In an effort to increase the security level of connected devices, the
is making manufacturers, importers, and distributors responsible and liable for creating secure devices and maintaining that level of security throughout the product’s life-cycle. This is the EU's response to the wide-spread low level of cybersecurity of such devices combined with an increasing threat landscape, which caused global annual costs of more than EUR 5.5 trillion in 2021 as a result of successful attacks on connected devices and other systems.

More than 100 pages of EU regulation contain a lot of information about the upcoming requirements, thus we attempt to summarize the most relevant sections and paragraphs here from the point of view of a manufacturer, importer, or distributor of connected devices.

The following bullet points provide a quick overview of the upcoming requirements, which the Cyber Resilience Act is mandating to strengthen the cyber resilience of EU member states.

According to the draft law,

• cybersecurity becomes a mandatory companion throughout planning, design, development, production, delivery, and maintenance phases
• mature cybersecurity processes need to be implemented by manufacturers to assure product security and following set procedures in case of emergency,
• this will be accompanied by a mandatory documentation of cybersecurity risks,
• a reporting obligation for actively exploited vulnerabilities and incidents,
• a duty to monitor and mitigate vulnerabilities during the expected product lifecycle ,
• an obligation to also publish security information and how to securely install and operate devices
• the future development will be in the hands of ENISA – the European agency for cybersecurity.

‍
In the following, we point out the individual requirements and guidelines of the Cyber Resilience Act in detail.

The paper of the EU Commission postulates the claim of the Cyber Resilience Act by addressing the two major problems: The low level of cybersecurity in products with digital elements, and the inconsistent delivery of security updates to address these vulnerabilities. The second focus is on information and access to users, who often lack knowledge of existing vulnerabilities - especially for assets that are embedded in an infrastructure and rarely handled by the company's own IT.

The regulation is intended to define the guiding principles for the development of secure products with digital elements - and manufacturers and distributors alike will have to take security seriously throughout a product's lifecycle in the future. However, this also means that customers are no longer eligible as beta testers: The regulation contains the clear obligation to bring a product onto the market that is already free of exploitable vulnerabilities!

What are the steps to cyber-resilience?

The Commission's proposal provides for the new requirements to apply as early as 24 months after the regulation enters into force. Individual elements, such as the obligation to report security incidents, are enacted after 12 months already. This puts particular pressure on companies that supply connected devices - i.e., from vacuum cleaner robots to smart TVs to industrial equipment containing foreign components with microchips. Typically, these devices follow longer development cycles. Companies may currently order devices from OEM manufacturers that will be launched in the coming year.

ONEKEY is already able to comprehensively scan and understand connected device’s binary firmware for vulnerabilities violating essential requirements of the upcoming Cyber Resilience Act with its cloud-based (or on-premises installed) analysis platform. Violations are highlited and listed with the interactive online platform for easy understanding to cut fix times and effort for compliance.

ENISA takes control of the Cyber Resilience Act

In the future, manufacturers, importers, and distributors will be required to inform
- the European Union Agency for Cyber Security - within 24 hours when a security vulnerability is exploited or part of a security incident. This applies to all problems that have an impact on security:

Information obligations don’t end with ENISA – wherever users of devices are affected, they must be informed transparently and with actionable mitigation advice.
Exceeding the reporting deadlines is already subject to sanctions.

With ONEKEY's Real-Time Monitoring, customers can stay compliant with the Cyber Resilience Act by receiving immediate notifications of security vulnerabilities and incidents. The monitoring service provides the necessary information and actionable mitigation advice to inform ENISA within the required 24-hour timeframe. Additionally, ONEKEY offers a notification service that automatically sends the required information to ENISA on the customer's behalf, minimizing the risk of exceeding reporting deadlines and facing sanctions. Utilizing ONKEY's Real-Time Monitoring can help customers stay compliant and secure.

Local authorities for cyber-resilience services

However, local structures and networking for Europe-wide cooperation and enforcement of the Cyber Resilience Act still need to be created. So-called market surveillance authorities in the individual member states will be responsible for implementing and enforcing the directive in the respective member states. In Germany, this task will most likely be assigned to the German Federal Office for Information Security (BSI), other countries will allocate this to similar governmental organizations.

Regardless of future structures, ONEKEY's firmware analysis platform is already capable of reliably detecting a majority of all security vulnerabilities - up to and including the dangerous zero-day exploits. Thus, ONEKEY offers a comprehensive cyber-resilience service.

