The CRA: Strengthening Cybersecurity Across the EU
Cyber Resilience Act (CRA) is a pivotal European regulation, enhancing cybersecurity standards for digital products. This legislation aims to safeguard users and businesses from cyber threats, ensure market competitiveness, and foster innovation in the cybersecurity field. In this article, we delve into the CRA’s essential features, its advantages and potential challenges, and the implications for manufacturers and distributors of digital products. Discover how the CRA aims to fortify digital security and resilience throughout the European Union.
2024 Articles Cyberculture Legal information
October 7, 2024
2024 Articles Cyberculture
September 9, 2024
2024 Cyberculture
August 25, 2024
2024 Cyberculture
August 17, 2024
2024 Cyberculture
August 13, 2024
2024 Cyberculture
August 13, 2024
2024 Cyberculture
August 6, 2024
2024 Cyberculture DataShielder
July 16, 2024
Stay informed with our posts dedicated to Cyberculture to track its evolution through our regularly updated topics.
Explore our Cyberculture section for detailed information on the Cyber Resilience Act CRA, authored by Jacques Gascuel, a pioneer in contactless, serverless, databaseless sensitive data security solutions. Stay up to date and secure with our frequent updates.
The Cyber Resilience Act: a European regulation to strengthen the cybersecurity of digital products
The Cyber Resilience Act (CRA) is a European regulation that imposes cybersecurity standards on digital products. It aims to protect users and businesses from cyber threats, harmonise the digital internal market and support innovation in cybersecurity. In this article, we’ll walk you through the key features of the CRA, its pros and cons, and its implications for manufacturers and distributors of digital products.
Introduction au Cyber Resilience Act (CRA)
The EU proposed the Cyber Resilience Act in 2022 to set uniform safety standards for products with digital components, such as internet-connected devices, software and online services. These products can be exposed to cyberattacks that affect their availability, integrity and confidentiality. The CRA aims to protect users and businesses from these risks, by requiring common rules for market entry and cybersecurity measures throughout the product lifecycle. It also establishes a CE marking system to indicate compliance with cybersecurity standards. Moreover, the CRA distinguishes critical products, which have higher obligations according to their level of criticality. The CRA is part of the 2020 EU Cybersecurity Strategy, which seeks to enhance the EU’s collective resilience against cyber threats and foster a secure and trustworthy digital environment for all.
The CRA was approved by the Council and the Parliament in november 2023, and will enter into force in 2024, 20 days after its publication in the Official Journal of the EU. However, it will not be applicable until 2027, to allow a transition period for existing products and software. Moreover, the CRA will be revised every five years, to adapt to technological developments and stakeholder needs.
In this subject, we will explain the main provisions of the CRA, its pros and cons, and its impact on the digital market and society. So,the CRA aims to increase the security and resilience of digital systems in the EU, by imposing strict and binding requirements for the design, development and maintenance of digital products. It also introduces a CE marking system for digital products, ensuring their compliance with established cybersecurity standards.
Strengthening the EU’s Cybersecurity Framework: The Provisional Agreement on the Cyber Resilience Act
A Milestone for a Secure Digital Single Market
The Council presidency and the European Parliament have struck a landmark agreement on the proposed Cyber Resilience Act (CRA), taking a major step forward in fortifying the European Union’s cybersecurity landscape. This critical legislation outlines EU-wide cybersecurity requirements for digital products, addressing the urgent need for a harmonized approach to securing connected devices before they reach consumers.
Hailed as a crucial step by Spanish Minister of Digital Transformation José Luis Escrivá, the agreement emphasizes the essential need for a basic cybersecurity level for all connected devices sold within the EU, ensuring robust protection for both businesses and consumers.
Key Features and Amendments of the Agreement
The provisional agreement preserves the core principles of the European Commission’s proposal, focusing on several key areas:
- Rebalancing Compliance Responsibility: Manufacturers now take primary responsibility, handling tasks like risk assessments, conformity declarations, and cooperation with authorities.
- Vulnerability Handling: The agreement mandates processes for manufacturers to ensure ongoing cybersecurity and outlines specific obligations for importers and distributors as well.
- Transparency and Consumer Protection: Measures are introduced to enhance transparency regarding the security of both hardware and software for consumers and businesses, empowering informed decision-making.
- Market Surveillance Framework: A robust framework will enforce the regulations, ensuring compliance and safeguarding the EU’s digital space.
