Reuters recently ran a story confirming the EU had agreed to cybersecurity rules and the text for a new law to govern all products designed with digital elements, which includes mobile apps. The law is known as the Cyber Resilience Act (CRA). 

Verimatrix first wrote about this topic in early 2023 when we published our whitepaper, “Security First: The European Union’s Cyber Resilience Act and Its Pending Impact on the Mobile App Development Ecosystem.”

This is really big news for several reasons. But more about that in a moment. Let’s look a bit more into what the EU just approved.

EPP Group introduces CRA for unified digital security standards

The EPP Group, the largest bloc in the European Parliament, stated that under the CRA, all digital devices and software will now face unified cybersecurity standards. This encompasses hardware such as laptops and mobile phones, as well as the apps running on them.

The CRA lays out steep penalties for non-compliance, with fines up to €15 million, or 2.5% of a company’s total global turnover, for major violations. These are on par with sanctions under Europe’s stringent General Data Protection Regulation (GDPR) on data privacy.

In 2023 alone, GDPR fines exceeded €1.6 billion ($1.8 billion), surpassing the total fines of the previous three years combined.

Now that political agreement has been reached, the Cyber Resilience Act will go through the EU legislative process in 2024 before entering into force. A phased transition period will give the industry time to adapt. The final legal text will be published in early 2024.

CRA regulations to reshape mobile app security landscape in Europe

Returning to why this is big news: we believe the coming CRA rules will impact all companies that depend substantially on mobile applications to reach European consumers via digital devices. That’s a huge market, meaning organizations can’t afford to ignore the coming changes. Mobile application security will soon transform from an optional measure into a firm requirement.

Much like in the lead-up to GDPR in 2018, the next year will be crucial for awareness-building and preparation. 

Application developers will need to familiarize themselves with forthcoming CRA rules and begin devising compliance plans. Mobile security vendors will similarly initiate major educational outreach efforts targeted at developers. They will also likely begin adjusting their solutions to help clients meet the strict new European standards. Integrating cybersecurity into the app design process will shift from a discretionary choice to a mandated priority.

As a trusted French cybersecurity provider, Verimatrix stands ready to be your guide in this changing regulatory landscape. We offer a diverse suite of battle-tested security options applicable to Android, iOS, and desktop application developers seeking CRA-readiness. This includes zero-code mobile app shielding technologies that seamlessly layer on advanced protections such as code obfuscation. We also provide sophisticated cryptographic toolkits for maximum control over in-app cyber defenses through custom key management and code signing capabilities.

Verimatrix’s multi-award-winning solutions are the trusted choice for Cyber Resilience Act compliance. As new details on CRA enforcement emerge, our experts are here to answer any questions about fortifying your mobile app security. By preparing proactively today, mobile app development teams and publishers can feel confident their innovations will continue delighting customers across the European continent for the foreseeable future.