Importers and distributors will be treated as manufacturers

In addition, the new EU legislation no longer makes a distinction between manufacturers and importers or distributors who sell OEM goods under their own label. In the future, this will also affect Internet providers who offer routers under their own label, or electronics markets that sell products under their own brands.

To help companies without their own security experts or in case of non-available resources, ONEKEY offers turnkey concepts and implementations for product security and related risk management. This will enable any type of company to prepare early for the upcoming legal product security regulations.

Protection period under the Cyber Resilience Act

New EU legislation of the Cyber Resilience Act requires manufacturers to ensure the security and integrity of components or products and equipment for a period of five years or the intended lifecycle of a product, whichever is shorter.

IoT assets are in use not only by consumers, but also in industry - in factories, service and manufacturing - for much longer, even if the manufacturer discontinues the product after five years. The applying companies, but also the manufacturers, may extend the protection period here in order to offer customers or users even further added value and to avoid dangerous security vulnerabilities even in older products.

Using ONEKEY’s automated product security analysis platform, the firmware of a product can be continuously monitored against the provisions of the Cyber Resilience Act - not just by original manufacturers, but also by importers or distributors and even companies that only using IoT devices. The software security and its compliance can be made transparent - regardless of the manufacturer. ONEKEY’s automated security and compliance analysis is available for everyone from product design and development to post production phase.

Three product classes

Going forward, the Cyber Resilience Act divides products into three categories.

Around 90 percent of products will fall into the standard class in the future. Examples include smart speakers, video surveillance devices or other smart home devices that are not directly connected to the Internet. The remaining 10 percent of products are classified in the critical Class I and Class II categories. In the future, the EU will use criteria to determine the exact classification. These include functionality (e.g., critical software), the intended type of use (e.g., industrial control systems), and other criteria such as the extent of the impact of potential security problems. The critical Class I includes network routers, firewalls and microcontrollers, while operating systems, industrial firewalls, CPUs, etc. are classified in critical Class II.

Penalties for non-compliance to the Cyber Resilience Act

Manufacturers must undergo a conformity assessment procedure to demonstrate compliance with the security requirements. Depending on the classification, different options are available to manufacturers for this purpose:

• The manufacturer carries out the conformity assessment of products with digital elements under his own responsibility.
• Assessment by a third party: Given the even greater cybersecurity risk associated with Class II devices, the conformity assessment may be performed by a third party.

‍
If deficiencies are identified in the process, the first step can be to order the elimination of the identified risk with further drastic escalation steps to follow. If the elimination does not meet the expectations of the authorities yet to be named, the provision of the respective product may be restricted or even banned altogether. The consequence is a sales stop up to a full recall of individual products until the standards of the Cyber Resilience Act are met.

The fines postulated in the Cyber Resilience Act are severe: they amount to up to 15 million euros or 2.5 percent of a company's annual turnover in the previous fiscal year. The higher value counts here. Larger companies with high annual turnover can expect a standard fine of 15 million or more.

Manufacturers need to act now to prepare for new Cyber Resilience Act to avoid penalties and non-compliance

The Cyber Resilience Act, once implemented, will bring significant changes to the way manufacturers operate, with new requirements for securing their networks, protecting sensitive data, and reporting cyber incidents. For manufacturers, this means they will need to review and update their existing cybersecurity practices and policies, to ensure compliance with the new regulations.

With product lifecycles often spanning multiple years, it is important for manufacturers to start now making necessary changes to their processes and systems, to ensure they are compliant with the new legislation once it is implemented. Failure to comply with the new regulations can result in significant penalties and damage to a company's reputation. By proactively addressing the requirements of the Cyber Resilience Act, manufacturers can ensure that their products are secure and that they are in compliance with the new laws.

ONEKEY’s unique hybrid offering of an automated security analysis platform, combined with experts advice, will help product manufacturers to prepare early. This will ensure that upcoming regulations will be met in time by having security processes and monitoring implemented.

What are the next steps for cyber resilience?

The Cyber Resilience Act proposed by the Commission will be adopted jointly by the European Parliament and the Council of Ministers. The process may involve up to three readings. So it may still take several weeks before the Cyber Resilience Act becomes reality. However, manufacturers, importers, and distributors should not rely on this – but take appropriate countermeasures as soon as possible and establish apropriate processes for testing, and responding to incidents involving their products.

ONEKEY’s security experts are at your disposal for any questions or requests concerning the Cyber Resilience Act.
Are you ready for the Cyber Resilience Act? Book your
today or for a quick test use the CRA Checker free of charge.