In our first article, we covered the objectives of the Cyber Resilience Act, identified which organisations will be affected and set out the expected timeline for compliance. If you have not yet had the chance, you can read that article, Approaching the EU Cyber Resilience Act.
In this follow-up article, we dig deeper into the actual requirements of the act, focusing on the essential cybersecurity requirements. The act aims to enforce core security tenets such as confidentiality, integrity, and availability, combined with secure by design and secure by default principles. However, the requirements are not straightforward in terms of implementation and might require certain trade-offs by manufacturers.
While the regulation does account for occasional exceptions, this article primarily addresses the most common scenarios. It is not intended to be an exhaustive or universally applicable guide, but rather a general overview of the act’s technical cybersecurity requirements.
The regulation starts off with the overall expectation that “products shall be designed, developed, and produced in a way that ensures an appropriate level of cybersecurity based on the risks”.