Understanding the Cyber Resilience Act's impact on embedded devices
Embedded devices, ranging from sensors to special vehicles and medical devices, play a crucial role in modern infrastructure. Yet, their inherent connectivity exposes them to cyber threats.
The Cyber Resilience Act (CRA) recognizes this vulnerability and makes equipment manufacturers responsible for cybersecurity throughout their products' lifecycle.
That is why it will introduce fines ranging from €5 million to €15 million, or 1% to 2.5% of global annual turnover. The severity of these fines will depend on many factors (the nature, gravity and duration of the infringement, cooperation with authorities, prior instances of non-compliance). These penalties underscore the imperative for manufacturers to prioritize cybersecurity and avoid the repercussions of non-compliance.
Key actions to secure embedded devices and comply with the Cyber Resilience Act
- Secure-by-Design development and maintenance: Manufacturers must prioritize cybersecurity at all stages of the product lifecycle, starting from the initial design phase. This includes implementing robust security measures, such as encryption and access controls, to mitigate potential vulnerabilities.
- Comprehensive cybersecurity documentation & risk assessment: A core obligation under the CRA is the thorough documentation of cybersecurity risks associated with embedded devices. Manufacturers must conduct comprehensive risk assessments and address potential attack surfaces to ensure the security of their products.
- Transparency & reporting on security vulnerabilities: In the event of a cybersecurity incident, manufacturers of embedded devices will need to give visibility to their customers and partners. They might also need to report to relevant authorities, such as the European Union Agency for Cybersecurity (ENISA), to mitigate the impact of security breaches.
- Continuous monitoring of CVEs and regular application of security updates: The CRA mandates continuous management of Common Vulnerabilities and Exposures (CVEs) for embedded devices. Manufacturers must stay vigilant against emerging threats, providing timely security updates and patches throughout the product's lifecycle to address vulnerabilities effectively.
Different requirements depending on security risk categories
The CRA classifies products based on their cybersecurity risk level, with distinct requirements for each category.
- “Unclassified or Default” products: for now, the security measures for these kinds of products are unspecified.
- “Class I” products, characterized by lower-risk criticality (like MCU-based devices), may require either self-assessment or third-party conformity assessments to meet CRA standards.
- In contrast, “Class II” products, deemed high-risk, necessitate mandatory third-party assessments by independent laboratories approved by the EU. MPU-based products will be in this category.
These diverse requirements emphasize the need for tailored cybersecurity strategies aligned with the specific risk profile of each product category.
Factsheet about the EU Cyber Resilience Act
While the CRA presents clear guidelines for securing embedded devices, manufacturers may encounter challenges in achieving compliance, including interoperability issues and managing legacy devices. Addressing these challenges requires a proactive cybersecurity approach, integrating security measures and tooling across the product lifecycle. Collaboration with cybersecurity experts and adherence to industry best practices are essential for navigating the compliance landscape effectively.
Useful link: Cyber Resilience Act | Shaping Europe’s digital future (europa.eu)