Many new European Union (EU) regulations covering technology and security have been published over the last decade, including the Cyber Resilience Act (CRA). Although the CRA will only come fully into force in December 2027, some reporting obligations will start in September this year.
With only 6 months to go until that reporting deadline, we look at how the CRA differs from other related Acts and Directives, and what organisations in the space sector need to be aware of.
Organisations selling technology-related goods and services in the EU marketplace are having to take account of a raft of Acts and Directives that place requirements on the way they operate and the security of their products. Among these are the Network and Information Security Directive 2 (NIS2), the EU AI Act, the Cyber Solidarity Act, the Critical Entities Resilience Directive and the Cyber Resilience Act (CRA).
The CRA was approved by the European Parliament and Council in October 2024 and will be fully applicable by 11 December 2027. Before then, however, there are a number of milestones for adoption of various elements of the regulation, including a mandatory requirement to report vulnerabilities and significant security incidents to national authorities and the European Union Agency for Cybersecurity (ENISA), starting from 11 September 2026.
Why is the CRA needed?
The CRA applies to all products with digital elements, which are becoming more common in the consumer and business markets. This differentiates it from NIS2, which applies to entities.
There can be security vulnerabilities in any software or hardware, meaning that any product with a digital element is a weak point that cyber criminals can exploit to carry out an attack, and this has become a concern for the EU. In addition, many products are now interconnected, even if they appear to be for standalone use. Products covered by the CRA therefore range from simple toys and components to networked robotic tools, autonomous vehicles and spacecraft.

What does the CRA cover?
According to the European Commission (EC): “The Cyber Resilience Act introduces mandatory cybersecurity requirements for hardware and software products, throughout their whole lifecycle.”
Manufacturers are obliged to ensure that:
- Cybersecurity is taken into account in planning, design, development, production, delivery and maintenance phases
- All cybersecurity risks are documented
- Actively exploited vulnerabilities and incidents are reported
- Vulnerabilities are handled effectively for the duration of the support period
- Clear and understandable instructions are provided for the use of products with digital elements
- Security updates are made available to users for the time the product is expected to be in use
There are four different categories of products covered by the CRA, which ultimately determine whether a product can be ‘self-assessed’ by its manufacturer against specified standards or will need to be assessed by a third party. It’s expected that around 10% of products will fall into the latter group, which is subdivided into Important Products Class I and II, and Critical Products.
The list of products that fall under Class I includes many types of software including operating systems, plus hardware such as routers, switches and microprocessors. Class II products include, for example, firewalls and hypervisors, while Critical Products include hardware devices with security boxes, smart meter gateways and smartcards.
Supply chains can be long and complicated, so it’s essential that manufacturers and developers of software and hardware, including components, know their existing and target client sectors. How a component is going to be used may determine the level of assessment required and it is possible some manufacturers may choose not to sell into certain sectors or to specific organisations where the final product or environment is classified as Critical, to avoid the burden of additional assessment.
Space sector
Some sectors are specifically excluded from the CRA’s remit due to their specialised nature and existing sector-specific regulations. This includes products developed or modified for national security or defence purposes. The CRA does, however, cover the space sector (when not exclusively military).
The main principles addressed in the CRA are cybersecurity by design and cybersecurity by default, and this applies as much in the space sector as elsewhere. For example, payload developers must identify all the threats in the design, including supply chain vulnerabilities and risks through physical access. Everything must be documented and up to date, and there need to be ways to enable security updates for the whole life cycle of the product or for at least 5 years.
Security considerations need to be embedded in every stage of a space programme or mission’s life cycle, from design through development, deployment, operation and decommissioning. In essence, this is no different from all other products covered by the CRA, but with so many companies likely to be involved in the supply chain, space is possibly one of the most complicated sectors in which to ensure full compliance with the new regulation.
Nevertheless, the space industry is almost certainly implementing security by design already and meeting minimum cybersecurity regulations. Organisations may, however, need to introduce some more processes and paperwork because they will need to act on vulnerabilities if they are made aware of them by suppliers and report on any they incur.
It’s important to note that it is the organisation that introduces a product to the EU market – be they manufacturer, distributor or importer – that has responsibility for CRA compliance. Therefore, if a company builds a satellite using modules from outside the EU, they will need to factor that compliance activity into their procedures.
Post-sale requirements
The requirements of the CRA don’t stop once a product has been delivered. Instead, products will need to remain compliant for a period after they are sold.
Under the CRA, companies have to provide security updates for their digital products for a minimum of 5 years or the product’s expected lifetime, whichever is shorter. Technical documentation must be continually updated during the support period as a minimum and, along with declarations of conformity, be available for 10 years after a product has been placed on the EU market.
Manufacturers must report any actively exploited vulnerabilities and severe security incidents to their appointed national Computer Security Incident Response Team (CSIRT) and ENISA within 24 hours. They may then need to provide further information within 72 hours and a final report within 14 days for vulnerabilities or within one month for severe incidents.
They must also inform any impacted users – and, where appropriate, all users – in a timely manner of an actively exploited vulnerability or severe incident and, where necessary, provide details about risk mitigation and any corrective measures that they might deploy to mitigate the impact.
If products are found to be non-compliant, the relevant authorities could insist that they be made compliant, restrict their availability or order that they be withdrawn from the market or even recalled. There may also be financial penalties.
The aim is to ensure swift action to address vulnerabilities and mitigate the impact of security incidents, thereby improving the overall cybersecurity posture of products in the EU market.
Towards a more secure tomorrow
For the space industry, the future EU Space Act will also impact security requirements, with resilience through tailored cybersecurity requirements being one of its three key pillars. But it is likely the EC will want to avoid stifling the EU space sector by introducing another regulation that makes it overly complicated to do business.
The upshot is that while compliance with the CRA is likely to require separate, focused risk assessments and associated changes to products and processes, it is essential that all organisations, including those in, or selling into, the space sector, shift towards seeing cybersecurity as a fundamental part of how they operate.
Find out more
This is an extract from the latest issue of OpenSpace magazine. Subscribe to read other in-depth articles on space weather and civil security from space, plus an interview with the Director of the Spanish Space Agency.
