Navigating the Cyber Resilience Act: A manufacturer's roadmap to compliance
Cybercrime has grown to become the world’s third-largest economy after the US and China, according to the World Economic Forum (WEF). Based on data from Cybersecurity Ventures, cybercrime is estimated to cost the world $10.5 trillion by 2025.
In response to these escalating challenges, the Cyber Resilience Act (CRA) and other directives such as NIS2, DORA, and RCE embody Europe's approach to combating the growing cybersecurity threats in our ever-evolving digital landscape.
Before diving into the details in this blog post, one thing is clear – the EU’s naming of its new act is right on trend.
“Everyone is talking about cyber and resilience these days,” says Pär Torstensson, Product Manager of IoT in Nexus. “While ‘cyber’ often refers to computer-related matters only, ‘resilience’ has gained in popularity, particularly in a post-pandemic world. It represents the necessity to adapt during challenging times, in contrast to the more forceful tone associated with ‘cybersecurity.’”
What is the aim of the CRA?
The Cyber Resilience Act (CRA) is an EU regulation currently being deliberated by the European Parliament that aims to enhance the cyber resilience of connected products with digital elements. To combat the growing cybersecurity challenges and costs, and address vulnerabilities, the Cyber Resilience Act has four specific goals:
- To ensure manufacturers improve the cybersecurity of connected products with a digital component throughout the whole life cycle;
- To create a single, coherent framework for cybersecurity compliance within the EU;
- To increase the transparency of cybersecurity practices and properties of products and their manufacturers, and
- To provide consumers and businesses with secure products ready for use.
If the EU regulation is approved in its current form, connected products with digital elements will, for example, require CE marking, making the security requirements mandatory; products without CE marking could then no longer be sold in the EU.
Who is responsible for CRA compliance?
At its core, the CRA regulation will apply to all manufacturers of connected products with digital elements that will be made available in the EU, regardless of whether they are based in the EU or not. Connected products with digital elements include any software or hardware product that has a direct or indirect logical or physical data connection to a device or network.
Until now, European cybersecurity regulations have primarily been aimed at operators, who are also the risk owners for their “critical services.” This requires operators to shoulder cybersecurity responsibilities. However, the soaring number of security incidents within the supply chain in recent years and the rise of the internet of things (IoT) have illuminated a critical issue: operators struggle to monitor the diverse hardware and software components they are responsible for. This is often because operators lack the technical expertise and rely heavily on the manufacturers for guidance. The CRA addresses this challenge by aiming to enhance the cyber resilience of EU operators through centralizing responsibility at its core, shifting a sizable portion of these responsibilities directly onto the manufacturers.
Compliance actions and timelines for manufacturers
Manufacturers must ensure compliance throughout the manufacturing process, encompassing planning, development, and production stages. Additionally, importers and distributors are tasked with verifying manufacturers' compliance.
To meet legislative requirements, manufacturers must:
- Incorporate cybersecurity measures during the development and production of digital products. This includes encryption, access control, and regular security updates.
- Provide technical documentation detailing their products' security features, vulnerabilities, and potential risks.
- Collaborate on incident reporting with authorities and report incidents and vulnerabilities promptly. For instance, manufacturers must notify the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of an actively exploited vulnerability. Users of the products should also be informed and, if necessary, told of any available mitigating measures. The manufacturer is responsible for regular security testing and inspection of the products.
Although the Cyber Resilience Act is in its early stages, manufacturers will have a two-year window to become compliant once it is approved, while reporting obligations will apply 12 months after it enters into force (Article 57). Considering past regulations and directives, full compliance won't be mandatory until 2025 or 2026.
However, this doesn't imply that preparation should be postponed. When the General Data Protection Regulation (GDPR) was enforced in the EU, companies had to make significant changes to their operations, especially in how they handled consumer data, advertising, cookies, and more. The Cyber Resilience Act has the potential to be just as complex and revolutionary, altering the way IoT manufacturers and software providers manage security for their products.
How can Nexus help?
Nexus is your trusted partner in navigating the complex cybersecurity landscape and complying with the Cyber Resilience Act. We offer specialized expertise and guidance to ensure your products and services meet the CRA’s requirements. With our cutting-edge security solutions, built on Nexus Smart ID PKI (Public Key Infrastructure) technology, we fortify the cyber resilience of your IoT devices, ensuring compliance and safeguarding your business operations.
Published 16/02 2024