The Cyber Resilience Act (CRA) will fundamentally change the market for IT products and devices with digital elements. This is because the IT security features of products will become a decisive criterion for market access in the EU in future. The Federal Office for Information Security (BSI) has now been appointed by the German government as the notifying and market surveillance authority vis-à-vis the European Commission.
This gives the BSI new tasks: As a notifying authority, the BSI will assess and notify third-party organisations so that they can independently test IT products for the requirements of the CRA. As a market surveillance authority, the BSI can check IT products for cyber security on a random or targeted basis and impose sanctions and fines (up to EUR 15 million or 2.5% of global turnover from the previous financial year) in the event of violations. In this role, the BSI is also given the option of withdrawing products with digital elements from the market if they do not fulfil the requirements of the CRA.
BSI President Claudia Plattner: "The CRA is a game changer for the security of digital products! We are raising the cyber security level of numerous devices in Europe. The BSI will fulfil its role very conscientiously and ensure that citizens can use their IT products with a sense of security."
As a market surveillance authority, the BSI can take active and reactive action within the framework of the CRA. Active means that products can be inspected without cause as part of the market surveillance strategy. Reactively, the BSI can respond to information from third parties and analyse the causes and effects of incidents, defects or vulnerabilities and take appropriate measures.
Everything you need to know about the CRA on the BSI website
In order to be allowed to operate as a conformity assessment body under the CRA and test products, test centres must fulfil the requirements listed in Art. 39 of the CRA. The necessary procedures for CRA notification will be developed by the BSI in the coming months.
The BSI has provided extensive information for the CRA, which is being continuously expanded.
