Overview: Cyber Resilience Act
The Cyber Resilience Act, an overview
For some time now, we at ./kernel concepts have been working on the Cyber Resilience Act (CRA for short), which was passed by the European Parliament in March 2024. In this blog post, we have compiled and prepared the most important information about the CRA for you.
What is the CRA?
The Cyber Resilience Act aims to protect customers and users of products with a digital component more reliably. [1]
This is a new law which stipulates that all products placed on the market in the EU must comply with certain guidelines, depending on their risk class. To this end, every product that falls under the regulations must bear a corresponding label in order to be sold. According to the EU definition, virtually all end devices and software components are covered by the new requirements.
For end consumers, this applies to consumer electronics, smart home components, smartphone apps and PC software, for example. In the B2B sector, many components for industrial, environmental and energy technology are covered by the regulation, e.g. sensors, control systems, systems for data processing and analysis, HMI systems, etc. Of course, this also includes medical technology.
What does the CRA mean for customers?
Not much will change for buyers of such devices for the time being. They can look forward to the new security standards for their purchases and will be able to find out about known security vulnerabilities in the products they use at any time. However, it is possible that the increased development costs will have an impact on product prices.
What does the CRA mean for companies?
This is where the list of effects becomes more extensive. Every manufacturer that sells products in the EU must ensure that its hardware and software meet the necessary security standards once the CRA comes into force. To do this, it must obtain the relevant certificates. For all products in the standard category, the manufacturer must submit a declaration of conformity and document the measures taken in order to obtain the required CE mark. [2]
For all products that do not fall into the standard category, an inspection by an appropriate authority is required before the corresponding label can be affixed.
It is estimated that around 90 % of all products fall into the standard category. Products and software that do not perform cybersecurity-related tasks (e.g. social media apps, video games or networked household appliances) fall into this category.
The majority of the remaining products are divided into two classes. Class I includes products that are classified as cybersecurity-relevant (e.g. anti-virus programs and network components). Class II is used for products that are also considered security-relevant and whose compromise would have more far-reaching consequences than that of Class I products. Examples include industrial firewalls and SCADA systems.
In addition, there is a fourth category, which is defined in a further annex to the CRA. Only a few products fall into this category, and they are placed there only if they are relevant to the security of critical infrastructure. [2,3] One example is smart metering gateways for transmitting energy consumption data.
Obtaining the certificate does not complete the work, however: every company must also provide security updates for its products throughout their entire service life. In addition, any security vulnerability that becomes known must be reported to the relevant authority within 24 hours [4], which will then pass on the known risks to end customers.
All these new requirements will present companies with a major challenge and will significantly increase the working time required on each project.
What does the CRA mean for us?
We have been pursuing the concepts of “security by design” and “security by default” since before the CRA was adopted. We are developers with responsibility, and it goes without saying that we focus our development on security and freedom from errors right from the planning phase. In the past, however, it has become apparent that this was not pursued consistently in every project, even after our part of the development had been completed.
The CRA will enable us to provide even more advice in future and to support our customers with their projects not only in the development phase but throughout the entire life cycle of the product.
The CRA also presents us with a major challenge. Especially in documenting and evaluating open source components and in maintaining patches, we will have to invest considerably more resources than in the past. Together with our customers, we will work out what this means for projects in practice.
Open source under the CRA
The first draft of the law was highly problematic for open source development and would probably have brought it to an almost complete standstill. The problem was that the first version of the CRA required all code developers to certify their work. However, since many developers write tools and code privately and make them available to other developers free of charge for further use, in most cases they would not have had the capacity to comply with these guidelines. Consequently, they would have had to stop development. That would have been a hard blow for software development in general. In hardly any other industry do remote colleagues help each other with their work as naturally as in software development. The first version of the CRA would have made this impossible. [5]
However, a good solution was found for this. In the final legal text, the obligation to comply with the guidelines falls on those who use the software for their commercial interests. [6]
What is the current state of affairs?
The CRA was adopted by the European Parliament in March 2024. There will be a transitional phase of 36 months until the rules come into force. We have already started to meet with some customers to plan the implementation of the new rules in our joint projects, and we recommend that other companies also address the issue promptly.
Links
[1] https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
[2] https://www.security-insider.de/eu-cyber-resilience-act-cra-neue-vorgaben-vernetzte-produkte-a-da11d4f61a65be1d98a29ca7a7794c6f/
[3] https://legal.pwc.de/de/news/fachbeitraege/europaeische-kommission-verabschiedet-entwurf-fuer-cyber-resilience-act
[4] https://www.dihk.de/de/themen-und-positionen/wirtschaft-digital/dihk-durchblick-digital/cyber-resilience-act-cra–90956
[5] https://www.golem.de/news/cyber-resilience-act-grosse-auswirkungen-auf-open-source-befuerchtet-2301-171517.html
[6] https://www.golem.de/news/cyber-resilience-act-open-source-entwickler-bedanken-sich-bei-eu-fuer-einlenken-2402-181869.html