Improving the Safety and Security of Digital Products Made Available in the European Union - Understanding the European Cyber Resilience Act (CRA)

"Cyber threats evolve fast, they are increasingly complex and adaptable. To make sure our citizens and infrastructures are protected, we need to think several steps ahead, Europe's resilient and autonomous Cybersecurity Shield will mean we can utilise our expertise and knowledge to detect and react faster, limit potential damages and increase our resilience. Investing in cybersecurity means investing in the healthy future of our online environments and in our strategic autonomy."

Thierry Breton, European Commissioner for the Internal Market 

The emergence of new AI technologies, advancements in connectivity and cultural developments, such as the transformation of remote work since Covid-19 have changed the cybersecurity landscape for good. An increasing number of individuals, businesses and even governments are targeted for different types of cyber threats. According to the latest estimation, the number of connected devices is forecasted to rise to 32 billion by 2030 globally. At the same time 1 in 8 businesses have already been impacted by cyberattacks and cybercrime is estimated to cost the world $10.5 trillion annually by 2025. It is against this backdrop that the European Parliament has recognized the need for stricter and more standardized cybersecurity requirements to better protect consumers and businesses. The European Parliament approved the new Cyber Resilience Act (CRA) in March 2024 and once it completes the full legislative process, it’s expected to formally be adopted by middle/late 2024.  

What is the Cyber Resilience Act (CRA)?  

The EU Cyber Resilience Act is a legal framework that requires manufacturers of hardware and software products with digital elements (PDEs) that are made available in the European Union to have a unified and thorough approach to cybersecurity throughout the product’s lifecycle. Failing to do so can result in fines and penalties up to €15 million or 2.5% of the organization’s global annual turnover for the previous fiscal year, whichever is greater.  

While the law is expected to be ratified in 2024, the enforcement date of compliance requirements will follow up to 36 months later, depending on the requirement.  

What Types of Products Need to be Compliant with the European Cyber Resilience Act?  

The CRA has a very broad scope, covering any product with digital elements (PDE), regardless of whether that digital element is the product's primary function. This includes and is not limited to:  

• Internet-connected devices (IoT)  
• Operational technology like industrial control systems  
• Smart appliances and consumer electronics   
• Toys and childcare products with digital elements  
• General purpose computing hardware and software  
• And potentially even components like semiconductor chips  

There are a few exceptions for exceedingly low-risk items, but those are few and far between. The vast majority of products containing even minimal digital capabilities are covered by the CRA. The CRA also includes free and open-source software (FOSS) within its scope, albeit with differing requirements and specifications that are yet to be clarified in detail. The Qt Group is following the developments closely and will assess its FOSS CRA compliance as more information emerges. 

 What Obligations Does the CRA Impose?  

The CRA is a broad legislative framework, however some of the highlights in terms of obligations include:   

• The CRA sets up a classification structure for products and different compliance structures depending on how critical the product is determined to be; 
• Requirements for carrying out conformity assessments on products with digital elements;  
• Requirements for implementing cybersecurity measures such as record-keeping requirements, and vulnerability and incident handling requirements on products with digital elements  

Qt Group Compliancy with the EU CRA 

The Qt Framework and other products provided by Qt Group are likely to be impacted by the legislative changes. Qt Group is actively working on assessing, monitoring and implementing CRA requirements, with a focus on updates to product offering, product life cycle and required support processes. We remain committed to partnering with our customers to enable the continued compliant use of all our products across a variety of markets and geographies.   

Please follow the “cybersecurity” tag in the Qt Group blog for further updates.