Penetration Test | Jan Kahmen | 5 min read

Cyber Resilience Act (CRA): More Protection for Networked Devices

The Cyber Resilience Act (CRA) aims to oblige manufacturers of connected devices to ensure that their products are adequately secured.


The Cyber Resilience Act (CRA) aims to oblige manufacturers of networked devices to ensure that their products are adequately secured. Specifically, this means that all devices produced and sold for the European market must bear the CE mark. This mark guarantees that the device meets EU-wide security requirements.

This is intended to prevent, or at least make significantly harder, attacks on connected products in the future. In the past there have been repeated cases in which attackers exploited security vulnerabilities in connected devices to penetrate private networks or steal sensitive data.

To ensure compliance with the new rules, member states are obliged to set up national authorities to oversee and enforce the Cyber Resilience Act. Companies that fail to comply with the regulations face severe penalties.

The EU Council decision has been welcomed by data protection and consumer advocates, who see it as an important step towards greater security in the digital space. Industry associations, such as the Association of the Internet Industry (eco), have also expressed their support for the new regulations.

There are also critical voices, however. Supporters of a free market economy complain that the Cyber Resilience Act interferes too much with entrepreneurial freedom and makes it harder to manufacture and sell networked devices.

Nevertheless, the Cyber Resilience Act is an important step towards a secure and reliable digital market. Only with uniform security standards and stricter regulations can we protect ourselves effectively against cyber attacks. For consumers, this also means greater security when dealing with networked devices.

New Cybersecurity Regulation: Applicable in 3 Years

Recently, a new regulation was published in the Official Journal that will have a wide range of effects on the market. The regulation enters into force 20 days after publication. However, there is a transitional period of three years before all products on the market have to meet the new cybersecurity requirements. By November 2027 at the latest, all products must carry a CE marking documenting that they comply with the regulation. Other obligations apply sooner: in just 21 months, for example, the requirement to report actively exploited IT vulnerabilities takes effect.

The regulation aims to give consumers and companies more security when dealing with networked devices. In the future, the familiar CE mark will also stand for cybersecurity.

Important Aspects of the CRA

  • Cybersecurity from the outset: Manufacturers must check their products for possible security risks as early as the development phase and minimize them.
  • Secure by Design and Secure by Default: Products must be designed with security built in and must ship with secure default settings.
  • Software Bill of Materials (SBOM): Manufacturers must create a detailed inventory of the software components used in their products.
  • Declaration of Conformity: Manufacturers must demonstrate that their products meet all CRA requirements.
  • Vulnerability reporting requirement: Manufacturers must report serious security vulnerabilities through a central platform.
  • Longer support period: Manufacturers must provide security updates for their products for a period of at least five years.

The focus here is on the security of products with digital elements and a data connection. Manufacturers are encouraged to develop and design these in accordance with the essential requirements for cybersecurity. Household appliances, computer hardware, consumer electronics, software and cloud solutions are among the wide range of products affected.

Compulsory Measures: New Rules for Manufacturers and Retailers

From now on, manufacturers, importers and retailers are legally obliged to ensure the security of their products. In the future, products bearing the familiar CE mark must also be protected against possible IT attacks. A central reporting office must be informed about potential incidents, and regular security updates must be offered.

European technical legislation is thus implementing the “security by design” principle. This means that responsibility for the cybersecurity of products and applications lies with the manufacturer from the outset and must be assumed throughout the entire life cycle.

The CRA is an EU regulation and therefore does not have to be transposed into national law by the member states. Parliament already gave its consent to the Council in March.

Sources

EU Council launches Cyber Resilience Act - Heise

EU Cyber Resilience Act - EU

Cyber Resilience Act - BSI
