EU Cyber Resilience Act: What to watch out for now
What are the implications of the Cyber Resilience Act? What manufacturers, importers, and distributors need to consider now
In an effort to raise the security level of connected devices, the EU Commission's Cyber Resilience Act makes manufacturers, importers, and distributors responsible and liable for creating secure devices and for maintaining that level of security throughout the product's life-cycle. This is the EU's response to the widespread low level of cybersecurity in such devices, combined with a growing threat landscape: successful attacks on connected devices and other systems caused global annual costs of more than EUR 5.5 trillion in 2021.
More than 100 pages of EU regulation describe the upcoming requirements, so we summarize the most relevant sections and paragraphs here from the point of view of a manufacturer, importer, or distributor of connected devices.
The following bullet points provide a quick overview of the upcoming requirements that the Cyber Resilience Act mandates to strengthen the cyber resilience of EU member states.
According to the draft law:
- cybersecurity becomes a mandatory companion throughout the planning, design, development, production, delivery, and maintenance phases,
- manufacturers need to implement mature cybersecurity processes to assure product security and to follow set procedures in case of an emergency,
- this is accompanied by mandatory documentation of cybersecurity risks,
- there is a reporting obligation for actively exploited vulnerabilities and incidents,
- there is a duty to monitor and mitigate vulnerabilities during the expected product lifecycle,
- there is an obligation to publish security information, including how to securely install and operate devices,
- future development will be in the hands of ENISA, the European Union Agency for Cybersecurity.
In the following, we point out the individual requirements and guidelines of the Cyber Resilience Act in detail.
The EU Commission's paper justifies the Cyber Resilience Act by addressing two major problems: the low level of cybersecurity in products with digital elements, and the inconsistent delivery of security updates to address their vulnerabilities. A second focus is on information for and access by users, who often lack knowledge of existing vulnerabilities, especially for assets that are embedded in an infrastructure and rarely handled by the company's own IT.
The regulation is intended to define the guiding principles for the development of secure products with digital elements, and manufacturers and distributors alike will have to take security seriously throughout a product's lifecycle in the future. This also means that customers can no longer serve as beta testers: the regulation contains the clear obligation to bring a product onto the market that is already free of exploitable vulnerabilities.
What are the steps to cyber-resilience?
The Commission's proposal provides for the new requirements to apply as early as 24 months after the regulation enters into force. Individual elements, such as the obligation to report security incidents, take effect after only 12 months. This puts particular pressure on companies that supply connected devices, from vacuum cleaner robots to smart TVs to industrial equipment containing third-party components with microchips. Such devices typically follow longer development cycles: companies may currently be ordering devices from OEM manufacturers that will only be launched in the coming year.
ENISA takes control of the Cyber Resilience Act
In the future, manufacturers, importers, and distributors will be required to inform ENISA, the European Union Agency for Cybersecurity, within 24 hours when a security vulnerability is actively exploited or is part of a security incident. This applies to all problems that have an impact on security.
Information obligations don't end with ENISA: wherever users of devices are affected, they must be informed transparently and given actionable mitigation advice.
Exceeding the reporting deadlines is already subject to sanctions.
Local authorities for cyber-resilience services
However, local structures and networks for Europe-wide cooperation and enforcement of the Cyber Resilience Act still need to be created. So-called market surveillance authorities in the individual member states will be responsible for implementing and enforcing the regulation in their respective countries. In Germany, this task will most likely be assigned to the German Federal Office for Information Security (BSI); other countries will allocate it to similar governmental organizations.
Importers and distributors will be treated as manufacturers
In addition, the new EU legislation no longer distinguishes between manufacturers and importers or distributors who sell OEM goods under their own label. In the future, this will also affect Internet providers that offer routers under their own label, and electronics retailers that sell products under their own brands.
Protection period under the Cyber Resilience Act
The Cyber Resilience Act requires manufacturers to ensure the security and integrity of components, products, and equipment for a period of five years or the intended lifecycle of a product, whichever is shorter.
IoT assets are in use not only by consumers but also in industry, in factories, service, and manufacturing, for much longer, even if the manufacturer discontinues the product after five years. Companies that deploy such assets, as well as the manufacturers themselves, may extend the protection period in order to offer customers and users further added value and to avoid dangerous security vulnerabilities even in older products.
Three product classes
Going forward, the Cyber Resilience Act divides products into three categories. These can also be found in the factsheet of the EU Commission.
Around 90 percent of products will fall into the standard class in the future. Examples include smart speakers, video surveillance devices, and other smart home devices that are not directly connected to the Internet. The remaining 10 percent of products are classified in the critical Class I and Class II categories. The EU will use defined criteria to determine the exact classification. These include functionality (e.g., critical software), the intended type of use (e.g., industrial control systems), and other criteria such as the extent of the impact of potential security problems. Critical Class I includes network routers, firewalls, and microcontrollers, while operating systems, industrial firewalls, CPUs, etc. are classified in critical Class II.
Penalties for non-compliance with the Cyber Resilience Act
Manufacturers must undergo a conformity assessment procedure to demonstrate compliance with the security requirements. Depending on the classification, different options are available to manufacturers for this purpose:
- Self-assessment: the manufacturer carries out the conformity assessment of products with digital elements under its own responsibility.
- Assessment by a third party: given the even greater cybersecurity risk associated with Class II devices, the conformity assessment may be performed by a third party.
If deficiencies are identified in the process, the first step can be an order to eliminate the identified risk, with further drastic escalation steps to follow. If the elimination does not meet the expectations of the authorities yet to be named, the provision of the respective product may be restricted or even banned altogether. The consequences range from a sales stop to a full recall of individual products until the standards of the Cyber Resilience Act are met.
The fines postulated in the Cyber Resilience Act are severe: they amount to up to 15 million euros or 2.5 percent of a company's annual turnover in the previous fiscal year, whichever is higher. Larger companies with high annual turnover can therefore expect a standard fine of 15 million or more.
Manufacturers need to act now to prepare for the new Cyber Resilience Act and avoid penalties for non-compliance
The Cyber Resilience Act, once implemented, will bring significant changes to the way manufacturers operate, with new requirements for securing their networks, protecting sensitive data, and reporting cyber incidents. Manufacturers will need to review and update their existing cybersecurity practices and policies to ensure compliance with the new regulations.
With product lifecycles often spanning multiple years, manufacturers should start making the necessary changes to their processes and systems now, so that they are compliant once the legislation takes effect. Failure to comply can result in significant penalties and damage to a company's reputation. By proactively addressing the requirements of the Cyber Resilience Act, manufacturers can ensure that their products are secure and that they comply with the new law.
What are the next steps for cyber resilience?
The Cyber Resilience Act proposed by the Commission will be adopted jointly by the European Parliament and the Council of Ministers. The process may involve up to three readings, so it may still take several weeks before the Cyber Resilience Act becomes reality. However, manufacturers, importers, and distributors should not rely on this delay, but should take appropriate countermeasures as soon as possible and establish appropriate processes for testing their products and responding to incidents involving them.
ONEKEY’s security experts are at your disposal for any questions or requests concerning the Cyber Resilience Act.
Are you ready for the Cyber Resilience Act? Book your CRA Readiness Assessment today or for a quick test use the CRA Checker free of charge.
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
CONTACT:
Sara Fortmann
Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
+49 611 973 150
team@euromarcom.de