Cyber Resilience Act: What’s changing for mobile devices and applications

A single European regulatory framework for the security of connected digital products.

The Cyber Resilience Act (CRA) introduces, for the first time, a single European regulatory framework for the security of connected products, setting clear obligations for manufacturers, importers and distributors. The aim is to ensure that every piece of software, every device and every mobile application is designed and maintained with adequate security measures, so that vulnerabilities an attacker could exploit are prevented rather than discovered after release.

This regulation marks a significant change in the cybersecurity landscape: it no longer concerns only the protection of IT infrastructure, but extends to those who develop and distribute digital products. The regulation requires manufacturers to adopt a "security by design" and "security by default" approach, with the goals of business continuity, data protection and a reduction of the risks associated with cyber-attacks.

It also imposes stricter controls on applications, requiring companies to review the security of their entire digital ecosystem rather than individual components in isolation.

Compliance with the Cyber Resilience Act is therefore an opportunity to strengthen business resilience and improve the protection of software, devices and mobile applications.

Who does the Cyber Resilience Act apply to?

The CRA applies to hardware and software products that can be connected, directly or indirectly, to a device or a network, including:

  • Software and mobile applications
  • IoT devices
  • Industrial systems and consumer digital products
  • Open-source software distributed for commercial purposes

Products already covered by sector-specific regulation, such as medical devices, motor vehicles and aircraft systems, are excluded from the CRA.

The CRA introduces direct responsibilities for manufacturers, importers, and distributors, imposing rigorous controls on all digital products, including mobile applications, which are often exposed to critical vulnerabilities.

Requirements for producers and distributors of software and mobile applications

For manufacturers

Manufacturers must ensure that what they release, including mobile apps, is delivered without known exploitable vulnerabilities. This requires thorough testing, threat monitoring and proactive vulnerability management. They must also provide security updates for the product's support period and build security in by design. Finally, mobile apps must be protected against attacks such as reverse engineering and API compromise.

For distributors and importers

Distributors and importers must verify that products comply with CRA requirements before placing them on the market. They must review the technical documentation, check that the software has no known exploitable vulnerabilities and confirm that update obligations are met. They must work with vendors to report vulnerabilities and request patches. Finally, they must carry out audits to ensure that security is maintained over time.

Managing vulnerabilities

The CRA requires a structured approach to vulnerability management, based on continuous processes rather than one-off checks. Companies must monitor for vulnerabilities, release updates promptly, and deliver security updates separately from functional updates. Effective measures must be in place to prevent exploitation of known weaknesses. Finally, the resilience of mobile apps must be verified through regular testing.

What will change with the Cyber Resilience Act?

Security by Design and Security by Default

All digital products, including mobile apps, must be developed using the principles of security by design and by default. This approach ensures that protection is built in from the start, reducing the attack surface.

Proactive vulnerability management

Vendors must provide security updates in a timely and transparent manner throughout the product's lifecycle. This includes security patches, kept separate from feature updates where technically feasible, and ongoing monitoring of emerging threats.

Increased transparency and awareness

The CRA promotes greater transparency about the security features of digital products. This allows users to assess the level of protection offered by the software, devices and mobile applications they use.

Compliance with the Cyber Resilience Act means:

  • Compliance with European regulations and a reduced risk of sanctions
  • Increased resilience to targeted attacks and advanced threats
  • More effective control over the security of mobile applications and connected devices
  • A reduced risk of business interruption caused by cyber vulnerabilities

Mobisec supports companies with a CRA Compliance Verification package designed to:

  • Analyse the security of mobile applications against CRA standards
  • Identify critical vulnerabilities in code, APIs and connected services
  • Provide concrete solutions for regulatory compliance

Taking the right approach to the Cyber Resilience Act means turning security into a strategic asset.