Cyber Resilience Act's Entry into Force Makes It an Official Part of Europe's Cybersecurity Regulatory Arsenal
NEWS
On December 10, 2024, the Cyber Resilience Act (CRA) will officially enter into force, following its adoption by the Council on October 10, 2024 and 20 days after its publication in the Official Journal of the European Union on November 20, 2024. The CRA’s purpose is to improve the resilience of Europe’s digital ecosystem and foster greater trust in digital products by mandating that manufacturers, distributors, and importers abide by stringent cybersecurity requirements when bringing Products with Digital Elements (PDEs) to the European Union (EU) market. To ensure their products remain eligible for sale within the EU and to avoid non-compliance fines, organizations must implement the CRA’s requirements in all applicable PDEs within 3 years of its entry into force, that is, by December 10, 2027. Prior to that date, however, the rules governing conformity assessment bodies and some of the manufacturers’ reporting obligations come into effect in June and September 2026, respectively.
With Great Responsibilities, Come Great Opportunities for Digital Trust Vendors
IMPACT
Under the CRA, PDEs encompass all “products with digital elements” made available on the EU market, including both hardware and software products, as well as remote data processing solutions insofar as they are expected or reasonably foreseeable to require a data connection, logical or physical, to a device or network within the CRA’s scope. Given the Act’s wide-ranging material remit, it encompasses various digital trust solutions, including identity management systems and hardware, Public Key Infrastructure (PKI), tamper-resistant microprocessors and microcontrollers, smart meter gateways, and Hardware Security Modules (HSMs), allocating vendor responsibilities according to the risk classification of their products, from “important” to “critical.” In this way, the CRA largely targets Original Equipment Manufacturers (OEMs), complemented by the NIS 2 Directive, which focuses on service provider responsibilities. Further, owing to its broad territorial scope, the CRA applies to all economic operators across the supply chain that plan to sell, distribute, or import PDEs within the EU’s economic borders, extending beyond digital trust vendors based in Europe to all vendors globally that operate economically in the EU.
Yet, despite the new, far-reaching responsibilities that the CRA places on digital trust vendors, the Act simultaneously creates new revenue opportunities for such vendors through the renewed emphasis it places on identities, authenticated software, and strong cryptographic security. Under the cybersecurity requirements outlined in Annex 1, manufacturers are obligated to maintain a Software Bill of Materials (SBOM) detailing the software dependencies and component parts of a given product, which generates demand for software signing tools that authenticate and verify software across the supply chain. Additionally, manufacturers must support their PDEs for a minimum of 5 years after sale, including providing free security fixes and updates. Given the cost of manually updating the many PDEs and their components in the field, Over-the-Air (OTA) software and firmware updates are set to dominate, widening the prospective customer base for digital trust vendors in PKI and in code and software signing. The advantage will lie with those organizations that offer robust firmware update mechanisms, including secure boot, and that provide resilient reset-to-default operations backed by a strong Root of Trust (RoT).
Implementation of the CRA Will Be an Ongoing Process with Foresight Fundamental to Success
RECOMMENDATIONS
To ensure comprehensive compliance with the CRA’s requirements and to capitalize on the opportunities provided by the CRA, digital trust vendors should:
- Begin Their Compliance Journey as Soon as Possible: While the final deadline for implementing the CRA is not until 2027, prioritizing compliance on product roadmaps is key, given the length of development and sales cycles and the requirements that the CRA imposes throughout the development and deployment lifecycle.
- Examine Adjacent Standards to Optimize Implementation: Existing standards, including the BSI’s IT Security Label and the Matter smart home standard, are aligned with the CRA’s requirements, and using them in conjunction with the Act will help clarify action plans for implementation. For example, the BSI IT Security Label details how to construct an SBOM.
- Treat the Process of Compliance as Continuous and Ongoing, Rather Than a Checkbox Exercise: With vendors liable for maintaining the security of all PDEs in the Act’s scope for at least 5 years, vendors should consider how their products and the market are expected to evolve over that period. In particular, the prospect of post-quantum computing will stimulate demand for greater product memory and processing power. At the same time, when promoting digital trust products that ease implementation of the CRA, forward-thinking approaches that integrate post-quantum cryptography, a quantum-resistant RoT, and quantum-secure boot mechanisms will give a competitive advantage to vendors seeking to differentiate their products within the digital trust market.
- Consider the Cost Implications and Ensure Adequate Resources Are Allocated to Support the CRA’s Implementation: While mandatory product updates may enhance sustainability and reduce long-term costs, the continuous nature of CRA implementation means that compliance with the Act will require sustained investment of human, technological, and financial resources. Relying on secure-by-design and secure-by-default development models will inherently maximize product resilience and thus reduce implementation costs in the medium term.