Cyber Resilience Act the key component of the new cyber legislation in the EU

Interview with Hugo Cornelis & Frank Vanbever – Part I

From microwaves to electric bikes, products and software that contain a digital element are ubiquitous in our daily lives. However, the security risks associated with these technologies are often less apparent to users. The Cyber Resilience Act (CRA), proposed by the European Commission and approved by the European Parliament, sets out cybersecurity requirements for “products with digital elements” placed on the EU market. The CRA is set to enter into force in the second half of 2024, as soon as the Council of the EU approves it. Manufacturers will have to comply with the CRA in order to affix the CE marking to their products, which is required to place a product on the EU market. This requirement takes effect 36 months after the CRA enters into force, which is expected to be late 2027. The CRA forces manufacturers to treat security as an integrated part of a product’s life cycle rather than as an afterthought. This is a big step forward for the EU, and it will be an example for other countries to follow.

We asked our colleagues, senior embedded developers Hugo Cornelis and Frank Vanbever, for their thoughts on the CRA.

Why is the CRA being implemented? Why is it important?

Cybercrime causes serious financial damage to businesses in all types of industries in our society. According to Statista, the cost of cybercrime was $8.15 trillion globally in 2023. It is estimated that losses will continue to increase in the future.

Over the years, the EU has been addressing this problem through the development of a series of laws to protect privacy and improve security. Firstly, as an answer to fight cybercrime, the European Union adopted the General Data Protection Regulation (GDPR) in 2016. GDPR governs how the personal data of individuals in the EU may be processed and transferred. GDPR has had an enormous impact on all organisations. Its impact on companies in the IT sector has been even more profound. Additional solutions to fight cybercrime are the EU implementation of NIS2 and the CRA. The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. It ensures a culture of security across sectors that are vital for our economy and society and that rely heavily on ICT, such as the energy, transport, water, banking, financial and healthcare markets. For example, organisations that provide telecom services, such as Proximus, must comply with NIS2.

Unlike NIS2, which applies to services, the CRA applies to physical products. Its importance is appreciated from the observation that digital hardware and software products are prime targets for cyberattacks. In a connected environment, a cybersecurity incident in one product can compromise an entire organisation or supply chain, often even spreading beyond internal market borders within minutes. A first objective of the CRA is to mitigate these risks.

Before making products available in the EU, manufacturers must carry out a conformity assessment and affix the CE marking to their product. Products will have to be designed with cybersecurity in mind, ensuring they meet all necessary requirements. This includes having a security policy in place, a designated point of contact, guaranteed follow-up on security issues, and providing documentation for the end user on secure usage practices and potential risks. The CE marking reassures users of the product’s security, while providing additional resources such as documentation and a point of contact for further support. In other words, the CRA offers numerous assurances for the end user. As such, the ultimate intention of the CRA is to protect the end user.

What does it mean for companies?

The CRA puts a lot of responsibility on manufacturers, impacting their business and manufacturing processes. Companies will be forced to provide a valid point of contact, ensure that manuals include detailed security documentation beyond ordinary user instructions, and thoroughly analyse their products for possible security incidents and mitigation strategies. The CRA mandates that security considerations be integrated throughout the production process, from design and development to testing and release, covering both hardware and software. All these steps must be meticulously documented, including specific chapters on security considerations. There will certainly be a significant cost in improving the security-by-design model for many businesses. Companies will have 36 months to adapt to the new requirements of the CRA.

What are the implications for the Embedded Software industry?

Connected embedded devices fall under a special category because they incorporate both hardware and software, often using open source software (OSS). There are two key considerations. Firstly, the open source nature of both software and hardware: while OSS has already significantly impacted society, Open Hardware is expected to have a similar impact in the next 5 to 10 years. Secondly, OSS is highly innovative and widely used, with, as an example, Linux being the most widely used operating system globally, operating Amazon’s and Facebook’s most critical services 24/7. OSS is already everywhere, often without users knowing it. The first version of the CRA didn’t take the culture of OSS into consideration: despite its high quality, OSS is typically developed in small incremental steps, which does not easily map to company processes, and consequently to the requirements of safety or security standards, including the first versions of the CRA.

For the CRA specifically, OSS communities, such as the Linux Foundation, have advocated for recognition, leading to a revised version of the CRA submitted in December 2023, which now takes important aspects of the OSS culture into its framework. The EU Commission thereby acknowledged the significant societal impact of OSS and the negative consequences for innovation when the cultural aspects of OSS are not properly taken into account.

Other well-known open source foundations, such as the Debian Project, also raised legitimate concerns about the CRA. For instance, the Debian Project points out that requiring manufacturers to report software vulnerabilities to a central body could create a single point of failure. If this central database is compromised, it could expose critical information to malicious actors. The Debian Project emphasises the importance of avoiding this problem by advocating for a more distributed database, thereby ensuring there is no single point of failure, a strategy they are known for and follow rigorously.

A special session was organised at the FOSDEM 2024 conference to bring representatives from the EU and the wider open source community together. The feedback from these sessions proved fruitful in informing the further development of the CRA in a way that supports the vibrant worldwide open source landscape while also ensuring consumer protection. These sessions were recorded and are available on the FOSDEM website.

Companies in diverse markets, such as Boeing in avionics and Huawei in telecommunications, recently started to show an increasing interest in the general relationship between Linux and safety and security standards. This has resulted in the foundation of the ELISA project, with the aim of making it easier for companies in general to build and certify Linux-based applications.

To be continued…