Reducing Common Vulnerabilities and Exposures (CVEs) in Software Development
- cybersecurity becomes a mandatory companion throughout the planning, design, development, production, delivery, and maintenance phases,
- mature cybersecurity processes must be implemented by manufacturers to assure product security and to follow set procedures in case of emergency,
- this will be accompanied by mandatory documentation of cybersecurity risks,
- a reporting obligation for actively exploited vulnerabilities and incidents,
- a duty to monitor and mitigate vulnerabilities during the expected product lifecycle,
- an obligation to also publish security information and instructions on how to securely install and operate devices,
- future development will be in the hands of ENISA – the European agency for cybersecurity.
What are the steps to cyber-resilience?
The Commission's proposal provides for the new requirements to apply as early as 24 months after the regulation enters into force. Individual elements, such as the obligation to report security incidents, are enacted after 12 months already. This puts particular pressure on companies that supply connected devices - i.e., from vacuum cleaner robots to smart TVs to industrial equipment containing foreign components with microchips. Typically, these devices follow longer development cycles. Companies may currently order devices from OEM manufacturers that will be launched in the coming year.
ENISA takes control of the Cyber Resilience Act
In the future, manufacturers, importers, and distributors will be required to inform ENISA - the European Union Agency for Cyber Security - within 24 hours when a security vulnerability is exploited or is part of a security incident. This applies to all problems that have an impact on security. Information obligations don’t end with ENISA – wherever users of devices are affected, they must be informed transparently and with actionable mitigation advice. Exceeding the reporting deadlines is already subject to sanctions.
Local authorities for cyber-resilience services
However, local structures and networking for Europe-wide cooperation and enforcement of the Cyber Resilience Act still need to be created. So-called market surveillance authorities in the individual member states will be responsible for implementing and enforcing the directive in their respective countries. In Germany, this task will most likely be assigned to the German Federal Office for Information Security (BSI); other countries will allocate it to similar governmental organizations.
Importers and distributors will be treated as manufacturers
In addition, the new EU legislation no longer makes a distinction between manufacturers and importers or distributors who sell OEM goods under their own label. In the future, this will also affect Internet providers who offer routers under their own label, or electronics markets that sell products under their own brands.
Protection period under the Cyber Resilience Act
The new EU legislation of the Cyber Resilience Act requires manufacturers to ensure the security and integrity of components, products, and equipment for a period of five years or the intended lifecycle of a product, whichever is shorter. IoT assets are in use not only by consumers, but also in industry - in factories, service, and manufacturing - for much longer, even if the manufacturer discontinues the product after five years. Companies deploying the products, but also the manufacturers, may extend the protection period here in order to offer customers or users further added value and to avoid dangerous security vulnerabilities even in older products.
Three product classes
Going forward, the Cyber Resilience Act divides products into three categories. These can also be found in the factsheet of the EU Commission. Around 90 percent of products will fall into the standard class in the future. Examples include smart speakers, video surveillance devices, or other smart home devices that are not directly connected to the Internet. The remaining 10 percent of products are classified in the critical Class I and Class II categories. In the future, the EU will use criteria to determine the exact classification. These include functionality (e.g., critical software), the intended type of use (e.g., industrial control systems), and other criteria such as the extent of the impact of potential security problems. The critical Class I includes network routers, firewalls, and microcontrollers, while operating systems, industrial firewalls, CPUs, etc. are classified in critical Class II.
Penalties for non-compliance with the Cyber Resilience Act
Manufacturers must undergo a conformity assessment procedure to demonstrate compliance with the security requirements. Depending on the classification, different options are available to manufacturers for this purpose:
- The manufacturer carries out the conformity assessment of products with digital elements under their own responsibility.
- Assessment by a third party: Given the even greater cybersecurity risk associated with Class II devices, the conformity assessment may be performed by a third party.
Manufacturers need to act now to prepare for the new Cyber Resilience Act and avoid penalties for non-compliance
The Cyber Resilience Act, once implemented, will bring significant changes to the way manufacturers operate, with new requirements for securing their networks, protecting sensitive data, and reporting cyber incidents. For manufacturers, this means they will need to review and update their existing cybersecurity practices and policies to ensure compliance with the new regulations. With product lifecycles often spanning multiple years, it is important for manufacturers to start making the necessary changes to their processes and systems now, to ensure they are compliant with the new legislation once it is implemented. Failure to comply with the new regulations can result in significant penalties and damage to a company's reputation. By proactively addressing the requirements of the Cyber Resilience Act, manufacturers can ensure that their products are secure and that they are in compliance with the new laws.
What are the next steps for cyber resilience?
The Cyber Resilience Act proposed by the Commission will be adopted jointly by the European Parliament and the Council of Ministers. The process may involve up to three readings, so it may still take several weeks before the Cyber Resilience Act becomes reality. However, manufacturers, importers, and distributors should not rely on this, but take appropriate countermeasures as soon as possible and establish appropriate processes for testing and for responding to incidents involving their products. ONEKEY’s security experts are at your disposal for any questions or requests concerning the Cyber Resilience Act. Are you ready for the Cyber Resilience Act? Book your CRA Readiness Assessment today or, for a quick test, use the CRA Checker free of charge.
PROTECT YOUR BUSINESS - TALK TO A SECURITY EXPERT NOW!
About ONEKEY
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
CONTACT:
Sara Fortmann
Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
+49 611 973 150
team@euromarcom.de