With cyber threats arising from all angles, we all understand the importance of good cybersecurity. But how do we ensure that the products that we buy are safe – and remain safe? This is where the Cyber Resilience Act comes in. Soon, this new EU regulation will force companies to no longer consider cybersecurity as an afterthought, but as a core part of their product development.
In this article, we explain the Cyber Resilience Act, why it is needed, what will change for companies, and how we can prepare.
What’s the Cyber Resilience Act?
On October 10, 2024, the Council of the European Union approved the Cyber Resilience Act. The Act will come into effect in 2025, but will include a transition period of 24 months to allow organizations to adapt to the new requirements.
The Cyber Resilience Act, or CRA, is a legal framework that describes the cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union.
The Act aims to protect consumers and businesses that buy or use products or software with a digital component, by making inadequate security features a thing of the past. It does so by introducing mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the entire product lifecycle.
With the new regulation, manufacturers are now obliged to take security seriously throughout a product’s life cycle – forcing companies to no longer consider cybersecurity as an afterthought, but as a core part of their product development.
Why is the CRA needed?
The CRA aims to address two problems. The first is the insufficient level of cybersecurity inherent in many products on the market, including insufficient security updates for those products and their software. The second is the current inability of consumers and businesses to determine the cybersecurity level of products.
The Act aims to tackle these issues by:
- enforcing harmonized rules for the release of products or software with a digital component
- creating a framework of cybersecurity requirements for the planning, design, development and maintenance of these products, with obligations to be fulfilled at each stage of the value chain
- adding a duty of care for the entire lifecycle of these products
When the regulation comes into force, software and products connected to the internet will bear the CE marking to indicate that they comply with the new standards.
What’s changing for businesses?
The CRA covers a broad range of products, including software, Internet of Things devices, consumer electronics such as smart home devices, and industrial equipment that connects to the internet – for all parts of the supply chain. This means that if your business is involved in developing any kind of connected product, it is likely that the CRA will apply to you.
But what does that mean for your business? There are two important consequences of the CRA framework to be aware of.
- The first is the security-by-design element: businesses will now need to integrate cybersecurity features into the design and development of their products from the very start. This means security must be a core part of the product life cycle, not an afterthought.
- The second is the post-market obligation: manufacturers will have to ensure that security is maintained throughout the life cycle of the product, including providing updates and patches to address newly discovered vulnerabilities.
This means that manufacturers cannot sell a digital product or a product with digital elements and leave customers and businesses to figure out the rest for themselves: these manufacturers remain responsible for the cybersecurity of a product throughout its lifecycle.
How do I prepare?
While you have some time to prepare, now is the time to make sure your organization is following best practices, adhering to the existing certifications introduced through the Act, and making security a priority throughout the production process.
Preparations should include determining which products within your portfolio will fall under the framework – including any new products. For each product, determine which category it falls under and whether self-assessment, an independent conformity assessment, or certification is required. Additionally, organizations should start a Software Bill of Materials (SBOM) for all software components in the product portfolio, and create a process to monitor, fix and report vulnerabilities, aligning with existing standards such as ISO/IEC 29147:2018.
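The vulnerability-monitoring process described above starts from the SBOM: each component in the inventory is checked against an advisory feed, and anything running a version older than the fixed-in version is flagged for patching and reporting. The script below is an added illustration of that check, not code from Fox Crypto or from the Act; the SBOM, component names, versions and advisory identifiers are all constructed placeholders.

```python
import json
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX-style SBOM for a hypothetical product
# (sample data for this example, not a real product inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "smart-thermostat-fw", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "tlslib", "version": "1.4.2"},
    {"type": "library", "name": "jsonparse", "version": "0.9.1"},
    {"type": "library", "name": "mqttclient", "version": "3.1.0"}
  ]
}
"""

# Constructed advisory feed: component name -> (fixed-in version, placeholder id).
# In practice this comes from a vendor or CVE feed; these entries are not real advisories.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "tlslib": ("1.4.3", "ADV-PLACEHOLDER-1"),
    "mqttclient": ("3.0.0", "ADV-PLACEHOLDER-2"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def affected_components(sbom_text: str, advisories: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return SBOM components whose installed version is older than the advisory's fixed-in version."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        adv = advisories.get(comp["name"])
        if adv is None:
            continue  # no known advisory for this component
        fixed_in, adv_id = adv
        if parse_version(comp["version"]) < parse_version(fixed_in):
            findings.append({"name": comp["name"], "installed": comp["version"],
                             "fixed_in": fixed_in, "advisory": adv_id})
    return findings

if __name__ == "__main__":
    for f in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{f['name']} {f['installed']} affected by {f['advisory']}; update to {f['fixed_in']}")
```

Run regularly against every product's SBOM, the output becomes the input to the fix-and-report step, which is what the post-market obligation requires the manufacturer to keep doing for the product's whole lifecycle.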
How Fox Crypto can help
For any business, cybersecurity should be a priority and should be at the forefront of the development of digital products and products with digital elements.
Rather than retrofitting security solutions, the CRA emphasizes building cybersecurity into products from the ground up: the security-by-design element. Companies should integrate secure coding practices, regular software updates, and thorough testing into their development processes: all parts of a basic cyber hygiene practice. Another part of cyber hygiene, mentioned in the NIS2 framework, is that of network segmentation.
Network segmentation is a cybersecurity practice that involves dividing a computer network into smaller, distinct segments, each isolated from the others. This strategy is important because it limits the attack surface, contains breaches and improves incident response, improves access control and protects data, and enhances monitoring and detection.
One way to segment a network is logical segmentation: use VLANs (Virtual Local Area Networks) to separate network traffic logically, and ensure clear boundaries between segments to prevent unauthorized access. However, where feasible, it is best to physically separate critical infrastructure from less sensitive parts of the network. This might involve dedicated hardware such as the Fox DataDiode.
The Fox DataDiode can help businesses comply with the CRA by:
- Ensuring one-way data flow, which blocks potential cyberattacks.
- Preventing unauthorized access and data leakage.
- Enhancing protection for critical infrastructure and legacy systems.
- Simplifying risk management and conformity assessments.
Additionally, the DataDiode ensures safe supply chain collaboration, by securing information sharing across the supply chain. This allows manufacturing companies to share sensitive data with suppliers and logistics partners – making sure that all stakeholders in the supply chain can safely work together.