Co-legislators have also proposed adjustments, including:
- Simplified Product Classification: A streamlined approach for classifying regulated digital products, facilitating easier compliance and understanding.
- Product Lifetime Determination: Manufacturers must specify the expected lifespan of digital products, with a minimum five-year support period, unless shorter use is anticipated.
- Reporting Obligations: A focus on reporting actively exploited vulnerabilities and incidents, enhancing the role of national authorities and ENISA in managing cybersecurity threats.
Looking Forward: Implementation and Impact
With the provisional agreement in place, technical work continues to finalize the regulation’s details. The compromise text will be presented for endorsement by member states, marking a critical moment in the EU’s journey towards a cohesive and secure digital ecosystem.
The CRA is set to apply three years after enactment, providing manufacturers with ample time to adapt. Additionally, specific support measures for small and micro enterprises have been agreed upon, including awareness-raising, training, and assistance with testing and compliance procedures.
The Path to the Cyber Resilience Act
This provisional agreement marks the culmination of a journey that began with the Council’s 2020 conclusions on the cybersecurity of connected devices, emphasizing the need for comprehensive legislation. Reflecting the urgency expressed by Commission President von der Leyen in 2021 and subsequent Council conclusions, the CRA proposal submitted by the Commission in September 2022 aims to complement the existing EU cybersecurity framework, including the NIS Directive and the EU Cybersecurity Act.
This agreement represents a significant milestone in the EU’s commitment to enhancing cybersecurity resilience, marking a new era of digital product security and consumer protection across the Union.
Business Requirements and Responsibilities
Under the CRA, manufacturers and distributors of digital products are required to ensure the compliance of their offerings from the moment they are placed on the market and throughout their lifecycle. This involves actively monitoring for vulnerabilities and working closely with security researchers to identify and fix potential vulnerabilities within 90 days of discovery.
Cooperation and Sanctions
Another cornerstone of the CRA is the enhanced cooperation between EU Member States and the European Commission to monitor the application of the Regulation. In the event of non-compliance, companies risk severe penalties, up to 10% of their annual global turnover. This underlines the EU’s commitment to ensuring a high level of digital security.
Application and Exclusions of the CRA
The CRA applies to a wide range of digital products, with the notable exception of those already regulated by other EU legislation, such as medical devices or vehicles. Its aim is to close legislative gaps and strengthen coherence in the field of cybersecurity.
Conclusion and Outlook
Following its approval by the Council of the EU and the European Parliament, the CRA is scheduled to enter into force in early 2024. Manufacturers then have 36 months to comply with the new rules. This initiative marks an important step towards a more secure and resilient European Union in the face of digital threats.
Benefits of the Cyber Resilience Act for the Digital Ecosystem
The Cyber Resilience Act (CRA) is envisaged not only as a regulatory framework, but also as a lever for improving cybersecurity at the European Union level. It brings several significant benefits, both for users and for the digital economy as a whole.
Strengthening Consumer and Business Protection
One of the main strengths of the CRA is its ability to raise the level of security for consumers and businesses. By imposing high and constantly updated cybersecurity standards, the regulation ensures that digital products purchased or used offer optimal protection against cyber threats. This helps to create a safer digital environment for all.
Harmonization of the Digital Internal Market
The CRA plays a crucial role in harmonising cybersecurity rules across the EU. By eliminating the fragmentation and divergence of national laws, it facilitates the free movement of digital products within the Single Market. This is essential to support economic integration and boost intra-European trade in digital solutions.
Driving Innovation in Cybersecurity
Finally, the CRA is a driver of innovation in the cybersecurity sector. By increasing demand for secure digital products, it encourages investment in research and development. This dynamic creates valuable opportunities for European companies, allowing them to stand out as leaders in the field of cybersecurity on the global stage.
In sum, the benefits of the CRA are manifested in enhanced protection for users, regulatory harmonisation beneficial to the European single market, and increased support for innovation in the cybersecurity sector. Through these measures, the CRA aims to establish a solid foundation for a safe, competitive and innovative digital ecosystem in the European Union.
Analysis of the Challenges Posed by the Cyber Resilience Act
The Cyber Resilience Act (CRA), while aiming to strengthen digital security within the European Union, raises concerns about its potential impact on various aspects of the digital landscape. These drawbacks deserve special attention to understand the challenges associated with the implementation of this legislation.
