Enhancing Cybersecurity: A Closer Look at the EU Cyber Resilience Act (CRA)
In an era where digitalisation permeates every aspect of our lives, the security of products and software with a digital component has become paramount. Recognising the growing threats posed by cyberattacks and the need to protect consumers and businesses alike, the European Union (EU) has taken a significant step forward with the introduction of the EU Cyber Resilience Act (CRA).

Scope of the CRA: Safeguarding the Digital Landscape
At its core, the CRA seeks to address two critical challenges:
  • it aims to rectify the inherent inadequacies in the cybersecurity of many products and software, and
  • it endeavors to empower consumers and businesses by providing them with the means to discern which products offer robust cybersecurity measures.

Mandatory Cybersecurity Requirements
One of the most pivotal aspects of the CRA is the introduction of mandatory cybersecurity requirements for manufacturers and retailers. These requirements span the entire lifecycle of products, encompassing planning, design, development, and maintenance. By establishing stringent standards, the Act endeavors to raise the bar for cybersecurity across the board.

One of the significant advantages of the CRA is its commitment to ensuring harmonised rules. By streamlining regulations, the Act aims to eliminate discrepancies and create a level playing field for all stakeholders involved in the market for products and software with a digital component.


Upon the Regulation coming into force, products and software connected to the internet will bear the CE marking, signifying compliance with the new cybersecurity standards. This visible indicator will provide consumers and businesses with the assurance that the products they are purchasing meet the requisite security criteria.

The CRA also casts a wide net, encompassing all products connected directly or indirectly to another device or network. While certain exclusions exist, such as open-source software or services already covered by existing rules, the Act maintains a comprehensive scope to ensure robust cybersecurity measures across various sectors.

Anticipated to come into effect in early 2024, the CRA provides manufacturers with a transitional period of 36 months to adapt and comply with the new regulations. This phased approach acknowledges the complexities involved in implementing cybersecurity measures while ensuring a smooth transition for all stakeholders.

CRA: A Crucial Component of the EU Cybersecurity Strategy

The inception of the CRA in the 2020 EU Cybersecurity Strategy underscores its significance as a cornerstone of the EU's cybersecurity framework. Complementing existing legislation such as the NIS2 Framework, the Act reflects the EU's commitment to bolstering cyber resilience and safeguarding the digital realm, thereby preserving the integrity of communication, data, and the online economy.

In conclusion, the EU Cyber Resilience Act represents a proactive step towards fortifying cybersecurity in an increasingly digitised world. By establishing mandatory requirements, harmonising rules, and delineating a clear path for implementation, the Act sets a robust foundation for enhancing cyber resilience and fostering trust and confidence in digital products and software. As the digital landscape continues to evolve, the CRA stands as a beacon of resilience, guiding stakeholders towards a more secure and resilient future.


How can BDO help?

As the digital landscape continues to evolve, staying ahead of cybersecurity threats is paramount. BDO Malta offers indispensable expertise and support. Our team provides tailored guidance and proactive solutions to help businesses understand, implement, and maintain compliance with the Act's stringent requirements. By partnering with BDO Malta, businesses can enhance their digital defenses and navigate the evolving cybersecurity landscape with confidence.
