
Security Regulations: EU's Cyber Resilience Act

Quite often we buy things that have digital elements to them. Think about a new smartphone, or in an industrial environment, an IoT device. But most people don’t think about the security risks these items can bring with them. The Cyber Resilience Act (CRA) should bring change to this.


What does the CRA cover?

The Cyber Resilience Act applies to “any software or hardware products and its remote data processing solutions, including the software or hardware components to be placed on the market separately”. So, we can state that the CRA will apply to hardware and software products across their entire lifecycle, and to manufacturers, distributors and importers alike.

Hardware and software products often have a low level of security implemented in them and therefore a large number of vulnerabilities. These vulnerabilities can be exploited by people with malicious intent to use the products in ways that were never intended. Besides that, there is usually little information on the security safeguards that are in place in a product. The CRA will tackle these two problems. Manufacturers will have to build security into the lifecycle of their products, from the design phase through the obsolescence phase. They can do this by testing their own products more thoroughly, so that they release products with fewer vulnerabilities in them.

Furthermore, they will also have to be a lot more transparent in disclosing the security features of their products. To make sure that there is a regulated baseline for all products, a new framework will be set up. By using this framework, manufacturers can show they are compliant with the CRA.

Manufacturers, distributors and importers that are not compliant can be fined up to 15 million euro or 2.5% of their total yearly worldwide revenue, whichever is higher.


Which products are covered?

The Act splits the covered products into three categories:

  • Class I
  • Class II
  • Unclassified or Default

Products in the Default class are products without critical cybersecurity vulnerabilities. Products in Class I or II are split based on their level of risk (for example: is the product used in sensitive environments?).


When will this Act be effective?

At the moment the CRA is a proposal, a draft law, so it still must be approved by the European Parliament and the Council. After approval, manufacturers will have 2 years to comply with the Cyber Resilience Act.


How can we help you?

As a security partner, spotit will continue to monitor this on an ongoing basis and communicate again if anything changes. Keep an eye on our website and social media to stay tuned!