What are the implications of the Cyber Resilience Act? What manufacturers, importers, and distributors need to consider now
In an effort to increase the security level of connected devices, the EU Commission’s Cyber Resilience Act is making manufacturers, importers, and distributors responsible and liable for creating secure devices and maintaining that level of security throughout the product’s life-cycle. This is the EU’s response to the wide-spread low level of cybersecurity of such devices combined with an increasing threat landscape, which caused global annual costs of more than EUR 5.5 trillion in 2021 as a result of successful attacks on connected devices and other systems.
More than 100 pages of EU regulation contain a lot of information about the upcoming requirements, thus we attempt to summarize the most relevant sections and paragraphs here from the point of view of a manufacturer, importer, or distributor of connected devices.
The following bullet points provide a quick overview of the upcoming requirements, which the Cyber Resilience Act is mandating to strengthen the cyber resilience of EU member states.
According to the draft law,
In the following, we point out the individual requirements and guidelines of the Cyber Resilience Act in detail.
The paper of the EU Commission postulates the claim of the Cyber Resilience Act by addressing the two major problems: The low level of cybersecurity in products with digital elements, and the inconsistent delivery of security updates to address these vulnerabilities. The second focus is on information and access to users, who often lack knowledge of existing vulnerabilities – especially for assets that are embedded in an infrastructure and rarely handled by the company’s own IT.
The regulation is intended to define the guiding principles for the development of secure products with digital elements – and manufacturers and distributors alike will have to take security seriously throughout a product’s lifecycle in the future. However, this also means that customers are no longer eligible as beta testers: The regulation contains the clear obligation to bring a product onto the market that is already free of exploitable vulnerabilities!
The Commission’s proposal provides for the new requirements to apply as early as 24 months after the regulation enters into force. Individual elements, such as the obligation to report security incidents, are enacted after 12 months already. This puts particular pressure on companies that supply connected devices – i.e., from vacuum cleaner robots to smart TVs to industrial equipment containing foreign components with microchips. Typically, these devices follow longer development cycles. Companies may currently order devices from OEM manufacturers that will be launched in the coming year.
In the future, manufacturers, importers, and distributors will be required to inform ENISA – the European Union Agency for Cyber Security – within 24 hours when a security vulnerability is exploited or part of a security incident . This applies to all problems that have an impact on security:Information obligations don’t end with ENISA – wherever users of devices are affected, they must be informed transparently and with actionable mitigation advice.Exceeding the reporting deadlines is already subject to sanctions.
However, local structures and networking for Europe-wide cooperation and enforcement of the Cyber Resilience Act still need to be created. So-called market surveillance authorities in the individual member states will be responsible for implementing and enforcing the directive in the respective member states. In Germany, this task will most likely be assigned to the German Federal Office for Information Security (BSI), other countries will allocate this to similar governmental organizations.
In addition, the new EU legislation no longer makes a distinction between manufacturers and importers or distributors who sell OEM goods under their own label. In the future, this will also affect Internet providers who offer routers under their own label, or electronics markets that sell products under their own brands.
New EU legislation of the Cyber Resilience Act requires manufacturers to ensure the security and integrity of components or products and equipment for a period of five years or the intended lifecycle of a product, whichever is shorter.
IoT assets are in use not only by consumers, but also in industry – in factories, service and manufacturing – for much longer, even if the manufacturer discontinues the product after five years. The applying companies, but also the manufacturers, may extend the protection period here in order to offer customers or users even further added value and to avoid dangerous security vulnerabilities even in older products.
Going forward, the Cyber Resilience Act divides products into three categories. These can also be found in the factsheet of the EU Commission.
Around 90 percent of products will fall into the standard class in the future. Examples include smart speakers, video surveillance devices or other smart home devices that are not directly connected to the Internet. The remaining 10 percent of products are classified in the critical Class I and Class II categories. In the future, the EU will use criteria to determine the exact classification. These include functionality (e.g., critical software), the intended type of use (e.g., industrial control systems), and other criteria such as the extent of the impact of potential security problems. The critical Class I includes network routers, firewalls and microcontrollers, while operating systems, industrial firewalls, CPUs, etc. are classified in critical Class II.
Manufacturers must undergo a conformity assessment procedure to demonstrate compliance with the security requirements. Depending on the classification, different options are available to manufacturers for this purpose:
If deficiencies are identified in the process, the first step can be to order the elimination of the identified risk with further drastic escalation steps to follow. If the elimination does not meet the expectations of the authorities yet to be named, the provision of the respective product may be restricted or even banned altogether. The consequence is a sales stop up to a full recall of individual products until the standards of the Cyber Resilience Act are met.The fines postulated in the Cyber Resilience Act are severe: they amount to up to 15 million euros or 2.5 percent of a company’s annual turnover in the previous fiscal year. The higher value counts here. Larger companies with high annual turnover can expect a standard fine of 15 million or more.
The Cyber Resilience Act, once implemented, will bring significant changes to the way manufacturers operate, with new requirements for securing their networks, protecting sensitive data, and reporting cyber incidents. For manufacturers, this means they will need to review and update their existing cybersecurity practices and policies, to ensure compliance with the new regulations.
With product lifecycles often spanning multiple years, it is important for manufacturers to start now making necessary changes to their processes and systems, to ensure they are compliant with the new legislation once it is implemented. Failure to comply with the new regulations can result in significant penalties and damage to a company’s reputation. By proactively addressing the requirements of the Cyber Resilience Act, manufacturers can ensure that their products are secure and that they are in compliance with the new laws.
The Cyber Resilience Act proposed by the Commission will be adopted jointly by the European Parliament and the Council of Ministers. The process may involve up to three readings. So it may still take several weeks before the Cyber Resilience Act becomes reality. However, manufacturers, importers, and distributors should not rely on this – but take appropriate countermeasures as soon as possible and establish apropriate processes for testing, and responding to incidents involving their products.
ONEKEY’s security experts are at your disposal for any questions or requests concerning the Cyber Resilience Act.Are you ready for the Cyber Resilience Act? Book your CRA Readiness Assessment today or for a quick test use the CRA Checker free of charge.
ONEKEY is a leading European specialist for automated security & compliance analysis for manufacturing (OT) and Internet of Things (IoT) devices. Using automatically generated “Digital Twins” and “Software Bill of Materials (SBOM)” of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time and can thus be specifically remedied. Easily integrated into software development and procurement processes, the solution enables manufacturers, distributors, and users of IoT technology to check security and compliance quickly and automatically before use, 24/7 throughout the product lifecycle. Leading companies, such as SWISSCOM, VERBUND AG and ZYXEL, are using this platform today – For research institutions and non-profit organizations, the ONEKEY platform is available at discounted terms & conditions.
euromarcom public relations GmbH
+49 611 973 150