EU Cyber Resilience Act

What is the EU Cyber Resilience Act?

The European Cyber Resilience Act (CRA) is a legal framework outlining the cybersecurity requirements for hardware and software products with digital elements being sold in the European Union market.

The Cyber Resilience Act addresses two significant problems:

  1. Few products with digital elements currently have adequate security measures in place (including provisions for updating them and addressing vulnerabilities as they are discovered).

  2. Consumers lack the understanding of, and access to, information that would let them choose cyber-secure products and use them in a secure manner.

The act aims to safeguard businesses and consumers by introducing mandatory cybersecurity measures that apply throughout the product lifecycle. The CRA improves upon previous initiatives taken at European Union and national levels, including NIS, which only partially addressed cybersecurity risks.

In order to comply with the Cyber Resilience Act, manufacturers must declare conformity with its security mandates (prioritizing security-by-design requirements throughout the product's lifecycle) and provide technical documentation supporting that declaration. In addition, a conformity mark must be added to the product, and any actively exploited vulnerabilities must be reported to ENISA within 24 hours.

Examples of products with digital elements covered under the act

  • End devices: laptops, phones, smart speakers, sensors and cameras, routers, switches, smart robots, industrial control systems

  • Software: firmware, applications, operating systems, video games

  • Components (both hardware and software): software libraries, computer processing units, video cards

Cars, medical devices, in vitro products, and certified aeronautical equipment are exempt, as each is controlled through a separate regulatory framework tailored to that product or industry.

MergeBase and the EU Cyber Resilience Act

As cybersecurity experts, we implement the most robust security standards and will be able to comply with the EU Cyber Resilience Act as and when it applies to us.

How can MergeBase help you comply with the EU Cyber Resilience Act?

If your business must comply with the European Cyber Resilience Act, MergeBase can help.

The CRA mandates that products be "designed, developed, and marketed with a competent level of cybersecurity measures in mind," and that any security incidents or actively exploited vulnerabilities be reported to ENISA within 24 hours of identification. MergeBase's continuous monitoring capabilities and complete DevOps coverage provide round-the-clock insight into potential security issues across your product lifecycle, alerting your team quickly to any problems. (These alerts can be customized to match your internal "known vulnerability policy" if desired.)

The in-platform developer guidance supports your dev team by offering advice on patches and compatibility to speed up the remediation process, while our industry-leading accuracy results in less time wasted chasing false positives.

MergeBase's complete SBOM suite also makes it easier to produce and maintain documentation on your software, and to upload and monitor the software bill of materials for any external software your company uses, improving your security posture.

To learn more, contact the team or start a free trial to test MergeBase for yourself.