The Cyber Resilience Act (CRA) has been officially adopted by the European Union and heralds a new era of cybersecurity regulation for those companies that manufacture or sell products with digital components in the EU.
This groundbreaking legislation is due to come into force in 2024, with a transitional period until 2027, by which time companies must be fully compliant with the strict requirements. The aim is to improve the security of digital products, both hardware and software, from the basic design through to updates.
The CRA is responding to the sharp rise in increasingly sophisticated cyber attacks. With cybercrime costing businesses billions each year and incidents involving vulnerable digital products on the rise, this law is a global first in the regulation of cybersecurity standards and a long-awaited step towards a more secure digital landscape.
What does the CRA mean for companies?
For companies that produce or sell in the EU, compliance with the CRA must not be neglected. The law prescribes several steps that companies must take to ensure that their products comply with cybersecurity standards.
The CRA is not just a set of guidelines; the law has bite. Companies that fail to comply face severe penalties, including fines of up to €15 million or 2.5 percent of global turnover, whichever is higher. These financial consequences and potential reputational damage underline the seriousness with which the EU is approaching digital security.
Preparation is everything
Businesses can start preparing now – implementing cybersecurity policies, establishing robust incident response procedures and adapting to the standards of the law will take time and investment. With cyber threats on the rise, early compliance could not only prevent penalties, but also boost consumer and partner confidence in an increasingly security-conscious marketplace.
The Cyber Resilience Act is an important step towards creating a more secure digital environment. At the same time, it challenges companies to improve their processes and take a proactive approach to cybersecurity. It is no longer just about complying with regulations. Rather, the goal should be to stay one step ahead of cyber threats to protect customers, data and brand reputation.
As this legislation takes shape, companies that embrace these changes early are likely to be better positioned in the highly competitive digital market.
Suzanne Button, Field CTO EMEA and security expert, Elastic