Impact on Vulnerability Disclosure
A major criticism is the possible reluctance of security researchers to report discovered vulnerabilities. The fear of sanctions or legal action, due to failure to comply with deadlines or procedures dictated by the CRA, could deter these key players from sharing their findings, thus limiting collective efforts to strengthen cybersecurity.
Effects on Free and Open-Source Software
The CRA is also suspected of slowing down the development and adoption of free and open-source software. The latter, known for their security and transparency, could be subject to disproportionate and onerous compliance requirements. These risks hindering innovation and the use of these valuable resources in the digital ecosystem.
Standardization of Disclosure Models
Another sticking point is the potential reduction in the effectiveness and diversity of vulnerability disclosure models. The one-size-fits-all and rigid approach advocated by the CRA may not be appropriate for all situations, requiring flexibility to adapt to the specifics of each case.
Potentially disproportionate penalties
The penalties envisaged by the CRA for non-compliance are considered by some to be excessive. The prospect of severe financial penalties could jeopardize the economic viability of digital manufacturers and distributors, as well as their ability to innovate. This approach could, therefore, have negative repercussions for the entire digital sector.
In sum, although the CRA aims to establish a strengthened security framework for the European Digital Space, it is crucial to assess and address its possible negative impacts. Careful consideration of these issues will allow the regulation to be adjusted and refined so that it effectively supports cybersecurity without hindering innovation or collaboration in the digital domain.
Cyber Resilience Act Compliance Guide for the Digital Industry
The Cyber Resilience Act (CRA) is a major initiative by the European Union to increase cybersecurity across its Member States. Compliance with this regulation requires a series of targeted and structured actions, applicable to both manufacturers and distributors of digital products.
Actions Required for Digital Product Manufacturers
- Conducting Cyber Risk Assessments: The first step involves analyzing and documenting the risks associated with the products. This includes identifying threats, vulnerabilities, impacts, and protective measures, with this information regularly updated.
- Application of the CE Marking and Information to Users: Products must bear the CE marking, a symbol of their compliance with EU safety standards. It is essential to provide comprehensive information on the cybersecurity characteristics of products, including conditions of use and maintenance.
- Security Updates: Manufacturers must establish and maintain procedures for updating the security of products, ensuring the ability of products to receive and install these updates. Proactive communication about the need for and availability of updates is crucial.
- Vulnerability Reporting: Discovered or reported vulnerabilities must be reported within 90 days. It is important to communicate corrective actions to users using appropriate channels and adhering to the principles of responsible disclosure.
- Cooperation with Cybersecurity Authorities: Collaboration with competent authorities, participation in audits and provision of the necessary documents for compliance verification are key elements.
Obligations of Digital Product Distributors
- Product Conformity Verification: Distributors must ensure that the products marketed comply with the requirements of the CRA, including the CE marking. They must also provide adequate information about the cybersecurity of the products.
- Security Update Information and Support: Distributors are responsible for notifying users of security updates and assisting them with their installation. Communication about vulnerabilities and remediation is also required.
- Audit and Cooperation with Authorities: Submission to controls, cooperation with competent authorities and provision of the necessary information to demonstrate compliance are essential.
Importance of Compliance
Failure to comply with CRA guidelines can result in significant penalties, including fines of up to 10% of annual worldwide turnover. The adoption of internal compliance and governance mechanisms is therefore crucial to avoid such consequences.
CRA compliance is not only a legal imperative but also an opportunity to improve the security and resilience of the European digital ecosystem. With these measures, the digital industry makes a significant contribution to data protection and user trust in digital technologies.
Which products are covered by the Cyber Resilience Act?
General definition of the products concerned
The CRA applies to all products with digital elements that are directly or indirectly connected to another device or network, with the exception of those already covered by other EU rules, such as medical devices, aviation or cars. The CRA aims to fill gaps and ensure consistency in existing cybersecurity legislation.
Distinguishing between critical and non-critical products
The CRA applies to a wide range of products with digital components, such as internet-connected devices, software and online services. However, not all products are subject to the same level of scrutiny and obligations. The CRA distinguishes between critical and non-critical products, based on the level of risk they pose to users and society.
