabilities.

For instance, products must arrive on the market in a secure-by-default configuration (with certain exceptions) and free from “known exploitable vulnerabilities”. Identifying the presence of known vulnerabilities is facilitated by the mandatory creation of a software bill of materials (SBOM), which must cover a product’s top-level dependencies as a minimum.

Vulnerabilities should be addressed and remediated “without delay”, the CRA instructs.

Bug Bounty backed by the Cyber Resilience Act

The CRA requires that coordinated vulnerability disclosure policies (CVD policies or VDPs) be implemented to facilitate the external reporting of vulnerabilities, both directly to the vendor “and where requested anonymously, via CSIRTs”. There should also be a single point of contact to which vulnerability information can be relayed and where the CVD policy can be found.

Bug Bounty Programs are explicitly referenced as a vehicle for fulfilling CVD obligations. “Given the fact that information about exploitable vulnerabilities in widely used products with digital elements can be sold at high prices on the black market, manufacturers of such products should be able to use programmes, as part of their coordinated vulnerability disclosure policies, to incentivise the reporting of vulnerabilities by ensuring that individuals or entities receive recognition and compensation for their efforts,” reads the act. “This refers to so-called ‘bug bounty programmes’.”

The Cyber Resilience Act 2024 also urges member states to protect vulnerability researchers from legal harms by adopting “guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities”.

Specific Cyber Resilience Act requirements are detailed for “high-risk AI systems”, including accounting for “AI specific vulnerabilities such as data poisoning or adversarial attacks, as well as, as relevant, risks to fundamental rights”.

Security updates and advisories

Security updates should be distributed promptly, securely and free of charge, and be accompanied by security advisories, according to the CRA. Where applicable, they should be automatic or separate from functionality updates.

Once patches have been issued, manufacturers are obliged to publicly disclose remediated vulnerabilities, providing a description and information about impact, severity and remediation/mitigation. However, disclosure can be delayed to give users more time to apply patches where “manufacturers consider the security risks of publication to outweigh the security benefits”.

Manufacturers are also expected to notify Computer Security Incident Response Teams (CSIRTs) and ENISA, the EU cyber agency, about “severe incidents” and the active exploitation of vulnerabilities. These requirements apply in 21 months, from 11 September 2026.

Other CRA rules

Recognising the complexity of the threat landscape, lawmakers have designed the CRA to increase cyber-resilience both throughout the supply chain and lifecycle of digital products.

Vendors must handle vulnerabilities for a minimum support period of five years, unless the product’s lifetime expires sooner. Longer support periods are prescribed for typically long-life components like microprocessors, network devices and operating systems.

When support periods end, “manufacturers should consider releasing the source code of such products” to the public domain or “other undertakings which commit to extending the provision of vulnerability handling services”.

Other CRA requirements cover areas such as authentication, encryption, minimising attack surfaces, reducing the impact of cyber-attacks, and the collection of personal data.

CRA and the wider legal context

Irrespective of their place of manufacture, PDEs must be compliant if they are sold in the EU single market, encompassing 27 member states plus Norway, Iceland and Liechtenstein. Alongside safety, health and environmental protection standards, CRA compliance is now a condition of bearing a CE mark.

The CRA forms a key plank of the EU’s recent drive to upgrade its cybersecurity framework. Other notable pillars are the Cybersecurity Act 2019 (which introduced a common certification framework for ICT products), the NIS 2 (Network and Information Security) Directive (wide-ranging requirements for member states and ‘essential’ or ‘important’ services) and the Digital Operational Resilience Act 2023 (ICT security rules for financial services firms).

These regulations all prioritise – in common with cyber laws emerging elsewhere in the world – a risk-based approach to understanding and minimising your attack surface, and proactively finding, fixing and remediating vulnerabilities.

YesWeHack crowdsourced security testing and VDP solutions can help you fulfil your compliance obligations in a scalable and cost-effective fashion. In particular:

  • YesWeHack can help you create a branded VDP that aligns with CRA requirements and your specific needs
  • A Bug Bounty Program with YesWeHack provides agile security testing adapted to your development model, results-based pricing, in-house triage, seamless integration with your security tools and more secure development practices

Contact our sales team or book a demo of our Bug Bounty and vulnerability management platform.