In an era marked by the rise of IoT devices, device makers face an escalating challenge in safeguarding their products against cyber threats.
The Cyber Resilience Act (CRA), emerges as a regulatory game changer, fortifying cybersecurity across the European Union. But what exactly are the ramifications of the CRA for device makers, and how does compliance look?
The Cyber Resilience Act (CRA): An Overview
The CRA, conceived to bolster cybersecurity within the EU, mandates profound changes for device makers. Seeking to promote a landscape where connectivity and cybersecurity go hand in hand, the CRA will push many OEMs to reevaluate their security measures.
It imposes strict cybersecurity requirements on digital products and demands meticulous self-assessment by manufacturers, with certain product categories even requiring external validation.
The CRA’s scope extends to all products interconnected with other devices or networks unless they are already covered by certain other EU regulations. Within that wide net are three further sub-classes, which focus on the criticality of the product.
To help you prepare for implementation, we describe these categories in further detail, as well as what you will need to do to comply.
Manufacturers’ Four Key Obligations
1. Secure by design manufacturing
Under the CRA, OEMs must now ensure that cybersecurity is taken into account during the planning, design, development, production, delivery, and maintenance phases of their product lifecycle.
Known vulnerabilities must be accounted for and it must be possible to reset the product to its default state. Data protection measures, such as encryption, must also be a part of secure by design development.
2. All cybersecurity risks are documented
Cybersecurity risk assessments are now mandatory, and OEMs must show consideration of potential attack surfaces and release products without known exploitable vulnerabilities.
Manufacturers must document and mitigate relevant common vulnerabilities and exploits (CVEs) at every stage of the lifecycle.
You will also be required to provide clear and understandable instructions for your digital products.
3. Manufacturers must report security incidents
Nobody likes to broadcast bad news, but under the CRA, OEMs may have no choice.
Not only will manufacturers be obliged to report vulnerabilities or other cybersecurity-related incidents, but they will also have a tight deadline for doing so.
The new legislation could theoretically give device makers just 24 hours to warn The European Union Agency for Cybersecurity (ENISA) of any cybersecurity incidents, 72 hours for a follow-up, and a maximum of one month to provide a detailed report.
This makes proactive monitoring of devices crucial to remain compliant with the CRA.
4. CVEs and Updates must be handled for the product’s lifetime
New CVEs appear all the time. Not only are hackers ever vigilant but support for your OS can fade, while drivers and board support packages can also become redundant.
Under the CRA, OEMS are responsible for managing these exploits for the product’s entire lifecycle.
Similarly, you will also be expected to make general security updates available to customers for the same period. Put simply, you can’t just build secure, you have to stay secure.
Which products are covered by the CRA?
The level of your responsibilities, and liabilities, under the CRA depends on the type of product you are developing. OEMs are responsible for most products’ compliance. However, more critical devices may require third-party assessments. This legislation divides products into three categories:
- Unclassified or Default – These devices, with no critical cybersecurity vulnerabilities, permit the manufacturer to self-report their compliance with all aspects of the CRA.
- Class I – OEMS may self-report under the CRA for low-risk critical products that comply with other EU cybersecurity standards. Where such standards do not exist or are not applied, OEMs must undertake third-party conformity assessments.
- Class II – Mandatory third-party assessments are required for high-risk products.
Regardless of the product class, the scope of device-makers’ responsibilities remains the same; you need to design, build, and maintain secure devices for as long as they are on the market.
Compliance Timelines and Fines
While the finer details of the CRA are expected to be agreed upon this year, there will be a grace period for OEMs. The anticipated enforcement in late 2025 will signal a pivotal juncture for device makers. This phased transition affords stakeholders an essential window to adapt seamlessly to the evolving regulatory landscape.
Non-compliance with the CRA carries weighty consequences. Fines, ranging from €5 to €15 million or 1-2.5% of global annual turnover, whichever is greater, underscore the importance of regulatory adherence.
The severity of these fines hinges on many factors, such as the nature, gravity, and duration of the infringement, cooperation with authorities, and prior instances of non-compliance. Understanding and avoiding these penalties is imperative for any successful IoT strategy.
How Can Witekio Help?
In this new turbulent landscape, Witekio emerges as a steadfast partner, equipped to guide device makers through the labyrinth of IoT security standards and frameworks. No matter where you are in your project timeline, Witekio can help. Tap into our wealth of experience, spanning over 20 years, by leveraging our embedded architecture and security consultation services. Together we will craft a tailored security blueprint that integrates CRA-compliant principles from day one, ensuring your device’s security isn’t just an afterthought.
Already have a device on the market that needs fortification? Our IoT security solutions address vulnerabilities and implement critical measures like secure boot, communication integrity, and device authentication. But we don’t stop there. With our Long-term Maintenance (LTM) service, enjoy proactive monitoring, regular CVE scans and updates, and scheduled patches to keep your device resilient over time.
The CRA, with its far-reaching implications, demands a strategic approach, and Witekio stands ready to help guide you through these rough seas. Get in touch today to find out how Witekio can help you prepare for the Cyber Resilience Act and keep your device at peak performance for longer.