November 20, 2024
The Cyber Resilience Act is now published in the EU’s Official Journal. So, what about RED?
Written by: Geir Hørthe
Today marks a significant milestone in the journey towards enhanced cybersecurity across the European Union.
The Cyber Resilience Act (CRA), a cornerstone regulation designed to strengthen the digital landscape, has officially been published in the EU's Official Journal. This development sets the stage for the regulation’s implementation, shaping the future of cybersecurity for manufacturers, service providers, and consumers alike.
The requirements of the CRA will become mandatory in late 2027, but note that cybersecurity for many wireless products becomes mandatory as early as Aug ’25 (see last paragraph).
What is the Cyber Resilience Act?
The Cyber Resilience Act is the EU’s ambitious response to the rapidly evolving cybersecurity challenges that come with digital innovation. Its primary goal is to ensure that hardware and software products placed on the EU market are designed and developed to minimize cybersecurity risks. It also emphasizes the need for secure products throughout their lifecycle, requiring manufacturers to actively maintain cybersecurity standards post-market introduction.
Key highlights of the CRA include:
- Mandatory cybersecurity requirements for digital products and services.
- Improved transparency through labeling and documentation.
- A robust framework for addressing vulnerabilities in real time.
You can explore the full text of the regulation in the Official Journal here.
Why Does This Matter?
The CRA sets a precedent by introducing cybersecurity obligations that align with a product’s entire lifecycle. For businesses, this means re-evaluating existing development processes, supply chains, and compliance strategies. For consumers, it signifies greater confidence in the security of the digital products they use every day.
For industries, particularly those working with physical products such as IoT devices, or with software development, this regulation represents both a challenge and an opportunity. Adapting to these new requirements will not only ensure compliance but also offer a competitive edge in an increasingly security-conscious market.
What This Means for Cybersecurity Certification
While the CRA doesn’t mandate specific certification schemes, its emphasis on conformity and compliance naturally ties into the role of cybersecurity certifications. Certifications provide a clear path for organizations to demonstrate their commitment to security, both in product development and ongoing maintenance.
As a company actively involved in cybersecurity assessments, we recognize the importance of informing and supporting stakeholders as they navigate the implications of this regulation. Our focus is on fostering a secure digital ecosystem through transparency, collaboration, and adherence to international standards.
Looking Ahead
The publication of the CRA in the Official Journal is just the beginning. With implementation timelines now in motion, businesses across the EU will need to prepare for compliance and adapt their processes to meet the new requirements. It’s an exciting time for those of us in the cybersecurity field, as we work together to meet the challenges and opportunities this regulation presents.
But wait, what about RED?
Mandatory cybersecurity does not wait for the CRA! The Radio Equipment Directive introduced mandatory requirements for most connected wireless products, effective as early as 1 Aug 2025!
The standard chosen for these requirements is EN 18031, which is now widely used in Europe in the race to make all relevant products comply in time. When the CRA becomes mandatory in late 2027, the cybersecurity requirements of RED will be removed, as they are replaced by the CRA, which has a much wider scope.
Stay tuned for more updates and insights as the CRA moves from publication to full implementation.
And if you need assistance, book a free meeting.
Geir Hørthe
Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...