Overview of EU Cyber Resilience Act
1. Introduction
On 10 December 2024, a new EU regulation on horizontal cybersecurity requirements for products with digital elements, the EU Cyber Resilience Act (referred to as the “CRA” below), officially took effect. This legislation aims to strengthen cybersecurity standards for all digital products placed on the EU market, consolidating existing cybersecurity regulatory frameworks and imposing stringent cybersecurity requirements on digital products, including software. The CRA is closely linked to other EU regulations such as the NIS2 Directive, the EU AI Act and the GDPR. It marks a solid step forward by the European Union in building a safer and more transparent digital environment.
The CRA will apply in full from 11 December 2027, with certain obligations applying earlier: the manufacturers' security incident reporting obligation takes effect from 11 September 2026, and the Member States' notification obligation for conformity assessment bodies applies from 11 June 2026.
2. Applicable Products and Exceptions
The CRA applies to any software or hardware product and its remote data processing solutions, including software or hardware components placed on the EU market separately (products with digital elements, referred to as “PDEs” below). Excluded products include medical devices, motor vehicles, PDEs developed exclusively for national security or military purposes, and products specifically designed to process classified information.
The CRA splits covered PDEs into three categories. Class I and Class II are the main categories regulated by the CRA and are together classified as Critical PDEs, with Class II considered to pose higher risk than Class I. The remaining PDEs, which fall into neither Class I nor Class II, are “Unclassified or Default”.
a) Unclassified or Default
b) Class I (23 categories)
c) Class II (15 categories)
Risk Level: Class II > Class I > Unclassified or Default
Unclassified or Default (Low Risk): There is no list for Unclassified or Default products. This category covers almost 90% of PDEs, namely those not listed in Class I or Class II, such as photo editing, word processing, smart speakers, games, hard drives, etc.
Class I (Medium Risk): Class I includes 23 categories of critical PDEs, such as identity management system software, standalone and embedded browsers, password managers, network interfaces, firewalls and microcontrollers.
Class II (High Risk): Class II includes 15 categories of higher-risk critical PDEs, such as operating systems for servers, desktops and mobile devices, public key infrastructure and digital certificate issuers, industrial firewalls, CPUs and secure elements.
3. Main Obligations
The EU Cyber Resilience Act will apply to manufacturers, importers and distributors, together referred to as economic operators. Manufacturers must design, develop and produce PDEs in accordance with the essential cybersecurity requirements of the CRA. Importers shall ensure that manufacturers have complied with the essential requirements and must only place PDEs on the EU market that comply with them. Distributors shall ensure that PDEs bear the conformity marking (“CE marking”) and that manufacturers and importers have complied with their respective obligations under the essential requirements.
4. Dahua’s Compliance Measures
Dahua fully embraces the regulation and strongly supports its aims, mission and values. We adhere strictly to global standards and certifications; our product security practices are designed to meet these benchmarks, and we have further enhanced our efforts by:
1) Cybersecurity by Design and Risk Assessments
Dahua is dedicated to enhancing its Secure Software Development Life Cycle (sSDLC) by regulating and optimizing processes through comprehensive security activity maturity assessments across the product development life cycle:
a) Product definition phase: security and privacy baselines are taken as the core requirements. Dahua conducts a risk assessment and formulates appropriate requirements and strategies based on its results. The baseline is based on (and implements) the security and privacy design principles, with authentication, authorization, audit, confidentiality, integrity, availability and privacy as the security elements of the architecture design, forming a systematic AIoT product security framework covering physical security, system security, application security, data security, network security and privacy protection.
b) Product design phase: focuses on security principles such as minimizing the attack surface and secure defaults, incorporating the concepts of “Security by Design”, “Security by Default”, “Privacy by Design” and “Privacy by Default”.
c) Product development phase: strict adherence to secure coding practices, together with static code analysis and defect repair, ensuring compliance with open-source control standards.
d) Acceptance phase: includes rigorous security activities such as various types of scanning and penetration testing.
e) Pre-release: verifies consistency of security requirements with security design, and checks satisfactory implementation of security measures and completeness of security data.
f) Throughout the product lifecycle: continuous training on security principles and tools increases staff awareness and capabilities.
2) Vulnerabilities Management and Incident Reporting
The Dahua Product Security Incident Response Team (PSIRT) has been established to address cybersecurity issues through security vulnerability reporting, announcements and notices, and cybersecurity knowledge sharing with global users, providing more robust and secure products and solutions.
Dahua attaches great importance to vulnerability management and has established a complete vulnerability management process with reference to ISO/IEC 30111, ISO/IEC 29147 and other standards, ensuring that vulnerabilities are fixed in time and improving product security in a transparent and open manner.
Dahua PSIRT monitors global cybersecurity incidents and provides 24/7 emergency response services to global users.
3) Product Secure by Default Configuration
By further consolidating its overarching security framework into corporate standards and implementing it through the security engineering assurance system, Dahua ensures that users benefit from out-of-the-box default security safeguards.
a) Products have no default accounts upon shipment, requiring users to create accounts during deployment.
b) Adhering to the principle of minimal disclosure, only basic services are enabled by default.
c) Products support resetting to the original factory settings, which will delete user data by default without compromising the product’s security performance.
4) Data Security and User Right Protection
Dahua products follow data minimization principles, collecting only the data strictly essential for functionality. Through a Privacy Impact Assessment (PIA), the collection of each data field is ensured to have a clear legal basis and functional necessity.
Dahua is committed to establishing comprehensive, cryptography-based data security protection throughout the entire product lifecycle, covering data collection, transmission, storage, usage, sharing, display, copying and deletion, to prevent data leakage, tampering and destruction.
a) Leveraging PKI and signature algorithms to enable data signing and verification, ensuring data integrity.
b) Using digital envelope technology to ensure that data transmitted through networks can only be decrypted and read by authorized users.
c) Ensuring secure data transmission through frame encryption and channel encryption technologies.
d) Using Key Management Server (KMS) to safeguard keys used for encrypted video storage.
e) Deploying firewalls, whitelists, and other measures to prevent unauthorized access.
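Items a) and b) above name two generic mechanisms, signature-based integrity and the digital envelope. The following Go program is an added illustration of how those two mechanisms fit together; it is not Dahua's code and makes no claim about which algorithms or key sizes Dahua products use. It assumes a common hybrid construction: a fresh AES-256-GCM content key per message, wrapped for the recipient with RSA-OAEP, and an RSA-PSS signature by the sender over the wrapped key, nonce and ciphertext. Key distribution and the Key Management Server of item d) are outside its scope; the sample message is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Envelope carries a per-message AES-GCM key wrapped for the recipient, the payload, and the sender's signature.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// newGCM builds the payload AEAD from a 256-bit content key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// transcript digests the signed fields with length prefixes, so bytes cannot be shifted between fields unnoticed.
func transcript(e *Envelope) []byte {
	h := sha256.New()
	for _, part := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		binary.Write(h, binary.BigEndian, uint32(len(part)))
		h.Write(part)
	}
	return h.Sum(nil)
}

// Seal encrypts under a fresh content key, wraps that key for the recipient (RSA-OAEP) and signs the envelope (RSA-PSS).
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32) // content key used for this one message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(e.Nonce); err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, plaintext, nil)
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil); err != nil {
		return nil, err
	}
	if e.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, transcript(e), nil); err != nil {
		return nil, err
	}
	return e, nil
}

// Open verifies the sender's signature first; only a verified envelope is unwrapped and decrypted.
func Open(e *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, transcript(e), e.Signature, nil); err != nil {
		return nil, fmt.Errorf("envelope rejected before decryption: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// must is a small helper for the stand-alone demo below; it stops on any error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	sender := must(rsa.GenerateKey(rand.Reader, 2048))    // constructed sender key pair
	recipient := must(rsa.GenerateKey(rand.Reader, 2048)) // constructed recipient key pair
	env := must(Seal([]byte("constructed sample: event record from camera-01"), &recipient.PublicKey, sender))
	fmt.Printf("recovered: %q\n", must(Open(env, recipient, &sender.PublicKey)))
	env.Ciphertext[0] ^= 0x01 // one ciphertext bit flipped in transit
	_, err := Open(env, recipient, &sender.PublicKey)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

Two design points carry over to any real deployment of these mechanisms: the signature is checked before any decryption is attempted, so tampered or misattributed data never reaches the decryptor, and the signed transcript length-prefixes each field, so the same bytes split differently between fields cannot verify as the same message.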
At Dahua, we are committed to delivering products and services that comply with various standards, including applicable laws in the regions where we operate and industry best practices. We place individual fundamental and legal rights at the core of our business operations. For example, we embed appropriate features or technologies in our products to allow users to exercise their rights, such as deleting data or deactivating accounts.
Dahua continues to introduce innovative security technologies, striving to enhance product security capabilities. We provide global users with security alerts and real-time emergency response services to better protect users’ safety and rights.
5) Product Impact Management and User-centered Security Support
Dahua products adhere to the principles of minimization and necessary data collection: unnecessary services are disabled, non-essential ports are closed and the attack surface is limited to enhance security. The Dahua Product Security Incident Response Team (PSIRT) monitors global cybersecurity incidents and provides around-the-clock emergency response services to users worldwide.
We offer transparent documentation, best practices, guidelines and white papers to help our users operate securely. Through security vulnerability reporting, announcements, notifications and cybersecurity knowledge sharing, we address cybersecurity challenges and deliver robust and secure products and solutions.
The details of Dahua’s cybersecurity practice can be found on our official website at https://www.dahuasecurity.com/aboutUs/trustedCenter.
5. Dahua’s Compliance Commitment
As a world-leading video-centric AIoT solution and service provider, Dahua attaches great importance to security compliance and will continue to closely monitor developments in the EU CRA to ensure that our products and solutions fully comply with the regulation's requirements. We are committed to providing users with products that meet industry-leading standards in security, performance and user experience. Adhering to a user-centric approach, we fully protect the legitimate rights and interests of our users and offer comprehensive support services. Should you have any questions regarding the EU CRA, please do not hesitate to contact us.
Dahua Technology