NIS 2, CRA and CSA explained

Overview of NIS 2, the Cyber Resilience Act (CRA) and the Cybersecurity Act (CSA). Covers the scopes, objectives and connections between the EU’s main cyber regulations.

Cyber Resilience Act (CRA): security for connected products

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is an EU regulation that focuses on the cybersecurity of products with digital elements. Its scope covers hardware and software products whose intended or reasonably foreseeable use involves a direct or indirect data connection to a device or network, from Internet of Things (IoT) devices to standalone software, with exclusions for products already covered by sector-specific EU law such as medical devices, motor vehicles and aviation. The CRA aims to introduce essential cybersecurity requirements for such products, to obligate manufacturers to consider security throughout the entire product lifecycle (including vulnerability handling and security updates during the support period), and to create a harmonized legal framework for product cybersecurity across the EU.

The CRA establishes a conformity assessment system that extends the existing CE marking rules and, among other things, allows certification under the Cybersecurity Act to be used as evidence of conformity. In this context, Article 27 provides that products for which an EU statement of conformity or a certificate has been issued under a European cybersecurity certification scheme adopted pursuant to the Cybersecurity Act are presumed to meet the essential cybersecurity requirements of Annex I of the CRA, insofar as the statement or certificate, or parts of it, covers those requirements. The presumption is only as wide as the scheme's coverage: a certificate that does not address, for example, the vulnerability-handling requirements gives no presumption for them.

Furthermore, Article 8 empowers the Commission to adopt delegated acts specifying which of the critical products with digital elements listed in Annex IV must obtain a European cybersecurity certificate under the Cybersecurity Act at assurance level at least “substantial”. For those products, CSA certification therefore becomes mandatory rather than voluntary.

Cybersecurity Act (CSA): EU-wide certification

The Cybersecurity Act (CSA, Regulation (EU) 2019/881) both strengthens the mandate of the EU Agency for Cybersecurity (ENISA) and establishes a framework for European cybersecurity certification schemes. It applies to ICT products, services and processes and defines three assurance levels: “basic”, “substantial” and “high”. Certification under the CSA is voluntary unless Union or Member State law makes it mandatory, as the CRA does for certain critical products. The first scheme adopted under the framework is the EUCC, a Common Criteria based scheme for ICT products; further schemes, for example for cloud services, have been in preparation.

The main objectives of the CSA are to create an EU-wide certification framework for cybersecurity that replaces fragmented national schemes with certificates recognized in all Member States, to strengthen trust in certified products and services, and to promote a higher level of cybersecurity across the EU.

The CSA plays a supporting role in implementing both NIS 2 and the CRA. Under NIS 2 (Article 24), Member States may require essential and important entities to use ICT products, services and processes certified under a European cybersecurity certification scheme in order to demonstrate compliance with their risk-management obligations. Under the CRA, a CSA certificate gives a presumption of conformity with the essential requirements (Article 27) or is mandatory for certain critical products (Article 8). Certification therefore provides competent authorities with evidence of compliance, but it does not replace the organizational obligations of NIS 2 or the manufacturer obligations of the CRA that the scheme does not cover.

Connections and differences between NIS 2, CRA and CSA

While NIS 2 (Directive (EU) 2022/2555) focuses on the security of essential and important entities in critical infrastructures and sectors, imposing risk-management and incident-reporting obligations on organizations, the CRA targets the security of products with digital elements and places its obligations on manufacturers, importers and distributors. The CSA establishes an overarching certification framework that both can draw on. Note the difference in legal nature: NIS 2 is a directive that Member States transpose into national law, whereas the CRA and the CSA are regulations that apply directly.

All three instruments complement each other: NIS 2 strengthens cybersecurity at the organizational level in critical sectors, the CRA addresses the security of the products those organizations buy and deploy, and the CSA provides the framework for assessing and certifying that security.

Outlook and conclusion

NIS 2, the CRA and the CSA together form a comprehensive regulatory framework to strengthen cybersecurity in the EU. Although their scopes sometimes overlap, they address different aspects of cybersecurity. Companies and organizations should determine for each instrument whether they are in scope (as an essential or important entity under NIS 2, as a manufacturer, importer or distributor under the CRA, or as a provider or user of certified ICT products under the CSA) and monitor all three to develop and implement a holistic cybersecurity approach.

Which requirements apply to your company?

NIS 2, the CRA and the CSA affect companies at different levels: organization, products and certification. We help you classify the relevant requirements and derive concrete next steps for products, processes and evidence.