Approved by the European Parliament on March 12, 2024, the Cyber Resilience Act (CRA) already has a Spanish version. Whether or not you have had time to review it, here is a brief summary:
What does it regulate?
The Cyber Resilience Act establishes minimum cybersecurity requirements for products with digital elements in the European Union (EU). This uniform legal framework seeks to ensure that these products meet essential security standards before reaching the market.
Why is it important?
Cybersecurity is a critical challenge for the EU, especially with the exponential increase in connected devices. Cyber-attacks not only affect the economy, but also democracy, health and consumer safety. This law seeks to protect individuals and organizations from these risks. It is part of a broader protection strategy.
How does it do it?
The CRA introduces clear conditions for developing more secure digital products:
- Vulnerability reduction: Products must be designed and updated with a focus on cybersecurity throughout their lifecycle.
- Transparency for users: Consumers will have information about technical support and product security updates.
- Comprehensive coverage: The regulation includes remote data processing solutions (e.g. mobile applications that rely on cloud services).
In addition, there are public companies, such as INCIBE, that carry out study, detection and prevention work on the risks in technologies offered to citizens.
Practical example

Imagine an application for ordering food at home. To work, it needs to connect to cloud servers via an API, which handles requests such as displaying menus or processing orders. According to the CRA, the manufacturer of this app is responsible for the security of this entire infrastructure, ensuring that data is protected both on the device and on the server.
Who is affected?
The law covers a wide variety of products with digital elements:
- Consumer products for vulnerable users: connected toys and baby monitoring systems.
- Critical consumer products: Smart locks, alarm systems and wearable medical devices.
These are just a few examples; its coverage goes beyond that.
Now, most importantly, what is the difference between the CRA and NIS2?
What does it mean for manufacturers?
Manufacturers must guarantee:
- Secure design: Comply with essential cybersecurity requirements from product development.
- Protection against vulnerabilities: Ensure security in both direct and indirect connections to other devices or networks.
- Constant updates: Maintain product safety throughout its useful life.
Cyber Resilience Act:
- Objective: To ensure that products with digital elements are safe throughout their life cycle.
- Scope: Applies to a wide range of products with digital elements, from IoT (Internet of Things) devices to software and hardware components.
- Approach: Establishes cybersecurity requirements for manufacturers of these products, such as secure design, vulnerability management and software updates.
NIS 2 Directive:
- Objective: To improve the general level of cybersecurity in the European Union.
- Scope: Applies to sectors considered essential and important for the economy and society, such as energy, transportation, banking, health, digital service providers, etc.
- Approach: Establishes obligations for entities in these sectors, such as risk management, incident notification and implementation of security measures.
Conclusion
The Cyber Resilience Act is an essential step towards strengthening digital security in Europe. With this regulation, the EU protects both consumers and businesses, fostering a safer and more secure digital marketplace.