What is the European Cyber Resilience Act (CRA)?

Caner Bulut

Founder & CEO

18.04.2025

The European Cyber Resilience Act (CRA) is a legal framework that defines cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union.

With this regulation, manufacturers are now obligated to take cybersecurity seriously throughout the entire lifecycle of a product.

Digital hardware and software products are among the most common targets for successful cyberattacks.

In an interconnected environment, a cybersecurity incident in a single product can rapidly affect an entire organization or supply chain, and even spread beyond internal market borders within minutes.

Before the CRA, different regulations and initiatives at the EU and national levels only partially addressed cybersecurity-related issues and risks. This created a fragmented and complex legislative landscape within the internal market.

This fragmented structure led to legal uncertainty for both manufacturers and users, and placed an unnecessary burden on companies to comply with multiple, often overlapping, requirements for similar product types.

The Cyber Resilience Act aims to provide a comprehensive approach to address these problems by ensuring clarity and consistency in cybersecurity regulation.

The Borderless Security Risks of Digital Products

The cybersecurity of digital products has a strong cross-border dimension, as products manufactured in one country are often used by organizations and individuals across the European Union.

The CRA addresses two major problems:

  1. The low level of cybersecurity in products with digital elements

    This is reflected in widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them.

  2. Lack of user awareness and access to information

    Users often cannot assess or compare the cybersecurity properties of products, nor use them securely due to insufficient information.

Under certain conditions, any product with digital elements—whether integrated into or connected to a broader electronic information system—can serve as an attack vector for malicious actors.

As a result, even hardware and software considered less critical may serve as entry points for compromising a device or network, enabling attackers to gain privileged access or move laterally across systems.

Examples of Products with Digital Elements

End-user devices:

  • Laptops
  • Smartphones
  • Sensors and cameras
  • Smart robots
  • Smart cards
  • Smart meters
  • Mobile devices
  • Smart speakers
  • Routers
  • Switches
  • Industrial control systems

Software products:

  • Firmware
  • Operating systems
  • Mobile applications
  • Desktop software
  • Video games

Hardware and software components:

  • Central processing units (CPUs)
  • Graphics cards (GPUs)
  • Software libraries

Examples of Cyberattacks Exploiting Security Vulnerabilities in Digital Products

Pegasus Spyware:

An advanced spyware that exploited vulnerabilities in mobile phones to infiltrate devices without users’ knowledge. It gained access to private messages, cameras, and more.

WannaCry Ransomware:

A global ransomware attack that exploited a vulnerability in the Windows operating system, affecting tens of thousands of computers in over 150 countries. It locked users out of their systems and demanded ransom payments.

Kaseya VSA Supply Chain Attack:

An attack via Kaseya’s network management software, which impacted over 1,000 companies through a malicious software update disguised as legitimate.

These examples demonstrate that security vulnerabilities in digital products can affect not only individual users but also organizations and global supply chains.

Conclusion

The security of digital products is not just a technical requirement but a critical aspect of user trust, corporate reputation, and legal compliance.

The Cyber Resilience Act imposes a responsibility on manufacturers to build a more secure and transparent digital ecosystem.

At Girin, we take this responsibility seriously. We prioritize cybersecurity across all our software and hardware components, ensuring protection throughout every stage of a product’s lifecycle.

We are diligently working to fully comply with international regulations like the CRA, with the goal of ensuring customer safety and contributing to a more secure and sustainable digital world.