EU Cyber Resilience Act and how threat
modeling can help

We know it's not easy to make regulations or standards sound jazzy. So bear with us while we summarize the essentials. 

What exactly is the Cyber Resilience Act (CRA)?

The short answer: The CRA introduces mandatory cybersecurity requirements for hardware and software products, throughout their whole lifecycle.

The longer answer: The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.

What is the purpose of the CRA?

Two main objectives were identified aiming to ensure the proper functioning of the internal market:

1. Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and
2. Create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Let's delve into the detail and see how threat modeling can help.

Manufacturer Obligations

The EU Cyber Resilience Act Factsheet gives a helpful overview of the obligations, which are:

  • Cybersecurity is taken into account in the planning, design, development, production, delivery and maintenance phases;
  • All cybersecurity risks are documented;
  • Manufacturers will have to report actively exploited vulnerabilities and incidents;
  • Once sold, manufacturers must ensure that for the expected product lifetime or for a period of five years (whichever is the shorter), vulnerabilities are handled effectively;
  • Clear and understandable instructions for the use of products with digital elements;
  • Security updates to be made available for at least five years.

EU CRA and threat modeling?

Our Security Analyst, Álvaro Reyes explains in this blog that having products that are “secured by design with IriusRisk” can help companies and consumers to identify which products in the market are secure enough.

The EU Cyber Resilience Act has also introduced mandatory cybersecurity requirements for hardware & software products. Read more about it on this page, and see how Threat Modeling can help.

What other frameworks or requirements should companies be aware of?

The new EU cybersecurity rules ensure safer hardware and software.

The European Commission references the NIS2 Framework and CE Marking:

Once the Cyber Resilience Act is in place, manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, to after the product is placed on the market. Software and hardware products will bear the CE marking to indicate that they comply with the Regulation's requirements and therefore can be sold in the EU.