Building a Digital Fortress: How the EU Cyber Resilience Act Strengthens Cybersecurity
By Gabriel Panza
The internet is an unpredictable, ever-growing web, and Europe is building its own fortress to protect itself against cyber threats. The EU Cybersecurity Act of 2019 (CSA) was the first legislative catalyst for digitally protecting Europe. The act established the EU Agency for Cybersecurity (ENISA) and created a certification system for secure digital products. Despite this, the CSA had some significant blind spots.
While the CSA was a valuable first step, it proved insufficient to tackle the multifaceted cybersecurity challenges the EU faces. The existing patchwork of national legislation hindered a unified digital market, and the voluntary nature of the certification system resulted in low adoption. This harmed smaller organizations, which became more vulnerable to cyber threats. More importantly, the CSA missed the bigger picture: modern cyber threats are not just about individual products; they are about the inherent systemic vulnerabilities within the digital world. The CSA, in particular, fails to address modern threats that exploit weaknesses across multiple linked devices and systems rather than isolated products.
The Cyber Resilience Act (CRA), adopted in 2024, offers a more comprehensive approach to cybersecurity, addressing the limitations of the previous Cybersecurity Act. Shifting away from a product-centered approach, the CRA focuses on building system-wide resilience by ensuring the security of digital products across their entire lifecycle, from design to disposal. This establishes something of a “secure by design” principle, with the emphasis on eliminating vulnerabilities rather than merely reacting to them. Additionally, the CRA increases transparency by requiring manufacturers to disclose product security features. This allows consumers to make more informed decisions and companies to gain more trust in the digital marketplace. Ultimately, everybody wins under this approach.
Lastly, the CRA emphasizes the importance of risk assessment in helping organizations proactively identify vulnerabilities. For example, manufacturers must give early warnings of vulnerabilities within 24 hours and full notifications within 72 hours. This facilitates quicker responses to potential threats. Additionally, manufacturers must patch these vulnerabilities without delay.
Some criticize the CRA for its potential to ban technology based on misuse and vulnerability rather than on actual harm caused. Moreover, the CRA gives a vague definition of “breach of fundamental rights,” which leaves an unclear line between permissible and prohibited digital technology. Despite these criticisms, the CRA represents a significant leap forward in developing protection against cyber attacks.
The CRA is a game-changer, affecting everyone in the EU, from device manufacturers to software developers to those like us who use digital products daily. In pursuit of an EU digital fortress, it strengthens resilience against ever-evolving cyberattacks across the entire digital product lifecycle. It is not a silver bullet, and challenges remain, particularly concerning its impact on innovation and its implementation. However, the CRA represents a good step forward from the CSA and towards a digitally safer Europe.