The European Union (EU) is still working out some of the implementation details of the Cybersecurity Act (CSA) enacted in 2019. So, what was the rationale for passing yet another cybersecurity measure, the Cyber Resilience Act (CRA), in the spring of 2024? The short answer: the CSA was never meant to be the endpoint.
The CSA was not comprehensive and compliance was voluntary — the expectation that the EU would need to do more was always on the cards. The CRA complements the earlier CSA in some ways and supplements it in others, but, most significantly of all, conformance is mandatory with substantial penalties possible for non-compliance.
To understand the value of the new CRA and how it relates to the CSA, this article reviews the environment for cybercrime and cybersecurity, the purpose and scope of the CSA, where the CSA comes up short, some of the key provisions of the CRA, and how all this affects technology vendors.

The beginning of network security
Data communications networks have always been subject to attack. At the beginning of the digital era, each organisation was solely responsible for its network security. In fact, cybersecurity started with security experts consulting with each other and meeting informally to exchange information about attacks and countermeasures.
With the establishment of the public internet and its rapid expansion, malicious hacking activity quickly grew pervasive and became relentless, perpetrated by everyone from individuals and hacking collectives creating chaos for fun and/or profit to government agencies engaging in espionage. As we all know, cyberspace is now both militarised and weaponised.
While informal information sharing remains useful, uncoordinated efforts at cybersecurity were doomed to be inadequate. The industry and world governments eventually agreed that formal, unified responses to cybercrime were necessary.
The founding of ENISA
Companies dedicated to providing cybersecurity products and services (commercial firewalls, for example) were soon founded, jurisdictions around the world began to adopt rules and regulations, and cross-industry cybersecurity task forces formed.
The most pertinent example here is the EU's establishment of ENISA in 2004, originally named the European Network and Information Security Agency. The CSA later renamed it the European Union Agency for Cybersecurity, while retaining the ENISA acronym.
ENISA was founded to provide practical advice and solutions for the public and private sectors in EU countries and for EU institutions. It was set up to help devise national cybersecurity strategies, and contribute to the development of cybersecurity policies and laws, among other activities.
Cybersecurity technology
The number of cyber-attacks keeps rising. While the industry continues to deflect the vast majority of attacks, those that have been successful have caused a notable amount of damage, with results ranging from the theft of valuable information to knocking out entire segments of networks, impeding supply chain operations, healthcare delivery, air transportation, and much more.
Over the decades, the industry has worked to create both software- and hardware-based security technologies to secure data communications networks. It has also publicised best practices from all sorts of angles, from monitoring data as it is transmitted, to training employees against being tricked into giving hackers access to protected networks.
The EU and the regulatory approach to cybersecurity
In the years following the creation of ENISA, the EU announced a series of strategic cybersecurity objectives, including a formal strategic plan in 2013. The 2013 Cybersecurity Strategy stated the EU’s cybersecurity objectives were to:
- increase cyber resilience,
- reduce cybercrime,
- develop cyber defence policies and capabilities,
- develop industrial and technological cybersecurity resources, and
- establish an international cyberspace policy aligned with core EU values.
An important next step was the EU's adoption in 2016 of the General Data Protection Regulation (GDPR), applicable from 2018, which established protections for the personal data of people in the EU. Importantly, the GDPR introduced penalties for failing to provide those protections, including for failing to secure personal data with technical and organisational measures appropriate to the risk, which is, in essence, a penalty for inadequate cybersecurity.
ENISA itself has noted that the Cybersecurity Strategy is more of a vision than a measurable target. There remained numerous shortcomings in EU cybersecurity, which ENISA enumerated in 2018:
- There is an absence of measurable objectives and scarce reliable data. Outcomes are rarely measured and few policy areas have been evaluated.
- The legislative framework remains incomplete. Gaps in EU law can make it difficult for legislation to reach its full potential.
- There is insufficient investment in cybersecurity.
- Weaknesses in cybersecurity governance abound in the public and private sectors across the EU.
- Inconsistent approaches among EU member states lead to policy incoherence.
- Improving information exchange and coordination between the public and private sectors remains a challenge.
- Digital systems have become so complex that preventing all attacks is impossible. The emphasis must shift to more rapid detection and response.
- Technology development has outpaced the ability of legislation to keep up.
Clearly, regulating cybersecurity would be an exceedingly complex endeavour.
The Cybersecurity Act
Starting with the absence of measurable objectives and the lack of reliable data, it was obvious even while the CSA was being written that no single piece of legislation could address all known concerns. The CSA was by design and intent an intermediate measure that would need to be followed by additional legislation.
One of the primary goals of the CSA was to solidify ENISA's role as a coordinating body for European industry, legislative bodies and law enforcement, giving the agency a permanent mandate. It also established an EU-wide framework for the cybersecurity certification of information and communication technology (ICT) products, services and processes. ENISA was also given responsibility for supporting the development and enhancement of national and Union computer security incident response teams (CSIRTs).
Participation in any of this would be voluntary. Even after having its role bolstered by the CSA, ENISA remained an advisory and consulting body. Regulations that mandate any kind of cybersecurity measures, such as GDPR, remain rare.
