EU Cyber Resilience Act could trigger another Compliance drive for Tech Exporters

India has just signed two important trade deals: one, the mother of all deals, with the EU, and now the father of all deals with the USA. Additionally, the budget has also provided some push to exporters of tech products. Both may aid and assist the growth of exports of tech products.

These developments could incentivise new manufacturing investments in Cyber Products by companies looking for prosperous export opportunities in EU markets, both directly and through the US.

Amidst these positive developments, we also need to keep in mind that the EU has passed a Cyber Security regulation, namely the EU Cyber Resilience Act 2024 (EU-CRA), which becomes partly operative during 2026 and fully operative from December 11, 2027. The act will impact exporters of Cyber products to the EU market and require them to incorporate certain compliance measures. The penalty for non-compliance could reach up to Euro 15 million or 2.5% of global annual turnover.

EU-CRA applies to all economic operators placing digital products on the EU market, regardless of where the company is headquartered.

That means Indian manufacturers, software producers, and suppliers whose products are sold in the EU must comply with CRA requirements. They must embed robust cybersecurity practices into product lifecycles if they want continued access to the EU market.

The requirements of the CRA push manufacturers towards “Proactive Cyber Security Engineering” during software development.

The CRA may require mandatory third-party conformity assessment audits for certain critical products such as smart cards, critical infrastructure components, etc. In other cases, self-assessment and documentation may be essential.

The CRA's compliance-by-design approach may require threat modelling at the design stage and the adoption of secure coding standards.

Secure coding standards aim to prevent vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, etc.

Under the DGPSI-AI framework for developers, we had indicated the following implementation specifications:

“The AI developer shall document a Risk Assessment of the model indicating its susceptibility to third party security compromise and the potential harm to the user or data principals whose personal data may be processed as well as the society at large.” (MIS-4; DGPSI-AI for AI developers)

“The AI model shall be audited by an independent third party auditor using an acceptable audit standard.” (MIS-11; DGPSI-AI for AI Developers)

Under these specifications, for any AI developer or any exporter embedding AI into their products, it would be considered necessary to add a CRA Compliance assessment.

While this is a Governance burden for the Exporters to manage, it can also be looked upon as an opportunity for professionals to develop services for improving compliance with the Cyber Resilience Act.

It is time we explore opportunities in this direction.

We also request MeitY to develop a note for “Digital Exporters” on EU-CRA Compliance.

FDPPI recently developed DGPSI-GDPR, an indigenously developed compliance framework for GDPR compliance.

Now it is time to work on EU-CRA compliance as well.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.