Site Search

Menu

Insights

Menu

Asset Management

Menu

EU Funding

Menu

PwC's Short Reads

Menu

Sustainability

Menu

Tax & Legal

Menu

Technology

Menu

Transportation & Logistics

Featured

Malta Annual review 2023 - Explore our Key Performance Indicators

Performance of the Economy

Menu

Careers

Menu

Graduate & Experienced Careers

Featured

Student Opportunities at PwC Malta

Our People at PwC

Menu

About us

Menu

Doing Business in Malta

Menu

Our Purpose, Values and Culture

Featured

Malta Annual Review 2023 - Building on a strong foundation

Have you subscribed to our latest Thought leadership?

Loading Results

The Cyber Resilience Act
Cyber Resilience Act
  • Publication
  • April 18, 2024

What is the Cyber Resilience Act?

With cyber security being at the forefront of this rapidly evolving digital landscape, the EU has emphasised the importance of improving overall cyber security to safeguard products with digital elements (both hardware and physical) against cyber threats. As a result, the European Commission has published a draft of the Cyber Resilience Act (CRA) which is the first ever EU-wide legislation introducing unified cyber security requirements for manufacturers and developers of products with digital elements, covering both hardware and software.

To ensure the goal of the legislation is met, compliance with cyber security requirements and practices will be required for in-scope products with digital elements. This legislation aims to enhance cyber security maturity across the entire product lifecycle, from development to decommissioning, by enforcing obligations on companies to conduct risk and vulnerability assessments and ensure continuous deployment of security updates for their digital products falling within the legislation's scope.

Cyber security

Who will be impacted by the Cyber Resilience Act?


Both EU and non-EU companies manufacturing or selling products with digital elements in the European market will be affected by the CRA, which mandates enhanced cyber security measures throughout the entire lifecycle of their products.

Which products are affected by the EU Cyber Resilience Act?

The scope of the CRA includes “products with digital elements whose intended or reasonably foreseeable use involves direct or indirect logical or physical data connection to a device or network”.  Here are some examples of products with digital elements:

Hardware

Software

  

Smartphones

Operating Systems

  

Laptops

Password Managers

  

CPUs

Photo Editing 

  

Routers

Audio and Video Editing

  

Switches

Word Processing

  

Firewalls

Anti-virus / Anti-Malware

  

Hard Drives

Endpoint Protection

  

Microcontrollers 

Games

  
Digital elements

What are the categories of products affected by the EU Cyber Resilience Act?


Critical Class “I”

Products that provide functions critical to the cyber security of other products or provide functions significantly affecting a large number of other products belong in this category. Examples of products belonging to this category cited in Annex III of the CRA are:

  • Standalone and embedded browsers;

  • Password managers;

  • Mobile device management software;

  • Physical network interfaces.

Critical Class “II”

Products that provide both a critical cyber security function and significantly affect a larger number of products that belong in this category.  Examples of products belonging to this category cited in Annex III of the CRA are:

  • Operating systems for servers, desktops, and mobile devices;

  • Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments;

  • Public key infrastructure and digital certificate issuers;

  • Firewalls, intrusion detection and/or prevention systems intended for industrial use.

Default Category

It comprises 90% of the products covered by the legislation, these items with digital elements hold basic security relevance, encompassing common consumer electronics like smartphones or laptops. Products not classified as Critical Class I or Class II are included in this category.

What products are exempted from the EU Cyber Resilience Act?

Products that are required to comply with current EU cyber security regulations are exempt from the EU Cyber Resilience Act. Here are a few examples of the existing EU cyber security regulations that fall under this exemption:

  • (EU) 2017/745 for Medical Devices;

  • (EU) 2019/2144 for Motor Vehicles;

  • (EU) 2018/1139 for Products affected by Aviation Rules;

  • Directive 2014/90 EU for Marine Products.

Cyber security regulations


When will the CRA be released and enforced?


Scheduled for official release this 2024, this act will undergo phased implementation starting in 2025, culminating in full applicability by 2026. Oversight and enforcement will be conducted by authorities within EU member states and by the European Union Agency for Cybersecurity (ENISA).

What are some key obligations that Companies should prepare for under the EU Cyber Resilience Act?

Manufacturers and developers of products with digital elements, covering both hardware and software, will be required to comply with the legislation by following certain cyber security requirements which aim to improve the overall cyber security to safeguard products with digital elements against emerging cyber threats. Here are some of the key obligations that companies can expect under the CRA, including but not limited to the following:

Mandatory Risk Assessments

Throughout the product development process and its lifecycle, there will be a mandatory requirement to conduct comprehensive risk assessments. This would include evaluating and mitigating cyber security risks associated with the product across its entire lifecycle.

Vulnerability Management

Companies are expected to deliver products that are secure from known vulnerabilities. This requires implementing vulnerability management practices to promptly identify and address security weaknesses.

Security Updates

It is required to provide free security updates following the product's release, meeting customer expectations. This will be crucial for ensuring that products remain resilient against emerging threats.

Compliance

Adhering to the act may require meeting standardised requirements, such as those outlined in IEC 62443, or engaging external auditing authorities, depending on the product's risk classification.
< Back

< Back
[+] Read More

Given the global significance of the European market, it is anticipated that the CRA will influence the cyber security of products worldwide. As products with digital elements become subject to the CRA in the European market, growth in overall cyber security maturity across the product life cycle is expected which is aimed at benefiting both companies and customers.

How can we help?

At PwC Malta, Our Cyber Security team is made up of a pool of resources with local and international experience in Cyber Security Governance, Risk and Compliance (GRC), Cyber Strategy and Technology Consulting, Threat and Vulnerability Management, Penetration Testing and Red Teaming, and Threat Intelligence. Our team is knowledgeable in the best practices in these domains, has experience working in both public and private sectors, and is supported by specialists with digital, audit and business skills and experience.

For more information visit our webpage or reach out to our Cyber Security team leaders below.

Contact us

Michel Ganado

Michel Ganado

Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Linkedin Follow Email
Andrew Schembri

Andrew Schembri

Digital Services Partner, PwC Malta

Tel: +356 79211355

Linkedin Follow Email
Kirsten Cremona

Kirsten Cremona

Senior Manager, Digital Services, PwC Malta

Tel: +356 7975 6911

Email
John Napier

John Napier

Lead Offensive Security Consultant, Advisory, PwC Malta

Tel: +356 2564 4219

Email
Follow us
Today's Issues Cyber Security Data & Analytics Environmental, Social & Governance Risk & Regulation Technology Upskilling Where next for all sectors?
Services Advisory Audit & Assurance Digital Services Finance and Corporate Managed Services PwC's Academy Risk & Regulation Tax & Legal Other
Sectors Asset Management Banking Gaming Insurance Manufacturing Local Family Business Private Clients
Insights Asset Management Banking EU Funding Financial Crime Gaming General IFRS Insurance Malta Budgets Local Family Business PwC's Short Reads Sustainability Tax & Legal Technology Transportation & Logistics VAT Workforce
Careers Graduate & Experienced Careers Opportunities for Expatriates Student Careers
About us Annual Review Code of Conduct Corporate Responsibilities Doing Business in Malta Diversity at PwC Events Human Rights Statement Our Purpose, Values and Culture Our Offices PwC's Alumni Programme PwC NextGen The Hub Third Party Code of Conduct

© 2019 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.