The Cyber Resilience Act (CRA) establishes a stricter set of security requirements for manufacturers, creating a more secure and trustworthy IoT ecosystem. 

By mandating robust security practices throughout the entire product lifecycle, from design and development to production and post-market support, the CRA aims to significantly reduce the vulnerability of connected devices to cyberattacks. This not only protects individual users and businesses from data breaches and disruptions, but also safeguards critical infrastructure and promotes overall stability in the digital economy.

As part of the CRA, manufacturers of IoT devices and software will have to affix the CE marking to their products in order to be able to distribute them in the European Union.

The video provides a short overview of what the CE marking is, while this article takes a deeper dive on that important part of the legislation.

First, a refresher: what are the key pillars of the CRA?

Essential Requirements:

The CRA outlines a comprehensive set of security benchmarks that manufacturers must adhere to. These requirements cover various aspects of the development process, including:

• Secure coding practices: Employing coding techniques that minimize vulnerabilities and make it more difficult for attackers to exploit weaknesses.
  Vulnerability management: Establishing a systematic approach to identifying, assessing, and patching vulnerabilities in a timely manner. This proactive strategy helps to close security gaps before they can be exploited by malicious actors.
• Risk-based testing: Conducting security assessments that prioritize the most critical components and functionalities of the device. This ensures that resources are focused on areas with the highest potential impact in the event of a cyberattack.
• Incident response: Developing a clear plan for responding to security incidents, including procedures for notifying affected users, mitigating the damage, and preventing future occurrences.

Harmonized Standards:

The Act promotes the use of consistent EU-wide cybersecurity standards. This aims to eliminates ambiguity and simplifies compliance for manufacturers across member states. 

While there are currently no Harmonized Standards for the CRA, the European Joint Research Center and ENISA have released a study in an attempt to identify the most relevant existing cybersecurity standards for each CRA requirement.

This study can be accessed here and is a good starting point to understand the CRA’s requirements in practical terms.

Market Surveillance:

National authorities will have enhanced powers to monitor the market for non-compliant products. This includes the ability to conduct inspections, request information from manufacturers, and take enforcement actions against products that pose a cybersecurity risk. The increased focus on market surveillance is intended to ensure a level playing field for compliant manufacturers and to deter companies from cutting corners on security.

What Does This Mean for CE Marking?

The CE marking signifies a product’s compliance with essential requirements of the Cyber Resilience Act.

While the CRA is not yet fully integrated into the CE marking process (for instance, no third-party certifying body has been announced as of August 2024), compliance with the CRA will become a prerequisite for obtaining a CE mark in the future, and thus, secure access with to the European market.

This aligns with the EU’s evolving approach to product safety, recognizing that cybersecurity is now a critical aspect of ensuring a product’s overall safety and fitness for purpose.

Manufacturers are advised to begin familiarizing themselves with the CRA’s requirements. By proactively incorporating these security measures into their product development processes, manufacturers can ensure a smoother transition when CE marking becomes a requirement (36 months following the Act’s entry into force).

What Can Manufacturers Do Now?

• Proactive Security: Don’t wait for the final regulations to be set in stone! Implement a “security-by-design” philosophy from the very beginning of the development process. This means embedding security considerations into every stage of product development, from selecting secure hardware components to writing secure code and implementing robust access controls. By prioritizing security from the outset, manufacturers can significantly reduce the risk of vulnerabilities being introduced later in the development lifecycle.

• Vulnerability Management: Establish a robust process for identifying, assessing, and patching vulnerabilities throughout the product’s lifecycle. This includes having a clear plan for how vulnerabilities will be discovered (through internal testing, external security audits, or bug bounty programs), a system for prioritizing and evaluating vulnerabilities based on their severity and potential impact, and a process for developing and deploying timely patches to address identified vulnerabilities. By proactively managing vulnerabilities, manufacturers can minimize the window of opportunity for attackers to exploit them.

• Transparency is Key: Maintain comprehensive technical documentation that details the security posture of your product and its software components. This documentation should include information about the types of security measures implemented, the security testing that has been conducted, and the process for reporting and addressing vulnerabilities. By providing clear and accessible information about the security of their products, manufacturers can build trust with customers and regulators alike.