Treating cybersecurity as optional
Network equipment vendors, who are among the most keenly aware of the risks of cyber attacks, have long built security features into their products. It should be noted that no one has been given any authority to force customers of network equipment to use built-in security.
Then there are manufacturers of devices that can attach to networks, including a vast and growing number of disparate products — network attached storage (NAS), drones, traffic lights, handheld game systems, HVAC systems, surveillance cameras, and more.
Not all OEMs design security into their products and, if they do, they might not incorporate the most effective security technology. Even then, they might not update installed products to be resistant to new attacks.
In all fairness, security measures have a cost, and it is not always economically justifiable to add security to some connected products, especially consumer items, for the same reasons that few people secure their garden sheds as well as they secure their homes: it is hard to justify spending as much to protect flower pots and rakes as one might spend on protecting one’s family and valuables.
Furthermore, even when security technology is embedded in consumer products, consumers as a group have demonstrated they cannot be relied upon to want to use the security measures available to them, and those who do might be stymied by poor instructions, or a lack of any instructions at all.
The Cyber Resilience Act
The ongoing stream of cybersecurity failures makes it readily apparent that cybersecurity must be improved.
The most recent step the EU has taken is to enact the CRA. The biggest difference from the CSA is that compliance with the CRA is mandatory. The penalty structure resembles that of the GDPR: breaches of the essential cybersecurity requirements can draw fines of up to €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.
The objectives of this legislation are to create conditions that:
- help ensure digital products are placed on the market with fewer vulnerabilities,
- ensure manufacturers take security seriously throughout a product's life cycle, specifically by providing sufficient updates for installed products, and
- allow users to take cybersecurity into account when selecting and using products with digital elements.
Those might also be visions but, unlike the CSA, the CRA has some objectives that constitute measurable targets. These include:
- Ensuring that manufacturers improve the security of products with digital elements, starting with the design and development phases and continuing through the entire lifecycle.
- Helping to establish a coherent cybersecurity framework, facilitating compliance for hardware and software producers.
- Encouraging the transparency of security properties of products with digital elements.
- Enabling businesses and consumers to use products with digital elements securely.
What comes next?
The CRA entered into force on 10 December 2024. Most of its obligations apply from 11 December 2027; manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply earlier, from 11 September 2026.
As soon as possible, manufacturers should analyse their product design processes and determine if and how they will need to adapt those processes to incorporate cybersecurity technology and the vulnerability-handling practices the CRA expects throughout the support period.
Every product with digital elements whose intended or reasonably foreseeable use involves a direct or indirect data connection to a device or network falls within the scope of the CRA, so the number of products affected is enormous. As observed above, however, not all digital products embody equal risks.
The CRA sorts products into four tiers: a default category, "important" products in Class I and Class II (Annex III), and "critical" products (Annex IV). Products that represent lower risks if compromised are subject to less stringent conformity assessment, while those that are integral to network operation or to cybersecurity itself are subject to the most severe requirements.
Semiconductor products are incredibly varied, ranging from simple sensors to profoundly sophisticated processors, and those with security functions tend to land in the stricter tiers. The text of the CRA itself has few explicit references to semiconductors, but Annex III assigns "microprocessors with security-related functionalities", "microcontrollers with security-related functionalities" and "application-specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities" to Class I of the important products. Note that Class I is not the strictest tier: tamper-resistant microprocessors and microcontrollers fall into Class II, and smartcards and secure elements are listed among the critical products in Annex IV, for which the Commission can require certification under a European cybersecurity certification scheme.
In addition, every manufacturer will now be responsible for three categories of documentation. The first is the EU declaration of conformity, which declares compliance with the regulation. Products in the default category can be self-assessed by the manufacturer; important and critical products require a third-party conformity assessment or a European certification scheme, except that Class I products may still be self-assessed when harmonised standards are applied in full. Technical documentation is also required for every product subject to the CRA, and it must include, among other things, a software bill of materials (SBOM) in a commonly used machine-readable format covering at least the product's top-level dependencies. Finally, information and instructions for the user, clearly explaining how to make use of the product's security features and stating how long security updates will be provided, are required for every product subject to the CRA. Manufacturers must prepare to generate this documentation. While many do some of this as a matter of course, others may be unaccustomed to creating it and will have to adapt.
The CRA finally makes some cybersecurity measures mandatory, but a quick glance at ENISA’s list of cybersecurity shortcomings up above will reveal that the CRA is not a fully comprehensive cybersecurity solution.
We can expect the CRA to be supplemented, just as the CSA was.
We Talk IoT Podcast
Episode 55: Securing the Future: Understanding the Cyber Resilience Act
This episode of the We Talk IoT Podcast covers an exciting and crucial topic: the Cyber Resilience Act. With us are two guests who are experts in their fields: Guillaume Crinon, Director of IoT Business Strategy at Keyfactor, and Romain Tesniere, Business Development Manager at Avnet Silica. Guillaume and Romain bring a wealth of knowledge and experience in IoT security and business strategy, making them the perfect guides to help us navigate this important legislation.
The Cyber Resilience Act aims to enhance the security of connected devices, but what does that mean for businesses, developers, and end-users? We'll explore the benefits, challenges, and impacts of this Act and practical steps for ensuring IoT security.