Legal regulation on cyber resilience: What threatens companies under the EU's Cyber Resilience Act

Source: Press release from Onekey

With the EU's Cyber Resilience Act (CRA), the industry faces one of the strictest sets of regulations. Everything containing a microchip will then be subject to strict obligations. Here are the details.

Soon, the restrictions of the EU's Cyber Resilience Act will come into effect! Everything containing a microchip will need to be developed in such a way that hackers stand no chance. What this means is explained by the product cybersecurity specialist, Onekey. (Image: freely licensed / Pixabay)

Manufacturers, importers, and also traders of products with digital elements, meaning everything that contains a microchip, will be obliged to adhere to a series of strict measures under the CRA (Cyber Resilience Act). To date, however, there are hardly any established processes for this, says Onekey, a specialist in product cybersecurity. Among other things, the Cyber Resilience Act will prescribe a cyber risk assessment before a product is even launched. All manufacturers should start integrating the upcoming requirements into product development now, as developing new products and variants often takes many months or even years. Onekey has therefore presented the first compressed guide for the industry, which summarizes the upcoming regulations, the essential measures, and practical advice for their implementation.

Always needing to be one step ahead of cybercriminals

In addition to security measures against unauthorized access, companies will also be required to engage in software vulnerability and patch management, according to the statement, and to do so before hacker-exploitable vulnerabilities cause damage. In essence, this means that developers always have to be one step ahead of hackers. Throughout the entire product lifecycle, manufacturers must effectively manage product vulnerabilities, conduct regular tests, and demonstrate comprehensive patch management. Additionally, there is an obligation to maintain clear documentation.

This also includes maintaining a Software Bill of Materials (SBOM), which details all software products contained in a device or system, including hidden ones, as Onekey emphasizes. Depending on the product and installed components, this could mean hundreds of different assemblies with their own microchip and thus hidden risks. Organizational structures must also be created to perform certain tasks and responsibilities of the CRA on behalf of the organization. This includes, for example, the role of the contact point for market surveillance authorities, as reported.

The CRA forces the redesign of established processes

In addition to the documentation obligations, the CRA requires companies to regularly update the data on their products and to retain that data for up to 10 years after the product has been placed on the market. This shows that the pressure is high – even if the EU Commission delays the law somewhat. Products and components – including those from third-party suppliers – must therefore be examined for vulnerabilities. Manufacturers and importers must document this examination and provide the necessary capacities for the information obligations.

For the industry, this means a rethinking of established development and production processes. Those who do not act in time risk high fines from the authorities, according to Onekey. As a specialist in product cybersecurity, the company operates one of the world's largest automated analysis platforms to examine products with digital elements for vulnerabilities that hackers could exploit.

Additionally, Onekey offers a 45-minute online seminar focused on the legal basis and its implementation. The seminar titled "Understanding the EU Cyber Resilience Act and achieve product cybersecurity compliance" will take place on Thursday, March 9, at 11:00 AM CET.