The scope of the CRA
The CRA covers all products that have a digital component and that are connected directly or indirectly to another device or network. This includes all connected hardware (computers, phones, household appliances, cars, toys, virtual assistive devices, etc.) as well as systems such as VPNs, antivirus, password managers, software essential to the management of cloud services, or the operating systems of the aforementioned hardware.
For the sake of clarity, the draft CRA provides a list of affected products and software. However, this list is not exhaustive and may be updated by the Commission to take into account technological developments.
The classification of critical products
As you will discover by reading further, this CRA regulation makes a distinction between a general category of products containing digital elements, and those considered “critical”. The latter category represents 10% of the objects covered by this regulation. While critical products are those which, if compromised, would have significant impacts on the security of property and people as well as society.
In summary, this regulation is subdivided into critical products and two other classes according to the level of criticality of the risks. Thus, depending on the class to which they belong, software or hardware will be subject to more or less strict supervision and obligations.
The obligations for different classes of products
To streamline the understanding of the impact of the Cyber Resilience Act (CRA) on product classes, let’s take a look at this simplified guide. This is a table that succinctly classifies products according to their criticality under CRA regulations. As a result, this has the advantage of highlighting the specific obligations as well as their impacts on manufacturers and their potential effects on the market. Therefore, this has the effect of presenting this information in a clear and organized manner. We also aim to facilitate the smooth adaptation process for stakeholders to this Cyber Resilience Act regulation. So prepare now to take this information into account to effectively improve and anticipate your strategies. Anticipate your compliance with its new and evolving European cybersecurity standards.
Table 2: CRA Obligations by Product Class
Product Class |
Obligations |
Impact on Manufacturers |
Market Effects |
Most Critical |
- Certification by an independent body before market entry.
|
- Incurs significant costs and delays.
|
- May hinder innovation and competitiveness, especially in electronics and embedded systems.
|
Intermediate |
- Self-assessment and declaration of conformity by manufacturers.
|
- Reduces administrative burden and time to market.
|
- Demands high responsibility and transparency.
|
Less Critical |
- Compliance with essential requirements, no formal certification needed.
|
- Ensures basic security levels without excessive costs.
|
- Enhances trust in less critical digital products.
|
Key Insights:
- First, the Cyber Resilience Act classifies products based on their impact on cybersecurity and imposes specific compliance obligations on them.
- This is why the most critical products are subject to strict certification processes.
- In fact, this affects market dynamics. Whereas, intermediate and less critical classes follow simplified compliance pathways. This balances security needs and market viability.
- Finally, this concise overview facilitates informed decision making and strategic planning for market positioning and observation.
Navigating the Cyber Resilience Act (CRA): A Quick Guide
Hardware Security Module with the CRA
Under the Cyber Resilience Act (CRA), Hardware Security Modules (HSMs) play a crucial role in securing Europe’s digital infrastructure. Indeed, they are the Guardians of the cryptographic keys. They are in fact the pillars of data security and digital transactions. Without question, HSMs are essential tools to meet the strict requirements of the CRA.
Definition of HSMs
Hardware and digital security modules (HSMs) play a crucial role in securing cryptographic processes. They generate, protect, and manage encryption, decryption, digital signature, and certification keys. Their importance for the protection of sensitive data and digital trust classifies them as critical products according to the Cyber Resilience Act (CRA).
Features of the HSM Hardware
Hardware HSM comes in the form of a physical device, ensuring high security against physical and logical attacks. It can be integrated into a computer system such as a PCI card or an external enclosure. These devices are evaluated and certified according to international safety standards, such as FIPS 140 and Common Criteria EAL4+, attesting to their reliability and robustness.
Benefits of Digital HSM
At the same time, digital HSM offers a software solution that provides security comparable to that of a hardware HSM. With virtualization and advanced encryption, it can be deployed on servers, cloud environments, or mobile devices. Certifications, such as FIPS 140-2 Level 1 or Common Criteria EAL2+, validate the compliance of these software solutions with rigorous security standards.
Cyber-resilience regulation certification process in force
In accordance with the requirements of the CRA, HSMs, whether physical or digital, must obtain certification from an independent body before they are placed on the market. This certification assures users that the devices meet high standards of security and protection of sensitive information.
Importance of HSMs in Cybersecurity
Hardware and digital HSMs are critical components of an organization’s security infrastructure. They secure the exchange of information by providing a reliable and certified method of protection for critical data. By facilitating secure management of cryptographic keys, HSMs build digital trust and support regulatory compliance.
