Cyber resilience is a constant topic of concern in technology and cybersecurity, as it approaches security from the standpoint of assuming that attacks are inevitable rather than solely attempting to prevent them. Layered cybersecurity is crucial to ensure comprehensive defense against a wide range of threats. Cyber resilience has long been a necessity for hardware and software components, but developments in recent years have led to larger and more complex attack surfaces, increasingly sophisticated attacks, and growing vulnerabilities.
While many security measures, tools, and regulations have been designed at least in part to ensure cyber resilience, the European Union’s Cyber Resilience Act (CRA) is the first comprehensive regulation for ensuring cyber resilience in the manufacturing of products with digital components. Going into effect soon, the CRA outlines a framework for ensuring that these products are developed and produced with essential cyber requirements in mind to bolster cyber resilience.
The Growing Need for Cyber Resilience
The changing digital landscape and threat trends have led to an environment that demands cyber resilience regulations. The acceleration of artificial intelligence and machine learning (AI/ML) capabilities, the increasing sophistication of threats, staffing and skills shortages, the growth of cybercrime as a service, the complex geopolitical environment, supply chain and third-party risks, insider threats, and evolving technologies all contribute to this.
These factors can create new vulnerabilities and render older security measures ineffective. Traditional steps largely focus on protecting against known threats and can be effective in preventing certain risks, but not providing comprehensive protection or ensuring cyber resilience against attacks that cannot be prevented. Critical infrastructure and essential devices need to be designed and built with cyber resilience in mind in order to protect against growing threats.
IoT devices pose a great deal of risk in digital environments where cyber resilience is not prioritized. The manufacturing sector has made significant advances in recent years, innovating methods and incorporating new technologies, but this has created new challenges that must be addressed. Not only can critical operations be directly impacted by IoT attacks, but any insecure device can be a potential point of infiltration for threat actors to carry out further malicious activity.
What Does the EU Cyber Resilience Act Entail?
Recently published in the Official Journal of the European Union, the CRA outlines comprehensive standards for the security of products with digital components, with a focus on devices with internet connections. It is designed to “ensure robust cybersecurity for products with digital elements and integrated remote data processing solutions,” like those developed by manufacturers that are crucial to the functionality of the product.
The CRA establishes conditions that will enable users to make more informed security-based decisions when choosing and utilizing products with digital elements. These conditions include improved transparency standards regarding support for these products.
Member states are forbidden to obstruct the market availability of products that are in compliance with the law. They also cannot enforce additional requirements for harmonized matters, though they are permitted to set extra requirements for procuring or using these products. They must also take essential cybersecurity measures into account and ensure that products are procured with requirements like vulnerability management in mind, evaluating the abilities of manufacturers to manage cybersecurity.
The act comes into effect on December 10th of this year, with a timeline of a few years for organizations to understand and implement the new mandated measures. Requirements regarding security incident reporting will start on September 11th, 2026, while most other provisions of the CRA will apply beginning on December 11th, 2027.
The CRA is the first “horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements,” filling a regulatory niche where there has been a pressing need. Regulating the manufacturing of these products at the Union level is important in order to account for the abundance of cross-border interaction and use. Establishing and holding all members to a standardized regulatory framework reduces legal uncertainty for all involved parties.
The CRA cites the need for “objective-oriented and technology-neutral” security requirements for all products with digital elements. Manufacturers must ensure that all of these products, including those that are connected to other devices indirectly, are developed and produced with essential cybersecurity requirements in consideration.
Considerations for Upcoming Implementation
It is important to understand the CRA in order to properly take steps to ensure smooth implementation and compliance with its requirements by the time they come into full effect. Member States are responsible for ensuring that sufficient resources are available to staff the authorities and bodies appropriately, as necessitated in the regulation for market surveillance and compliance assessment. They must employ measures to “enhance workforce mobility” and make the workforce “more resilient and inclusive.”
Manufacturers must ensure that they employ staff with the right cybersecurity skills to establish and maintain compliance with the CRA. They must also take steps to ensure that the CRA requirements are observed when components from third parties are integrated into their products.
Different products and manufacturers will require different measures to carry out their due diligence, depending upon several factors, including the level of risk associated with a component. Due diligence can include actions like checking the manufacturer’s conformity to the law, verifying whether the component has the CE marking already, and ensuring that the component is regularly updated.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.