Insights for the upcoming EU Cyber Resilience Act (CRA)
Since the EU CRA has created a lot of questions for device manufacturers, we held a seminar at the Teknologia fair and shared our knowledge regarding the matter.
Watch the seminar video of the presentation from the fair or read the text version below.
EU Cyber Resilience Act overview and discussion
Hello! My name is Terry London. I’ve been with Proekspert for around 16 years. And I am here to give you some new information about the upcoming EU CRA.
What is the EU CRA?
The European Cyber Resilience Act is meant to unify cybersecurity rules for hardware and software products across the European Union. The problem it addresses is the fact that the number of connected devices is constantly growing, and, at the same time, attacks against those connected devices are growing as well – almost exponentially.
The main goal here, for the EU, is to protect end users – to have easier-to-understand and up-to-date security on the devices users rely on. Also, the EU is trying to avoid a situation where each EU country creates its own rules, which would result in a mess in the entire market.
We can also say that the CRA is meant to make product developers more responsible for their product security. That is not a bad thing at all. But there seems to be a lot of confusion among device manufacturers due to a lack of clear information about the requirements and the release date.
Here is the link to the draft document on the European Commission’s web page. This is from September of last year. This is the only official source.
The current situation among device manufacturers
We have had lots of discussions about CRA with our clients and other companies that manufacture industrial devices.
Here’s how we perceive the situation.
- Many companies are aware of the CRA – painfully aware.
- However, only some are developing hardware security functionalities for their devices.
- And only a very few are developing software infrastructure for their devices.
Their approach has been to wait until they see what the requirements are going to be.
Latest updates about the EU CRA
We didn’t want to wait. And we did our research.
We went straight to the source at the European Commission. Here is our interview with a Cyber and Digital Affairs Councilor. Get the link with the QR code, or find the video on our web page, Proekspert.com.
New insights about the EU CRA
Here is what we learned from the interview:
- Despite the hesitation that surrounded the draft half a year ago, the act will probably be released in the spring of 2024. Of course, there will be a transition time of three years. After three years, companies that release certain critical products must start certifying their products.
- Vulnerability reporting – After two years, companies must start reporting known vulnerabilities in their software and hardware products.
- One big question was whether the requirements apply to already existing products, as well. The answer is no. The CRA will apply only to new products released after the transition period.
- We also learned that some types of products won’t be covered: SaaS and open-source software (in addition to automotive and medical devices, which were already known to be excluded).
- Finally, we got some updates on how products will be divided into categories by criticality levels.
Criticality levels and certification requirements
This is a rough simplification, but we can say that the CRA divides hardware and software products into three criticality levels. Each level has its own assessment requirement.
- Common products like smart home devices require only in-house self-assessments by manufacturers.
- Critical products like microcontrollers and general-purpose operating systems require third-party validation.
- The third group is called highly critical products. These products require certification by authorized certification service providers. Examples of such products are smart cards and hardware devices with security boxes (something similar to what we demonstrated in our booth at the Teknologia fair).
Requirements for device manufacturers
Here are the very general requirements that device manufacturers face.
- Get products certified
- Third-party validation
- Compile software Bills of Materials (SBOM)
- Define software suppliers
- Define who is responsible for which software modules and software lifetime stages
- Ensure secure software updates
- Define the intended purpose and requirements of products
- Provide security updates over the product’s lifetime
- Report product vulnerabilities – the details behind this are unclear
Our suggestions today
- For certification audits. Even if we don’t know exactly how certification and third-party validation are going to be officially organized, you can start with simple things. Map and document your product functionalities, because internal auditing is the main part of preparing for certification anyway, and it is always a relatively time-consuming process. This will help you be better prepared when the CRA requirements are officially released.
- For SBOM
  - Go through your third-party software packages and document what you have and who supports them with new updates.
  - Define who is responsible for your different software modules across the different product development stages.
  - Use modern software development principles and tools. Maintain code repositories that help keep a product’s technical documentation up to date.
- For security updates
  - Review the risks you must protect your devices against. This gives you an understanding of which security measures to prepare.
  - Plan how you will deliver security updates: remotely over the air (OTA) or within a local network, for example. Then you’ll know what technology you need to secure your devices.
- Additional recommendations
  - What we know is that the EU cares about the competitiveness of SMEs. It plans to release special support programs for SMEs, including sandboxes for testing your products with regard to the CRA.
  - Plan ahead for how to prepare for the EU CRA.
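The SBOM suggestions above (inventory your third-party packages, record who supplies each one and who on your side owns it at each lifecycle stage) can be turned into a check that runs on every build. The following is an added example written for this page, not Proekspert’s code or tooling; the component inventory is constructed for a hypothetical firmware, and the JSON layout follows the top-level field names of the public CycloneDX schema.

```python
"""Build a minimal CycloneDX-style SBOM from a component inventory and
flag components whose supplier or lifecycle ownership is undocumented.

Added example; the inventory is constructed for a hypothetical device
firmware. Field names (bomFormat, specVersion, components, supplier.name)
follow the public CycloneDX JSON schema."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Lifecycle stages for which somebody on the manufacturer's side must be named.
REQUIRED_STAGES = ("development", "maintenance")


@dataclass
class Component:
    name: str
    version: str
    supplier: Optional[str] = None                     # who publishes the package and its updates
    stage_owners: dict = field(default_factory=dict)   # lifecycle stage -> internal owner


# Constructed inventory (hypothetical firmware; not a real product's SBOM).
INVENTORY = [
    Component("mbedtls", "3.5.1", supplier="Trusted Firmware",
              stage_owners={"development": "fw-team", "maintenance": "fw-team"}),
    Component("lwip", "2.2.0", supplier="lwIP project",
              stage_owners={"development": "fw-team"}),            # nobody named for maintenance
    Component("vendor-ble-stack", "1.4", supplier=None,             # binary blob, supplier unknown
              stage_owners={"development": "fw-team", "maintenance": "fw-team"}),
]


def build_sbom(components, product_name, product_version):
    """Return a CycloneDX-style dict; internal ownership goes into custom properties."""
    comps = []
    for c in components:
        entry = {
            "type": "library",
            "name": c.name,
            "version": c.version,
            "properties": [{"name": f"owner:{stage}", "value": owner}
                           for stage, owner in sorted(c.stage_owners.items())],
        }
        if c.supplier:
            entry["supplier"] = {"name": c.supplier}
        comps.append(entry)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "firmware",
                                   "name": product_name,
                                   "version": product_version}},
        "components": comps,
    }


def sbom_json(components, product_name, product_version):
    """Serialise the SBOM so it can be shipped alongside the firmware release."""
    return json.dumps(build_sbom(components, product_name, product_version), indent=2)


def find_gaps(components):
    """Map each incomplete component to the information that is still missing."""
    gaps = {}
    for c in components:
        missing = []
        if not c.supplier:
            missing.append("supplier")
        missing += [f"{stage} owner" for stage in REQUIRED_STAGES
                    if not c.stage_owners.get(stage)]
        if missing:
            gaps[c.name] = missing
    return gaps


if __name__ == "__main__":
    print(sbom_json(INVENTORY, "hypothetical-gateway-fw", "0.9.0"))
    for name, missing in find_gaps(INVENTORY).items():
        print(f"GAP {name}: {', '.join(missing)}")
```

Failing the build on a non-empty `find_gaps` result is what turns the documentation task into something that stays current: a new dependency cannot enter the product without a supplier and a named maintenance owner.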
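For the security-update item, the delivery channel matters less than what the device checks before installing anything it receives, whether OTA or over the local network: that the manifest was signed by the manufacturer, that the payload matches the manifest, and that the version is newer than what is installed (so an old, vulnerable image cannot be replayed). The following is an added example and not part of the seminar or of Proekspert’s SFWU product; the manifest fields, product name and key are assumptions, and the HMAC stands in for the asymmetric signature a real device would verify against a public key in its trust anchor.

```python
"""Verify a firmware update package before installing it: manifest
signature, payload digest and an anti-rollback version check.

Added, constructed example. The signature is an HMAC-SHA256 with a shared
key so the block runs with the standard library only; a real device
would verify an asymmetric signature (e.g. Ed25519) against a public key
stored in its trust anchor, so that possessing a device never yields the
ability to sign updates."""
import hashlib
import hmac
import json


def canonical_bytes(manifest: dict) -> bytes:
    """Serialise the manifest deterministically, excluding the signature field."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(product: str, version: str, payload: bytes) -> dict:
    """Describe an update payload: which product, which version, which bytes."""
    return {"product": product,
            "version": version,
            "payload_sha256": hashlib.sha256(payload).hexdigest()}


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Build side: attach a signature over the canonical manifest."""
    sig = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "signature": sig}


def parse_version(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def verify_update(manifest: dict, payload: bytes, key: bytes,
                  installed_version: str, expected_product: str):
    """Device side: return (accepted, reason). Every check must pass."""
    if manifest.get("product") != expected_product:
        return False, "product mismatch"
    expected_sig = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest.get("signature", "")):
        return False, "signature mismatch"          # manifest tampered or not ours
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(),
                               manifest.get("payload_sha256", "")):
        return False, "payload digest mismatch"     # image swapped after signing
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "version not newer than installed"  # rollback attempt or replay
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"                    # stand-in for a real signing key
    image = b"firmware image bytes (constructed)"
    signed = sign_manifest(make_manifest("hypothetical-gateway", "1.2.0", image), key)
    print(verify_update(signed, image, key, "1.1.9", "hypothetical-gateway"))
    print(verify_update(signed, image, key, "1.2.0", "hypothetical-gateway"))
```

The order of the checks is deliberate: the signature is verified before the payload digest or version fields are trusted, so a manifest that claims a higher version but was not signed by the manufacturer is rejected as a signature failure rather than evaluated on its own terms.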
How can Proekspert help?
- Consulting – We are up to date on the CRA and have been building software solutions for 30 years.
- SFWU solution – A solution for high-level device security on an embedded level.
- Device Identity Management infrastructure (PKI) – A solution for managing devices with unique identities.
- Remote device connectivity – A solution for managing remote devices over the cloud.