In short, both hardware and digital HSMs are indispensable tools in the modern cybersecurity landscape. Their role in securing cryptographic keys and encryption processes is vital for data protection and trust in digital systems. The mandatory certification emphasizes their importance and ensures that they comply with the highest safety standards.
Hardware Security Modules (HSMs) Under the Cyber Resilience Act
Definition and Features of HSMs
HSMs are specialized devices designed for the secure management of cryptographic keys, crucial for data encryption and transaction security. These modules embody the core principles of the CRA, providing foundational security capabilities across critical and less critical sectors.
Fixed HSMs
Embedded within infrastructural setups, fixed HSMs offer enduring security solutions. These devices are pivotal in safeguarding essential services, from energy distribution to financial transactions, aligning with the CRA’s high-security benchmarks.
Removable HSMs
Offering versatility, removable HSMs, such as USB HSMs, enable secure key management across varied operational contexts. They facilitate a balance between security and mobility, catering to diverse needs within the CRA framework.
NFC HSMs
Merging NFC technology with HSM security, NFC HSMs introduce a new paradigm in contactless transaction security. Although categorized as non-critical, their adherence to CRA standards exemplifies the act’s comprehensive approach to cybersecurity, spanning from retail to access control applications.
NFC HSM and the Cyber Resilience Act (CRA): A Closer Look at Secure Technology
NFC HSM (Near Field Communication Hardware Security Module) represents a technological fusion. It integrates a hardware security module with Near Field Communication (NFC) technology like those manufactured by the Freemindtronic company in Andorra. They also have the particularities of being patented, of operating without a server, without a database and without the user needing to identify themselves or create an account to use them. They are not connected by default. This device provides secure, on-demand wireless interaction between devices over short distances, further protecting the data exchanges they encrypt.
They represent a significant advancement in secure short-range wireless communication by integrating near-field communication (NFC) with the robust security of hardware security modules (HSM). These devices provide enhanced protection of cryptographic keys and sensitive data, facilitating secure, contactless transactions and interactions with ease and flexibility.
Features and Advantages:
- Enhanced Security: Embedded HSMs safeguard against external threats, ensuring the integrity of cryptographic keys and sensitive data.
- Secure Authentication: NFC technology supports mutual authentication, minimizing fraud and counterfeiting risks.
- Ease of Use: Simplified transactions through touch, eliminating manual data entry.
- Versatility: Can be integrated into a wide array of devices and applications.
Applications:
- Contactless Payments: Devices equipped with NFC HSM technology facilitate fast and secure transactions, enhancing user convenience and safety.
- Access Control: These systems manage entry to secure areas, safeguarding physical and digital assets by regulating access to buildings and sensitive data.
- Tracking and Traceability: NFC HSMs play a crucial role in supply chain management, enabling the authentication and monitoring of goods, ensuring their integrity from origin to destination.
- Electronic Tickets: Ideal for storing digital tickets for transportation, events, and other services, streamlining the user experience while ensuring security.
- Contactless Hardware Secrets Manager: A novel application where NFC HSMs manage passwords, encryption keys, secret keys, PIN codes, and 2FA credentials, offering a secure and convenient solution for managing digital identities and access rights across various platforms.
These examples underscore the versatility and security enhancements provided by NFC HSM technology, aligning with the objectives of the Cyber Resilience Act to foster a secure and resilient digital environment across the EU.
Exemplifying CRA Compliance: Freemindtronic’s NFC HSM
Incorporating Freemindtronic’s NFC HSM as a case study offers an insightful lens through which to view the Cyber Resilience Act’s (CRA) implications for digital product security. Freemindtronic’s approach exemplifies adherence to the CRA through its innovative security measures and compliance practices.
Exemplifying CRA Compliance: Freemindtronic’s NFC HSM
As we delve into the CRA’s extensive requirements and scope, practical examples like Freemindtronic’s NFC Hardware Security Modules (HSMs) illuminate how digital products are aligning with heightened security standards.
Meeting CRA’s Fundamental Compliance Demands:
- Risk Assessment: Freemindtronic has not just conducted a thorough risk evaluation but has also embedded stringent risk management practices from inception through to development, manufacturing, and usage of NFC HSMs. This includes countermeasures against both invasive and non-invasive threats, reflecting the CRA’s directive for integrated risk management.
