Preparing for the upcoming EU Cyber Resilience Act: advice for industrial device manufacturers
An interview with EU CRA expert Thorwald-Eirik Kaljo.
Watch the interview video here or read the text version below.
What does the Cyber Resilience Act mean in simple terms?
The Cyber Resilience Act is currently a proposal for a regulation on cybersecurity requirements for products with digital elements or, simply put, connected devices. So, it is known as the Cyber Resilience Act. Its goal is to bolster cybersecurity rules to ensure more secure hardware and software products.
What are the main goals that the EU wants to achieve by adopting this Cyber Resilience Act?
The general perception is that there are plenty of products on the used market that are connected. The number is of course growing, and everybody has seen the predictions for 2030.
Many of these products have quite a low level of cybersecurity. And vulnerabilities in these products have been one of the main causes of incidents over the past few years. We have seen some very significant supply chain attacks, for example. We see the devices being more and more interconnected as well.
So the goals of the Cyber Resilience Act are to create conditions for the development of secure products by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout the product’s lifetime. And I think there were some clear objectives set out by the Commission when proposing this piece of legislation, objectives that are supported by both the Council of the European Union and the European Parliament.
So one objective is a lifecycle element, another to fit this whole product security topic into a wider cybersecurity government’s framework, and finally to ensure transparency for the consumers, and for manufacturers themselves, when using the products.
One of the reasons for coming out with this piece of legislation is to avoid fragmentation and the legislative patchwork throughout the EU, since Member States had started to take individual steps to create separate pieces of legislation at the national level. So this is why we need to avoid fragmentation and harmonize this area across the EU.
How does the Cyber Resilience Act affect industrial equipment manufacturers?
It of course has a strong impact on these actors.
From the beginning, a risk-based approach to understand the criticality of different products has been chosen, and industrial device manufacturers have been selected, I’d say, over consumer devices, as the main targets of this regulation. Because, quite often, microprocessors, controllers, and general purpose operating systems are components of other consumer products or industrial products. So, they would have to be taken with stronger scrutiny before placing them on the market.
There is a list of critical products and highly critical products. Some of the industrial devices are in neither of the categories and would therefore have a lower threshold of requirements that are expected from them.
Can we state what kind of devices the Cyber Resilience Act targets?
Yes, so, as I said, there are multiple layers. And there are different methodologies that have been singled out. We are also talking about different approaches, because currently we are at the final stage of negotiations of this regulation. Meaning that the EU Commission, the Council, and the Parliament all have different methodologies.
As I represent Estonia at the Council of the EU, I’ll be able to reflect on our approach a bit more.
So we have chosen a multi-layered approach based on criticality and most of the products go in the simpler category where they would be considered as just regular connected devices, like children’s connected toys or some wearables or some of the more basic smart home devices.
There are two critical categories of products: the critical category (which includes anti-virus software, operating systems, microcontrollers and processors) and the highly-critical category (which includes smart meter gateways, smart cards, hardware devices with security boxes). These are quite narrow areas, I would say.
And then some of the products or areas are out of scope. Let’s say Software as a Service (SaaS), generally, is out of the scope of this regulation. Also vehicles, except for tractors and motorcycles, which are not covered by the respective European directive, and medical devices as well. So some of the exceptions here reflect on the very specific areas which are known to have an already higher standard of cybersecurity for their products.
What can industrial equipment manufacturers do to ensure they are ready for the Cyber Resilience Act?
If I were an industrial device manufacturer, I would think about the expected product lifetime and the intended purpose of my devices, as these are some of the essential requirements in this regulation.
I would also go through the information that I’m making available for users. I would check if my product would allow for automatically installed updates. And if I could turn them on, how and when they should be turned off.
I would also go through my Software Bill of Materials (SBOM), or try to establish one and try to understand the different supplies and where the responsibility for each part of my product lies. Who should be responsible at which stage.
Then I would also be looking out for different opportunities to test my products with regard to this regulation, as the EU intends to make some funds, testbeds and sandboxes available for this regulation, especially for SMEs (Small and Medium Enterprises). So, if my company was an SME, I would know that there would be some opportunities which would allow me to keep pace with the bigger players.
Are there already any guidelines on how to get those products certified for the Cyber Resilience Act?
This is essentially one of the most complex subjects and also very difficult to explain and understand from the perspective of an industrial manufacturer, because you need to cross-read the regulation to understand which category my product fits in, and which is the exact conformity assessment procedure that I have to follow. And what this conformity assessment looks like.
So there are multiple stages for this, depending on the criticality of the product as I previously said.
One of the main elements for all the products is the use of harmonized standards. While harmonized standards are a pivotal element of this regulation, they will take time to be drafted. So probably two years for the standardization organizations to draft them.
But then there are also some simpler ways for self-assessment, for example using Annex 1 for essential cybersecurity requirements and vulnerability handling. Then, you should cross-read Regulation Article 24 and Annexes 4 and 6, which give more information about the specific category and the type of conformity assessment that the entity should go through.
Let’s say they can also go through a full quality conformity assessment which would be more suitable for, let’s say, software product producers.
And then there’s also the element of certification schemes. Currently, in the EU we have no certification scheme available. Probably the first one to come out is the EU Common Criteria scheme, which can probably be used for this regulation.
And then for the highest criticality products, they will have to go through third-party conformity assessment, which is obviously a very burdensome procedure. In most of the EU member states, we don’t even have the authorities in place who could do the conformity assessment for cybersecurity purposes. But in some member states, that already exists, such as in Finland for example.
Does the Cyber Resilience Act also affect the already existing devices that are in use in the field or in factories, etc.?
No. Generally, it affects only the new products made available on the market. This is the terminology we’re using.
When does the Cyber Resilience Act come into effect? What will be the transition period for device manufacturers? Does each state enforce the Cyber Resilience Act separately?
Yes, so, we are currently negotiating this regulation, and we are in quite an advanced phase. I expect the regulation to enter into force somewhere in the spring of 2024. And if everything goes smoothly now with the negotiations, then from that point, there will be a transition period of 36 months, which will start ticking from next spring. Both co-legislators, the Council and the European Parliament, have found that 24 months will not be sufficient from both the manufacturers’ and the Member States’ authorities’ perspectives. Only the vulnerability reporting deadline will kick in earlier, 24 months from the adoption of the regulation. This means that entities are expected to share information about actively exploited vulnerabilities with specified authorities in their member states.
So, when it comes to the enforcement of the CRA, it should be understood that once you pass through the conformity procedure in one member state, your products should be eligible throughout the single market. The same goes for devices imported from outside the EU. They will have to pass through the same procedure in one of the member states. So from the single market’s perspective, the products should circulate freely.
There are also some exceptions, which relate to entities that are considered essential in the NIS directives’ different categories. And for these entities, member states can impose some of the stricter requirements regarding their supply chains. Also, there is a general exception for national security, where member states can ask for stricter requirements to be put in place.
How Proekspert helps industrial device manufacturers to prepare for the upcoming Cyber Resilience Act
Proekspert works on secure device connectivity and remote device control solutions on a daily basis. Our long experience with secure industrial solutions can get you on your way, no matter how simple or complex your requirements for PKI and device identity management.
It’s quite a leap to upgrade device-level security and the infrastructure for managing device identities, permissions, and licenses.
Proekspert helps device manufacturers prepare for the upcoming EU Cyber Resilience Act. Register for a free meeting where we will help you to discover how to improve your device security.