Introduction

The CRA is an act and not a directive. Unlike the NIS 2 Directive, it is therefore directly applicable in all EU Member States, meaning that national implementation law is not necessary. However, a transitional period is planned so that market participants have sufficient time to prepare for the new requirements. The European Parliament has already voted in favour of the CRA. The legal act was officially adopted by the Council in October 2024. The final text was published on 20th November 2024 in the Official Journal of the EU and will enter into force 20 days later. The CRA will then be implemented in multiple stages from the end of 2024 to 2027.

The Cyber Resilience Act (CRA) aims to address two issues noted by EU legislators:

  • An inadequate level of cybersecurity inherent in many products, or inadequate security updates.
  • The inability of consumers to determine which products are cybersecure, or how to set them up so that they are protected.

The CRA is intended to safeguard consumers and businesses buying or using products with digital elements (PDEs).

The EU has also issued a standardization request in support of the CRA for products with digital elements.

Scope of the CRA

All products with digital elements (PDEs) in the EU market are divided into four categories:

  • Default products
    • 90% of products
    • Hard drives
    • Smart speakers
  • Important products class I
    • Password managers
    • Operating systems
    • Wearable devices
  • Important products class II
    • Hypervisors
    • Firewalls
    • Intrusion detection systems
  • Critical products
    • Smartcards
    • Hardware security modules
    • Smart meter gateways

The list of products is provided in Annex III and Annex IV.

CRA standardization requests for products with digital elements

Relationship with international standards

Many of the CRA-relevant standards are developed as international standards. Some of these may also be issued as European norms (ENs).

Item (14) in the introduction text states:

There is a large body of existing international standards that are relevant to the scope of this request. Appropriate modes of cooperation between the European Standardisation Organisations, internal cooperation between technical committees, and cooperation with international standardisation organisations should therefore be established to benefit from possible synergies with existing or related European and international standards.

Annex I – Standardization deliverables

A table in this annex lists 41 standardization requests. Those requests that are relevant to the type of cybersecurity standards covered by this site are listed here.

Standardization request 6

European standard(s) and/or European standardisation deliverable(s) on protecting the confidentiality of data stored, transmitted or otherwise processed by a product with digital elements.

Securing confidentiality during transmission requires encryption, which in turn involves symmetric key handling.

Standardization request 7

European standard(s) and/or European standardisation deliverable(s) on programs by a product with digital elements, and its configuration against any manipulation or modification not authorised by the user, as well as reporting on corruptions.

Securing integrity during transmission requires the use of a digital signature during communication establishment and the use of an integrity check value (ICV), also called a message authentication code (MAC), during data transfer.
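As an added illustration (not part of the original page), the following Go code shows how requests 6 and 7 are met together on the data-transfer phase: an AEAD cipher, here AES-GCM, encrypts each record under the symmetric session key and appends an authentication tag that plays the role of the ICV/MAC described above. The record layout, the sequence-number header and the key length are assumptions of the example; the key-establishment step that produces the session key is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Channel protects one direction of a data transfer under a symmetric session key. AES-GCM gives
// confidentiality (request 6) and integrity (request 7) together: its 16-byte tag is the ICV.
type Channel struct {
	aead cipher.AEAD
	seq  uint64 // next sequence number to send or accept; with a fresh key per session it never repeats
}

// NewChannel takes the 16- or 32-byte session key agreed in the key-establishment step (not shown here).
func NewChannel(sessionKey []byte) (*Channel, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Channel{aead: aead}, err
}

// Seal is the sender side: the record on the wire is header || ciphertext || ICV, where the header
// carries the sequence number and doubles as the GCM nonce and as authenticated data.
func (c *Channel) Seal(plaintext []byte) []byte {
	hdr := make([]byte, 12)
	binary.BigEndian.PutUint64(hdr[4:], c.seq)
	c.seq++
	return c.aead.Seal(hdr, hdr, plaintext, hdr)
}

// Open is the receiver side: the sequence number must be the expected one (anything else is a
// reordered or replayed record), the ICV must verify, and only then does the window advance.
func (c *Channel) Open(record []byte) ([]byte, error) {
	if len(record) < 12 || binary.BigEndian.Uint64(record[4:12]) != c.seq {
		return nil, errors.New("missing or unexpected sequence number")
	}
	pt, err := c.aead.Open(nil, record[:12], record[12:], record[:12])
	if err != nil {
		return nil, errors.New("integrity check value mismatch")
	}
	c.seq++
	return pt, nil
}
```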

Standardization request 16

European standard(s) and/or European standardisation deliverable(s) on essential cybersecurity requirements for identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers.

Identity management implies the use of identity management tools, typically public-key certificates within a public-key infrastructure (PKI). Authentication in a communication system where systems communicate without necessarily any human involvement requires digital signatures based on a robust digital signature cryptographic algorithm. For communication between two systems from different vendors, a detailed specification of which digital signature cryptographic algorithm is to be used, and how it is used, is required. The use of passwords, including multi-factor passwords, is not viable in this environment. Access control typically requires the use of attribute certificates, also in a PKI environment.

Typically, in a communication system with communication between systems, also called machine-to-machine (M2M) communication, the combined set of standardization requests 6, 7 and 16 needs to be satisfied by a secure communication system.
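The M2M authentication described under request 16, as an added example (not from the page, and not the X.509 specification's own text): a root CA issues a public-key certificate to a device, and the peer verifies the certificate chain and then the device's digital signature over a fresh challenge, with no password involved. The CA and device names, the Ed25519 algorithm choice and the single-level hierarchy are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl for pub with the issuer's private key; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewPKI builds a constructed two-level PKI (all names made up): a root CA and one device certificate
// whose key usage is limited to digital signatures for client authentication.
func NewPKI() (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, caPub, caKey)
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device-0001"}, NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, issue(devTmpl, ca, devPub, caKey), devKey
}

// SignChallenge is the device side: a digital signature over the peer's fresh nonce, no password involved.
func SignChallenge(devKey ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(devKey, challenge)
}

// Authenticate is the verifier side: the certificate must chain to a trusted root and be valid for
// client authentication, and the signature must verify under the certified key, not a claimed one.
func Authenticate(roots *x509.CertPool, dev *x509.Certificate, challenge, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := dev.Verify(opts); err != nil {
		return false
	}
	pub, ok := dev.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, challenge, sig)
}
```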

Standardization request 24

European standard(s) and/or European standardisation deliverable(s) on essential cybersecurity requirements for public key infrastructure and digital certificate issuance software.

This request is somewhat different from the other requests. PKI is not specified in a European standard; public-key infrastructure (PKI) is already specified in detail by Rec. ITU-T X.509 | ISO/IEC 9594-8, and best practice is already described in Rec. ITU-T X.508 | ISO/IEC 9594-12. These two specifications also include security requirements.

The two specifications are under continuous development. The webmaster is the project editor of these specifications both within ITU-T and ISO/IEC.

Item 24 is listed under vertical standards, but X.509, providing the framework for PKI, is actually a horizontal standard.

The request mentions "digital certificate". There is nothing in PKI called a digital certificate; there are two types of certificates, the public-key certificate and the attribute certificate.