March 10, 2025
In today’s digital age, cybersecurity is paramount. The EU Cyber Resilience Act (CRA), formally Regulation (EU) 2024/2847, was adopted by the European Parliament and the Council of the EU in 2024 and entered into force on December 10, 2024. The regulation sets binding cybersecurity requirements for hardware and software products with digital elements and aims to keep them secure throughout their lifecycle. For companies and organizations that need to comply with these requirements, Lucent Sky AVM offers a robust solution.
The CRA requires manufacturers of digitally enabled products, both hardware and software, to meet comprehensive cybersecurity requirements. These include designing, developing, and producing products with security in mind, placing them on the market without known exploitable vulnerabilities, and providing security updates throughout the products’ support period. The goal is to raise the overall cybersecurity posture of products available in the EU market, protect consumers and businesses, and strengthen the security of software supply chains.
“The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society. The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products,” said Margaritis Schinas, Vice-President of the EU Commission. “The Act brings security in everyone’s home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”
The CRA applies to “products with digital elements” (PDEs) that are made commercially available on the EU market. PDEs include standalone software as well as hardware products (and their software) that have a direct or indirect data connection to another device or to a network. This makes the CRA applicable to a broad range of software and devices, such as home appliances, IoT devices, and network equipment, for both consumers and enterprises.
The CRA sorts PDEs into risk categories with different conformity assessment requirements. For products classified as Critical Products or Important Products Class II, manufacturers must have compliance verified by a notified body (an independent third-party conformity assessment body). For Important Products Class I, manufacturers must also use a notified body unless the product fully applies a harmonized standard or common specifications adopted by the European Commission. For products in the Default Category, manufacturers can perform a self-assessment to confirm compliance with the CRA cybersecurity requirements.
The CRA entered into force on December 10, 2024, and its obligations phase in over the following three years, giving companies time to implement the requirements. Most provisions, including the essential cybersecurity requirements and the CE marking rules, apply from December 11, 2027. Some provisions have a more compressed timeline: the obligations to report actively exploited vulnerabilities and severe incidents apply from September 11, 2026.
Failing to meet these requirements can be costly. Companies that do not meet the essential cybersecurity requirements or the reporting obligations can be fined up to €15 million or 2.5% of their worldwide annual turnover, whichever is higher. Member state market surveillance authorities can also require the withdrawal or recall of products from the EU market. Combined with the loss of the CE marking, noncompliant companies and products are effectively shut out of the European market.
The CRA provides two sets of essential requirements, product cybersecurity requirements and vulnerability handling process requirements, as documented in Annex I of the Act. As an application vulnerability detection and remediation solution, Lucent Sky AVM is uniquely positioned to help companies and organizations ensure their products meet these essential requirements.
Automatic vulnerability detection and remediation: Lucent Sky AVM scans source code, binary files, and software components for both known and unknown vulnerabilities, and provides automatic remediation such as Instant Fixes and dependency update guidance to efficiently remove detected vulnerabilities, helping ensure that products are released without known exploitable vulnerabilities.
Integration in the SDLC: Lucent Sky AVM integrates into the software development lifecycle and works natively with common developer tools, enabling developers to identify and remediate security issues early and throughout the development process, an important pillar of the security-by-design principle required by the CRA.
Securing third-party components: Lucent Sky AVM identifies software components and dependencies used by applications, creates software bills of materials, and generates dependency update guidance, helping organizations address newly discovered vulnerabilities and facilitating regular security updates to their products.
Comprehensive reporting: Lucent Sky AVM supports common industry standards such as OWASP Top 10, PCI DSS, and MISRA C/C++, and is certified CWE-Compatible. Digitally signed assessment reports include details of both known and unknown vulnerabilities identified in the products and their risk, as well as software bills of materials, supporting the technical documentation requirements of the CRA (Annex VII) and the SBOM requirement of its vulnerability handling requirements.
Compliance with the EU Cyber Resilience Act is essential for companies looking to market their digitally enabled products in the European Union. By building CRA compliance into the software development lifecycle now, organizations not only ensure that they are market ready for 2027 and beyond but also enhance the security and resilience of their products today.
Lucent Sky offers a comprehensive solution to help organizations efficiently meet the cybersecurity requirements of the CRA and accelerate their software security process. Schedule a call to learn more about how Lucent Sky AVM can help your organization achieve CRA compliance efficiently.