Cyber Resilience Act: Why the CRA doesn’t work without System Hardening

Like many other regulations, the Cyber Resilience Act is very extensive and complex. There is one essential measure you absolutely must not forget when implementing it.

Secure products – right from the factory

You’ve probably already heard of the European Union’s Cyber Resilience Act (CRA). Perhaps you’re thinking, “Not another cybersecurity regulation!” or “I hope the Cyber Resilience Act doesn’t affect me!”

But let’s be honest: It’s not very helpful to bury your head in the sand. There are already numerous IT security laws, standards, and regulations … and there will certainly be more to come. This is understandable: the world is becoming increasingly connected and therefore more vulnerable, so strengthening the resilience of nations and individual companies as much as possible is essential.

The Cyber Resilience Act addresses precisely this need. It was signed on October 23, 2024, and entered into force on December 10, 2024. Most of its obligations apply after a transition period, from December 11, 2027; the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from September 11, 2026.

“All products sold in the EU that contain digital elements must comply with the requirements of the CRA. This includes not only low-cost consumer products but also B2B software and complex high-end industrial systems,”

… explains the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik / BSI). The aim is to make digital products sold to both individuals and businesses significantly more secure. And we think that’s a good thing!

What is the most important principle of the CRA?

“Secure by Default” is no longer just a “nice to have”! Until now, the burden of security rested almost exclusively on the end user. Anyone buying a device often had to delve deep into configuration menus to painstakingly correct insecure factory settings. The Cyber Resilience Act is forcing a paradigm shift: Manufacturers are legally obligated to ship products with a secure configuration.

BSI defines this as follows:

“According to the configuration principle ‘Secure by Default,’ the default settings of networked products must contribute to increasing their security, e.g., by prohibiting weak default passwords, by automatically installing security updates, etc.”

This also tightens the liability of companies that place software and hardware on the market. The CRA does not create a liability regime of its own, but its preamble (Recital 31) spells out how the existing Product Liability Directive applies to digital products, and in particular to missing security updates. The European Parliament and the Council state:

“That Directive sets out liability rules for defective products so that injured persons can claim compensation when a damage has been caused by defective products. It establishes the principle that the manufacturer of a product is liable for damages caused by a lack of safety in their product irrespective of fault (strict liability). Where such a lack of safety consists in a lack of security updates after the placing on the market of the product, and this causes damage, the liability of the manufacturer could be triggered.”

How can the stringent CRA requirements be implemented?

The Cyber Resilience Act sets out several guidelines. For example, Recital 38 states:

“In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential cybersecurity requirements should be set out for such products. Those essential cybersecurity requirements, including vulnerability management handling requirements, apply to each individual product with digital elements when placed on the market [..]”

The essential cybersecurity requirements in Annex I of the regulation then spell out what this means in practice. Among other things, products with digital elements must …

✅ be provided without known exploitable vulnerabilities.

✅ be launched with a secure default configuration.

✅ protect the confidentiality of stored, transmitted, or otherwise processed personal or other data.

✅ be designed, developed, and manufactured in such a way that they offer the smallest possible attack surface – even at external interfaces.

✅ ensure that vulnerabilities can be addressed through security updates, including automatic updates that are enabled by default where applicable.

All manufacturers must also provide comprehensive technical documentation of how they ensure the security of their products. This includes the cybersecurity risk assessment, the security concept, and a software bill of materials (SBOM) in a commonly used, machine-readable format that covers at least the product’s top-level dependencies.

What does all this have to do with System Hardening?

The CRA doesn’t explicitly mention System Hardening. However, many of the requirements it lists are standard hardening measures, for individual applications as well as for large IT landscapes. The goal is always to reduce the attack surface significantly and continuously. This is achieved, among other things, by disabling unnecessary services and interfaces, enforcing strong authentication and password policies, replacing insecure default settings with secure ones, and keeping systems patched and configured at the state of the art.

This means that by securing your systems according to current standards like the CIS Benchmarks, you create a solid foundation for complying with the Cyber Resilience Act. And that’s not all! Standards like ISO 27001, the NIS2 Directive, and industry-specific regulations like DORA require very similar measures to those of the CRA.
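To make the “secure default configuration” requirement concrete, here is an added example (not part of the original article, and not quoting any CIS Benchmark edition or the CRA text): a small POSIX shell check in the style of a benchmark control, run against an OpenSSH sshd_config. The five settings and their expected values are this example’s own assumed baseline, and the two configuration files are constructed for the demonstration. The check reports each deviation, including the case a pure grep misses: a setting that is not configured at all and silently falls back to the compiled-in default.

```shell
#!/bin/sh
# Added example: a minimal configuration audit in the style of a CIS Benchmark
# control check, applied to an OpenSSH sshd_config. The five controls and their
# expected values form this example's own small baseline (an assumption), not a
# quotation of any benchmark edition or of the CRA.

# Baseline: one "Keyword expected_value" pair per line.
BASELINE='PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4'

# effective_value FILE KEYWORD
# Prints the value of KEYWORD in FILE. Like sshd itself, the first non-comment
# occurrence wins. Keyword matching is case-insensitive, so the same function
# works on a hand-written sshd_config and on the lowercased output of `sshd -T`.
effective_value() {
  awk -v k="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# check_sshd FILE
# Prints one "FAIL ..." line per control that does not meet the baseline and a
# final "SUMMARY n of total controls failed" line. Always exits 0 so it can be
# called under `set -e`; the caller reads the summary line.
check_sshd() {
  file="$1"
  failed=0
  total=0
  while read -r key want; do
    [ -n "$key" ] || continue
    total=$((total + 1))
    got=$(effective_value "$file" "$key")
    # A keyword that is not set at all falls back to the compiled-in default.
    # That default is not a verified secure setting, so count it as a failure.
    if [ -z "$got" ]; then
      got='(unset)'
    fi
    if [ "$got" != "$want" ]; then
      printf 'FAIL %s: got %s, want %s\n' "$key" "$got" "$want"
      failed=$((failed + 1))
    fi
  done <<EOF
$BASELINE
EOF
  printf 'SUMMARY %s of %s controls failed\n' "$failed" "$total"
}

# Two constructed sshd_config files: a typical permissive "factory" setting
# and the hardened version of the same file.
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
# constructed: insecure factory configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
EOF

cat >"$HARDENED_CFG" <<'EOF'
# constructed: the same file after hardening
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
EOF

echo "== weak factory configuration =="
check_sshd "$WEAK_CFG"
echo "== hardened configuration =="
check_sshd "$HARDENED_CFG"
```

On a live host, audit the effective configuration rather than the file: `sshd -T` (usually run as root) resolves Include directives and prints the values the daemon actually uses, in lowercase; because the keyword match is case-insensitive, that output can be fed to `check_sshd` unchanged. The commented-out `#PermitEmptyPasswords no` line in the weak file is the instructive case: a grep for “PermitEmptyPasswords no” would appear to pass, while the setting is in fact left to the compiled-in default.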

With a professional and sustainable System Hardening, you can meet multiple requirements of various cybersecurity laws and regulations at once.

Conclusion

The Cyber Resilience Act provides a comprehensive regulatory framework designed to strengthen the cybersecurity of products with digital elements. Because manufacturers are obligated to deliver their hardware and software portfolios “Secure by Default” and to manage vulnerabilities throughout the entire product lifecycle, System Hardening and Secure Configuration are key elements for minimizing the attack surface and meeting these obligations.

Do you have any further questions?

Would you like to learn more about System Hardening? Or would you like to find out how you can professionally implement System Hardening in your company using tools like AuditTAP and Enforce Administrator? Contact us!

💬 Get in touch!

Image: Freepik