- Security Implementations: With patented multi-security functions such as segmented key authentication and customizable trust criteria, alongside post-quantum considered AES-256 encryption in NFC HSM memories, Freemindtronic exceeds the CRA’s requirements for advanced security measures.
- Vulnerability Disclosure: Freemindtronic’s immediate vulnerability disclosure mechanism, especially through its website, aligns with the CRA’s demand for timely vulnerability reporting to authorities, despite over seven years without detected vulnerabilities in NFC HSM products.
- Regulatory Cooperation: Freemindtronic’s proactive partnership with Andorran regulatory bodies, including the National Cybersecurity Agency of Andorra (ANC), signifies a commitment to enhancing security collaboratively, as encouraged by the CRA.
Freemindtronic’s NFC HSM Features Enhancing CRA Compliance:
- Serverless and Database-Free Operation: This minimizes potential attack vectors, aligning with the CRA’s focus on cybersecurity risk reduction.
- User Anonymity and No Account Creation: By operating anonymously without user identification or account creation, It embodies a contactless plug-and-play principle, making it physically impossible to identify the NFC HSM users. Freemindtronic supports the CRA’s emphasis on user privacy and data protection.
- End-to-End Anonymization: Freemindtronic’s NFC HSMs are not active by default, given their battery-less design. They are inert products that become active for less than a second during the use of the secret contained within the NFC HSM. Secrets used on the phone or computer are not stored in the systems; everything is conducted ephemerally in volatile memory. This approach is in strict adherence to the CRA’s data protection and confidentiality principles.
- Innovation Patent Protection: Freemindtronic’s security solutions, underpinned by innovation patents, set a high compliance standard with the Cyber Resilience Act.
Industry Advantages:
- Simplified Compliance Process: Freemindtronic’s NFC HSMs provide a pre-compliance solution that simplifies adherence to CRA regulations, saving time and resources for businesses.
- Enhanced Data Security: Freemindtronic sets a security benchmark for sensitive data and cryptographic keys, embodying the CRA’s aim to standardize protection across digital products.
- Adaptability to Diverse Applications: The flexibility of Freemindtronic’s NFC HSMs showcases the adaptability of security solutions to meet various application needs within the CRA framework.
By showcasing Freemindtronic’s NFC HSMs, we highlight how innovative security technologies can not only meet but surpass the rigorous expectations of the CRA. This insight into Freemindtronic’s compliance strategy offers a practical perspective on adhering to CRA guidelines, reinforcing the regulation’s role in boosting the cybersecurity posture of digital products within the EU.
Key Features of the CRA at a Glance
In summary, the Cyber Resilience Act aims to strengthen the cybersecurity of products sold within the European Union.
This concerns a very large number of products, such as Internet-connected devices, software and online services.
Indeed, manufacturers and distributors will be required to comply with the various requirements of this European CRA regulation. In particular, they will have to carry out risk assessments on their products, implement security measures and inform users.
Thus, the Cyber Resilience Act should offer many advantages. This is characterized by increased user security. But it should also promote trust and the digital economy and help accelerate European innovation in the cybersecurity sector. However, the downside is that the ARC will impose certain challenges, such as increased costs for manufacturers and distributors, increased regulatory complexity and potential fragmentation of the single market.
Overall, the CRA constitutes an important piece of legislation that will have a major impact on the European cybersecurity landscape. It is important that all stakeholders are aware of the ARC requirements and take steps to comply with them.
The table below provides a summary of the CRA’s key features.
Table 1: Summary of the Cyber Resilience Act (CRA)
Finally, this table above constitutes a simple summary of the main characteristics of the CRA. So you have a more complete visual understanding of the Cyber Resilience Act.
In conclusion on the European cyber-resilience act regulation
In conclusion, the Cyber Resilience Act (CRA) represents a significant step forward in the European Union’s efforts to strengthen cybersecurity and protect consumers in the digital age. While challenges remain, the CRA has the potential to create a more secure and resilient digital ecosystem for all. As the regulation comes into effect and evolves over time, it will be crucial to monitor its impact and adapt it as needed to ensure its continued effectiveness in a rapidly changing technological landscape. Ultimately, the success of the CRA will depend on the collective efforts of governments, businesses, and individuals to embrace its principles and work together to build a more secure and trustworthy digital world.
Sources
Here are some official sources which confirm this information: