asvin GmbH
On October 10, 2024, the Council of the European Union adopted the European Cyber Resilience Act (CRA). It was published in the Official Journal of the European Union on November 20, 2024, as Regulation (EU) 2024/2847, entered into force on December 10, 2024, and applies in full from December 11, 2027. Some provisions apply earlier: the manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from September 11, 2026.
The Council adopted the new law on cybersecurity requirements for products with digital elements (PDEs) with a view to ensuring that products such as connected home cameras, fridges, TVs, and toys are secure before they are placed on the market.
The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.
What is the CRA?
The CRA is a comprehensive legal framework that establishes cybersecurity requirements for hardware and software products with digital elements sold in the European Union market. It addresses two critical issues:
- The lack of adequate security measures in many PDEs, including provisions for updates and vulnerability management.
- The need for consumers to have access to information that enables them to choose and use cyber-secure products effectively.
Who is Affected?
The CRA’s reach extends to various stakeholders in the digital product ecosystem:
– Manufacturers of PDEs, including hardware and software components
– Importers placing PDEs on the EU market
– Distributors, such as retailers
– Consumers and businesses using PDEs
Products covered under the CRA include a wide range of devices and software, from laptops and smartphones to industrial control systems and IoT devices. Products already covered by sector-specific EU cybersecurity rules (for example medical devices, motor vehicles, and civil aviation products) are excluded, as is free and open-source software that is not made available on the market in the course of a commercial activity.
Key Requirements
The CRA imposes several crucial obligations on manufacturers and other supply chain participants:
- Secure by Design: Products must be designed, developed, and produced in line with the essential requirements of Annex I within a secure development lifecycle (SDLC), must ship with a secure-by-default configuration, and must not be placed on the market with known exploitable vulnerabilities.
- Vulnerability Handling: Manufacturers must identify and document vulnerabilities, provide security updates without delay and free of charge for the support period (at least five years, unless the product is expected to be in use for a shorter time), and operate a coordinated vulnerability disclosure policy with a contact point for reporters.
- Incident Reporting: An actively exploited vulnerability, or a severe incident affecting the security of the product, must be notified via ENISA's single reporting platform to the designated CSIRT coordinator and ENISA: an early warning within 24 hours of becoming aware of it, a fuller notification within 72 hours, and a final report within 14 days (within one month for incidents).
- Documentation: Manufacturers must maintain comprehensive technical documentation, including a Software Bill of Materials (SBOM) in a commonly used, machine-readable format that covers at least the product's top-level dependencies.
- User Instructions: Clear information on cybersecurity risks, security features, the support period, and how to report vulnerabilities must be provided to users.
Why the CRA Matters
The CRA represents a significant leap forward in cybersecurity regulation for several reasons:
- Harmonization: It creates a single set of cybersecurity requirements and a CE-marking conformity route across the EU, reducing compliance complexity for businesses.
- Consumer Protection: By mandating security measures and transparent information, the CRA empowers consumers to make informed decisions about the products they use.
- Global Influence: As a comprehensive cybersecurity framework, the CRA is likely to influence product development and security practices worldwide, especially for companies wishing to access the EU market.
The EU Cyber Resilience Act marks a pivotal moment in the ongoing battle against cyber threats. By setting clear standards and expectations for digital product security, the CRA aims to create a safer digital environment for all Europeans while fostering innovation and competitiveness in the tech industry. As we move towards implementation, businesses should start preparing now to ensure compliance and leverage the opportunities this new regulatory landscape presents.
DOSS alignment with CRA
In several crucial areas, the DOSS (Design and Operation of Secure IoT Supply Chain) initiative complements the goals of the Cyber Resilience Act (CRA):
Secure-by-design methodology: DOSS's focus on a secure-by-design methodology for IoT devices directly supports the CRA's requirement that products be developed with cybersecurity in mind from the outset.
Supply chain security: With the use of an integrated “Supply Trust Chain” that links all relevant stakeholders, the initiative makes it easier to monitor IoT devices from production to decommissioning. This is consistent with the CRA’s emphasis on supply chain transparency and security.
Digital twin for security modeling: The project uses an AI-assisted cybersecurity digital twin to model IoT infrastructures and identify possible attack scenarios before they occur. This proactive approach matches the CRA's requirement that manufacturers perform and document a cybersecurity risk assessment for their products.
Device Security Passport (DSP): DOSS introduces a machine-readable document that bundles the hardware and software bills of materials with other security-related product information. This maps onto the CRA's documentation requirements, including the requirement for a machine-readable SBOM.
Research will assess known descriptors of a device such as the Software Bill of Materials (SBOM), the Hardware Bill of Materials (HBOM), the Manufacturer Usage Description (MUD file, RFC 8520), and Vulnerability Exploitability eXchange (VEX) statements, as well as the use of certificates and their levels and the device's compliance with standards and regulations.
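To make concrete what "machine-readable" buys a manufacturer, the following added example (not DOSS's DSP format and not code from the project) joins a CycloneDX-style SBOM with VEX statements and reports which components still need action, which vulnerabilities have been dispositioned, and which VEX references point at components that are not in the SBOM at all. The field names follow the CycloneDX `components` and `vulnerabilities` objects as I recall them; the sample SBOM, the vulnerability identifiers, and the component names are constructed placeholders.

```python
"""Join a CycloneDX-style SBOM with VEX statements (illustrative, not the DOSS DSP schema).

Assumptions: "bom-ref" identifies a component, and each VEX entry lists
"affects[].ref" values that point at those bom-refs, with the disposition in
"analysis.state" as in CycloneDX 1.4+ (exploitable, in_triage, not_affected,
resolved, false_positive, ...). Treat these field names as an assumption.
"""
import json

# Constructed sample SBOM: three firmware components, identified by bom-ref.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:generic/example-tls@1.2.0", "name": "example-tls", "version": "1.2.0"},
        {"bom-ref": "pkg:generic/example-httpd@3.0.1", "name": "example-httpd", "version": "3.0.1"},
        {"bom-ref": "pkg:generic/example-zlib@1.3.0", "name": "example-zlib", "version": "1.3.0"},
    ],
})

# Constructed VEX document. The vulnerability IDs are placeholders, not real CVEs.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "affects": [{"ref": "pkg:generic/example-tls@1.2.0"}],
         "analysis": {"state": "exploitable"}},
        {"id": "EXAMPLE-0002",
         "affects": [{"ref": "pkg:generic/example-httpd@3.0.1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "EXAMPLE-0003",
         # Deliberately references a component that the SBOM does not list.
         "affects": [{"ref": "pkg:generic/example-sqlite@3.44.0"}],
         "analysis": {"state": "in_triage"}},
    ],
})

# States that still require work by the manufacturer. Any other state is a
# closed disposition (not_affected, resolved, false_positive, ...).
OPEN_STATES = {"exploitable", "in_triage"}


def load_components(sbom_json):
    """Index SBOM components by their bom-ref so VEX refs can be resolved."""
    return {c["bom-ref"]: c for c in json.loads(sbom_json).get("components", [])}


def triage(sbom_json, vex_json):
    """Cross-reference SBOM and VEX.

    Returns a dict with:
      open      - (name, version, vuln id, state) needing action
      closed    - (name, version, vuln id, state) already dispositioned
      dangling  - (vuln id, ref) where the VEX ref matches no SBOM component
      uncovered - (name, version) SBOM components no VEX statement mentions;
                  silence is not the same as "not_affected"
    """
    comps = load_components(sbom_json)
    open_items, closed, dangling, mentioned = [], [], [], set()
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        # A VEX entry without an analysis block has not been dispositioned yet.
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for affected in vuln.get("affects", []):
            ref = affected["ref"]
            if ref not in comps:
                dangling.append((vuln["id"], ref))
                continue
            mentioned.add(ref)
            item = (comps[ref]["name"], comps[ref]["version"], vuln["id"], state)
            (open_items if state in OPEN_STATES else closed).append(item)
    uncovered = [(c["name"], c["version"]) for ref, c in comps.items() if ref not in mentioned]
    return {
        "open": sorted(open_items),
        "closed": sorted(closed),
        "dangling": sorted(dangling),
        "uncovered": sorted(uncovered),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON, VEX_JSON), indent=2))
```

The "dangling" and "uncovered" buckets are the part a practitioner actually wants: a VEX statement that names a component the SBOM does not contain usually means the two documents were generated from different builds, and a component with no statement at all has simply not been assessed, which must not be read as "not affected".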
Compliance validation: To support the CRA's conformity assessment needs, the project incorporates an Architecture Security Validator that checks a design against industry standards and regulatory requirements.
Vulnerability management: In keeping with the CRA’s emphasis on vulnerability handling and reporting, DOSS includes procedures for locating and fixing vulnerabilities.
The DOSS project is well-positioned to assist firms in fulfilling several CRA criteria by tackling these areas, especially in the areas of supply chain management and IoT security.