08 Nov
Cyber Resilience Act: the key component of the new cyber legislation in the EU, Part II
Interview with Hugo Cornelis & Frank Vanbever – Part II
From microwaves to electric bikes, products and software that contain a digital element are ubiquitous in our daily lives, yet the security risks that come with them are often far less visible to users. The Cyber Resilience Act (CRA), proposed by the European Commission and approved by the European Parliament, sets out cybersecurity requirements for “products with digital elements” placed on the EU market. The CRA is set to enter into force in the second half of 2024, once the Council of the European Union approves it. Manufacturers will have to comply with the CRA to affix the CE marking to their products, which is required to sell them in the EU. This requirement applies 3 years after the CRA enters into force, which is expected to be late 2027. The CRA forces manufacturers to treat security as an integrated part of a product’s life cycle rather than as an afterthought. This is a big step forward for the EU, and an example other countries are likely to follow.
We asked our colleagues, senior embedded developers Hugo Cornelis and Frank Vanbever, for their thoughts on the CRA.
What is the impact of CRA on embedded devices?
The impact on embedded devices is significant. The initial version of the CRA placed considerable responsibility on OSS developers, despite many OSS projects being developed by volunteers after their work hours and without commercial intent. This responsibility seems misaligned, as hobbyists typically see their work as a shared passion project, driven by the open source software processes. This culture has been the driving force behind OSS and has proven extremely successful over the last few decades by revolutionising the methodologies used to develop, build and maintain software. Restricting this creativity and innovation is not the CRA’s intent, but the concerns raised by the OSS communities seem legitimate. EU legislators have aimed to balance the need for security with the innovative nature and culture of OSS, a balance expected to extend to open source hardware in the coming years.
The CRA mandates that companies classify each product as either a “default product” or a “critical device”, of which two classes exist. The European Commission classifies 90% of products as default products. An example of a default product is a baby monitor, for which security is important but which isn’t deemed critical. “Default products” are products that cannot cause life-threatening situations, be exploited for denial of service attacks, or target other systems if they malfunction. Manufacturers must conduct their own security analysis and ensure that default products comply with the CRA. Companies must obtain a CE marking for the product and, if selling in the EU market, perform a self-assessment to ensure that their designs are secure, their development processes are security-focused, and their release and market strategies, as well as their documentation, prioritise security.
The most critical devices include devices such as internet routers for critical infrastructure, for which self-assessment isn’t sufficient. These require third-party evaluations to review the design, development, testing, and release processes, and to provide approval and recommendations for CE marking. This process significantly impacts companies by increasing overhead. For software products, the time dedicated to security may be as high as 20%, making these products correspondingly 20% more expensive.
The CRA is part of a broader effort by European legislators to incrementally enhance security and safety guarantees for digital life and internet use, which is significantly influenced by OSS communities.
Considering the likely impact of CRA enforcement on their production processes, companies need to start preparing now by evaluating the impact of the CRA on their operations and consulting legal advisers to ensure proper self-assessment and implementation of the CRA requirements in the coming years.
Any business attempting to bypass these regulations will face significant sanctions: administrative fines of up to €15 million or 2.5 percent of their global annual turnover from the previous fiscal year, whichever is higher. Additionally, providing incorrect, incomplete, or manipulated information to market surveillance authorities can incur fines of up to €5 million or 1 percent of global annual turnover from the previous fiscal year, whichever is higher. These substantial penalties are designed to ensure compliance among manufacturers.
The CRA also requires manufacturers to provide security fixes for the expected lifetime of their product. This needs to be clearly communicated to the user. The manufacturer is free to decide on the lifetime of the product, but there is a mandatory minimum of 5 years. The European market surveillance authorities can also compel a manufacturer to provide support for a longer period than stated if the stated support period differs too much from the actual lifetime of the product, or if competing products provide considerably longer support periods. This requirement has serious implications for the update mechanisms and release strategy a manufacturer employs.
How can companies prepare for the CRA?
A company may choose to implement the CRA by simply adhering to the rules it prescribes for each step in its production or manufacturing process. However, this approach may restrict potential growth. A better way to implement the CRA seems to be to associate it with an overall strategy for innovation. A specific example of such a strategy would be establishing an OSS program office (OSPO), similar to those at Porsche or Boeing. Such an OSPO makes it possible to monitor security aspects on a wider scale, to leverage the knowledge of entire communities, to mitigate risks early, and to integrate patches and fixes early in the software development cycle. This is commonly referred to as ‘shift left’ and is commonly associated with a substantial reduction in production costs. It helps a company make effective use of OSS while maintaining its core focus on innovation. The key question is how such an office should be set up and operated.
Key responsibilities for the OSPO include:
o Monitoring relevant OSS projects: Continuously track which OSS packages are important, their legal implications, and their impact on safety and security programs and products.
o Building bridges: The OSPO connects a company with relevant OSS communities to create a natural interaction with these communities both to ensure a smooth implementation of new OSS infrastructure when it is needed and to provide direction to existing projects and programs.
o Internal Communication: The OSPO communicates with the executive management entities of the company to advise on strategy for future software development.
Mind can assist companies in two primary ways:
For Larger Companies
o Advice and Guidance: Mind can help establish and structure the OSPO, determine necessary documentation and communication levels, and ensure compliance with the CRA and other relevant legislation like NIS2. Mind can advise on handling OSS, identifying critical OSS packages, and addressing potential vulnerabilities affecting their products or services.
o Security Audits: Mind can conduct security audits based on the CRA’s guidelines, help document security elements of products and provide tangible, actionable insights.
For Smaller Companies
o Service Role: Mind can take on the role of an OSS program office and manage OSS responsibilities on behalf of the company. This includes ensuring compliance with the CRA, managing security considerations, and maintaining necessary documentation.
The CRA has heightened awareness of OSS within companies, reflecting a growing long-term trend in the industry. Companies increasingly recognise the importance of OSS and the need to integrate it securely into their operations. As an OSS supplier with many years of experience, Mind is an ideal partner for helping companies continue to leverage the Open Source communities, now and in the future.