Improving the Safety and Security of Digital Products Made Available in the European Union - Understanding the European Cyber Resilience Act (CRA)

June 18, 2024 by Juhapekka Niemi

"Cyber threats evolve fast, they are increasingly complex and adaptable. To make sure our citizens and infrastructures are protected, we need to think several steps ahead. Europe's resilient and autonomous Cybersecurity Shield will mean we can utilise our expertise and knowledge to detect and react faster, limit potential damages and increase our resilience. Investing in cybersecurity means investing in the healthy future of our online environments and in our strategic autonomy."

Thierry Breton, European Commissioner for the Internal Market 

The emergence of new AI technologies, advancements in connectivity, and cultural developments such as the transformation of remote work since Covid-19 have changed the cybersecurity landscape for good. An increasing number of individuals, businesses and even governments are targeted by different types of cyber threats. According to the latest estimation, the number of connected devices is forecast to rise to 32 billion by 2030 globally. At the same time, 1 in 8 businesses have already been impacted by cyberattacks, and cybercrime is estimated to cost the world $10.5 trillion annually by 2025. It is against this backdrop that the European Parliament has recognized the need for stricter and more standardized cybersecurity requirements to better protect consumers and businesses. The European Parliament approved the new Cyber Resilience Act (CRA) in March 2024, and once it completes the full legislative process, it’s expected to be formally adopted by mid/late 2024.

What is the Cyber Resilience Act (CRA)?  

The EU Cyber Resilience Act is a legal framework that requires manufacturers of hardware and software products with digital elements (PDEs) that are made available in the European Union to have a unified and thorough approach to cybersecurity throughout the product’s lifecycle. Failing to do so can result in fines and penalties up to €15 million or 2.5% of the organization’s global annual turnover for the previous fiscal year, whichever is greater.  

While the law is expected to be ratified in 2024, the enforcement date of compliance requirements will follow up to 36 months later, depending on the requirement.  

What Types of Products Need to be Compliant with the European Cyber Resilience Act?  

The CRA has a very broad scope, covering any product with digital elements (PDE), regardless of whether that digital element is the product's primary function. This includes, but is not limited to:

  • Internet-connected devices (IoT)
  • Operational technology like industrial control systems
  • Smart appliances and consumer electronics
  • Toys and childcare products with digital elements
  • General purpose computing hardware and software
  • And potentially even components like semiconductor chips

There are a few exceptions for exceedingly low-risk items, but those are few and far between. The vast majority of products containing even minimal digital capabilities are covered by the CRA. The CRA also includes free and open-source software (FOSS) within its scope, albeit with differing requirements and specifications that are yet to be clarified in detail. The Qt Group is following the developments closely and will assess its FOSS CRA compliance as more information emerges. 

What Obligations Does the CRA Impose?

The CRA is a broad legislative framework; however, some of the highlights in terms of obligations include:

  • The CRA sets up a classification structure for products and different compliance structures depending on how critical the product is determined to be;
  • Requirements for carrying out conformity assessments on products with digital elements;
  • Requirements for implementing cybersecurity measures such as record-keeping requirements, and vulnerability and incident handling requirements on products with digital elements

Qt Group Compliance with the EU CRA

The Qt Framework and other products provided by Qt Group are likely to be impacted by the legislative changes. Qt Group is actively working on assessing, monitoring and implementing CRA requirements, with a focus on updates to product offering, product life cycle and required support processes. We remain committed to partnering with our customers to enable the continued compliant use of all our products across a variety of markets and geographies.  

Please follow the “cybersecurity” tag in the Qt Group blog for further updates.  
