Cyber Resilience Act requires product adaptations
The EU is getting serious about "security by design": devices with exploitable cyber vulnerabilities will soon no longer be allowed to be sold in the EU. Manufacturers will therefore have to adapt their products.

The EU Cyber Resilience Act came into force on December 10, 2024. This places new obligations on manufacturers of "products with digital elements". "Companies that are subject to the EU Cyber Resilience Act (CRA) should hurry to adapt their products to the requirements of the CRA," says Jan Wendenburg, CEO of the Düsseldorf-based cybersecurity company Onekey. He points out that the first CRA regulations will apply from September 2026 and all others from December 11, 2027. "From this date, all networked products must fully comply with the cyber security requirements of the Cyber Resilience Act," clarifies Jan Wendenburg. Manufacturers, importers and retailers are equally challenged: Without CRA conformity, the CE mark may not be awarded, and thus the affected products may no longer be sold in the EU.
The European Commission's Cyber Resilience Act, which was adopted on December 10, 2024, is the most comprehensive regulation to date on the cyber security of connected products in Europe. For all manufacturers of devices "with digital elements", i.e. all smart products, whether for industry, consumers or businesses, time is of the essence, as the new security requirements must already be taken into account during product development. "In view of the product life cycles, which generally span many years, the topic of CRA should therefore be given top priority in order to be able to continue selling on the EU market in the future," advises Jan Wendenburg.
"Security by design" for CRA compliance
Key elements for CRA compliance are the principle of "security by design" as well as continuous risk assessment and vulnerability remediation. In addition, the EU CRA requires a Software Bill of Materials (SBOM) to make software components traceable and to identify risks in the supply chain at an early stage. The CRA categorizes products into three security classes: Critical, Important and Other. Corresponding requirements must be met in each class. The security of the supply chain is particularly relevant here, as vulnerabilities in third-party and open source components can jeopardize the integrity of the overall system. The implementation period of 24 or 36 months from entry into force on December 10, 2024 poses major challenges for manufacturers, as product developments often take years. In order to meet the requirements of the CRA, companies should implement cybersecurity best practices as quickly as possible. In addition to the CRA, other regulatory frameworks such as RED II (EN 18031) and IEC 62443-4-2 must also be taken into account. Special compliance tools can help to meet current and future requirements by enabling a quick, simple and therefore efficient cybersecurity assessment of product software. One example of this is the patent-pending Compliance Wizard from Onekey.
"Companies that adapt their product strategy in good time not only secure their market approval in the EU, but also their competitiveness. Product lifecycle cybersecurity, proactive compliance and supply chain transparency are becoming indispensable success factors for all manufacturers on the EU market," explains Jan Wendenburg.
The new requirements of the Cyber Resilience Act
In order to meet the new requirements, companies must be able to identify security vulnerabilities in their products and continuously monitor the product life cycle. This means that every software version must be tested and - as long as it is active - continuously monitored for possible new vulnerabilities. Newly discovered vulnerabilities must be assessed as they appear and, where necessary, reported and/or remediated.
The CRA requirements cover the entire life cycle of smart products - from planning and development through to operation and subsequent decommissioning. Manufacturers are obliged to offer security updates for their products for a period of at least five years. If the product is used for a shorter period, this period can be shortened accordingly. "In many industrial sectors, however, product lifetimes of 10 or 20 years or even longer are not uncommon. This means that monitoring, maintenance, vulnerability management and patch strategies must also be maintained over a correspondingly long period," says Jan Wendenburg, explaining the challenges.
"The implementation of the Cyber Resilience Act poses considerable practical challenges for manufacturers," explains Jan Wendenburg. He cites specific examples: "In industrial manufacturing, control and production systems are used for decades and regular security updates are required to ensure compliance. In the IoT industry, such as smart household appliances, constant maintenance of the software bill of materials is also necessary in order to quickly identify and rectify potential vulnerabilities." Companies need to work closely with their suppliers and use third-party software testing tools, such as binary analysis solutions, to ensure security monitoring upon receipt of goods and throughout the product lifecycle. "Only automated processes and tools for vulnerability and compliance analysis make it possible to meet the new legal requirements in an economically viable and efficient manner," says Jan Wendenburg.
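The SBOM-driven, continuous vulnerability monitoring the article describes (an SBOM for each shipped software version, re-checked against new advisories for as long as the version is supported) can be shown in a small Python routine. This is an added example, not code from Onekey or the article; the CycloneDX-style SBOM, the advisory feed with placeholder ids and the support-period logic are all constructed assumptions.

```python
from datetime import date

# Constructed CycloneDX-style SBOM for one firmware version (not a real product).
SBOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "smart-lock-fw", "version": "2.3.0"},
                 "timestamp": "2025-03-01"},  # release date of this version
    "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
        {"name": "mqtt-client", "version": "0.9.2", "purl": "pkg:generic/mqtt-client@0.9.2"},
    ],
}

# Constructed advisory feed with placeholder ids; "fixed" is the first safe version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "fixed": "3.0.8", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib", "fixed": "1.3.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "component": "mqtt-client", "fixed": "1.0.0", "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v):
    """Dotted numeric version -> tuple, so 3.0.10 sorts above 3.0.8."""
    return tuple(int(p) for p in v.split("."))


def support_active(release, today, years=5):
    """Support obligation window: at least five years from release (assumed, per article)."""
    return today < release.replace(year=release.year + years)


def assess_sbom(sbom, advisories, today):
    """Re-run this for every active software version whenever the advisory feed changes."""
    release = date.fromisoformat(sbom["metadata"]["timestamp"])
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            # Affected if the shipped version is below the first fixed version.
            if parse_version(comp["version"]) < parse_version(adv["fixed"]):
                findings.append({"advisory": adv["id"], "purl": comp["purl"],
                                 "severity": adv["severity"], "upgrade_to": adv["fixed"]})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])  # remediate critical first
    return {"product": sbom["metadata"]["component"],
            "in_support": support_active(release, today), "findings": findings}


if __name__ == "__main__":
    print(assess_sbom(SBOM, ADVISORIES, date(2026, 1, 15)))
```

Components at or above the fixed version (zlib here) produce no finding, while a product outside its support window is reported with `in_support` false so the monitoring backlog stays visible.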
Source: Onekey
CRA and Switzerland
The provisions of the Cyber Resilience Act also affect Swiss companies, particularly if they wish to export products with digital components to the EU. Network devices such as routers and switches, industrial control systems and software products are affected. Swiss companies wishing to export such products or other products with digital elements to the EU are obliged to meet the requirements of the CRA and must provide corresponding proof of conformity. According to information from the Federal Office for Cybersecurity BACS, the majority of products are considered "non-critical". This means that a self-declaration is sufficient as proof of conformity. However, for products such as intelligent door locks, alarm systems, wearable medical devices and the like, the requirements for conformity are higher and require an assessment by a third party.
red. / swisscybersecurity.net / Redguard AG