
Understanding the Cyber Resilience Act (CRA)


Jonathan Johansson

Publish date: Aug. 15, 2024



What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act is a new EU law that requires all products and services connected to networks to meet security standards. The aim is to prevent security issues from arising that could harm both businesses and consumers. In order for a product to be sold, it must be CE marked, indicating that it meets the requirements and is safe to use.


How CRA affects your business

If your company develops or distributes products in the EU, it is high time to prepare for CRA. Here are some key points you should focus on:

  • Product monitoring: Products must be monitored throughout their lifecycle, and security updates should be distributed free of charge if vulnerabilities are discovered.
  • Reporting: When safety issues are detected, they must be reported to the authorities within 24 hours, regardless of the day of the week.
  • Documentation: Full technical documentation and installation instructions must be available to users and authorities.

When will the CRA enter into force in Sweden?

The Cyber Resilience Act (CRA) will apply across the EU, including Sweden, on January 1, 2025. This means that all companies and organizations operating in the EU must have adapted to the new rules before this date. To ensure full compliance and avoid potential fines or sanctions, it is crucial to start preparing now.

  • 21 months after the law is published, there will be a requirement to report vulnerabilities and security incidents, such as ransomware attacks or physical breaches.
  • 36 months after publication, the CRA becomes fully effective.
  • 42 months after publication, all products must be recertified under the new rules, as previous certifications are no longer valid.

Competitive advantages and business opportunities with CRA

“Regulation not only poses challenges but can also be used as a strategic advantage,” says Jonathan Johansson. By adapting to the regulatory requirements early, companies can position themselves as leaders in the field, which strengthens customer confidence and opens the door to increased market share.

– Ultimately, when the customer is faced with the choice between two equivalent products, trust becomes a decisive factor. The companies that can best demonstrate their work on CRA and effectively market it will be able to use security as a competitive advantage, which can lead to new business opportunities and potential customers.

Jonathan Johansson, CEO and Project Manager at Quality Think.

Get started: see which of your products must comply with CRA requirements.

The Cyber Resilience Act (CRA) is an important EU law to make the internet safer. By following the rules, your business can better protect itself against future threats. Need help understanding what it means for you? Get in touch with us – we’re here to guide you through it all. We can help you with:

  • Review your products – Check which ones need to be adapted.
  • Security updates – Ensure that updates can be provided free of charge.
  • Reporting – Be prepared to report security breaches within 24 hours.
  • Documentation – Have clear instructions and technical info ready.
  • Certification – Check if your products need CE marking.
