Smart doorbells, connected cars, baby monitors, refrigerators: all products with a digital element that make our lives easier. However, these IoT products are often poorly secured and are therefore an attractive target for malicious actors. Illustrative of this is the relative ease with which our team hacked multiple charging stations in a recent hacking competition. To better protect users against such risks, European legislation is forthcoming: the Cyber Resilience Act (CRA), which imposes strict security requirements on these products. Manufacturers will therefore have to spend the coming years raising the security level of their products. What does this law entail exactly, and what should a manufacturer, importer, or distributor consider?
What is the CRA legislation?
The European CRA sets cybersecurity requirements for products with digital elements, meaning hardware and software that can connect, directly or indirectly, to another device or network. The aim of the legislation is to gain more control over cybersecurity and to better protect society. An important aspect of the CRA is that it is tied to the CE marking. This marking will soon indicate not only that a product meets the usual quality and safety requirements but also that it meets stricter cybersecurity standards.
Under the CRA, manufacturers, importers, and distributors each carry responsibility for supplying products that meet the security requirements. So even if you import and resell products bought via platforms like AliExpress, you cannot escape the obligations that the CRA entails: the importer must verify that the manufacturer has carried out the conformity assessment and supplied the required documentation.
Another characteristic of the CRA is that it is a 'regulation'. Unlike directives such as the Network and Information Security Directive (NIS), which each member state transposes into its own national law (with the local variations that brings), a regulation applies directly and identically in every EU country. As with the General Data Protection Regulation (GDPR), it cannot be deviated from. This uniformity was chosen to avoid differences per country and to ensure a standardized approach.
Why is the legislation so important?
You may wonder why everyday devices such as smart doorbells and refrigerators need to be secured. The answer becomes clear when you look at the bigger picture. While a single hacked device may seem harmless, a large group of hacked devices can, for example, be used in a DDoS attack and cause serious problems. The Mirai botnet is a striking example: it spread by logging in to IoT devices with factory-default credentials and was then used for large-scale attacks that disrupted large parts of the internet. The same could have happened with the charging stations we hacked, where even the most obvious security measures had not been taken. The CRA plays an important role in preventing this.
Implementation timing
Although the CRA text is still being finalised, the final version is expected in the first half of this year. After adoption there will be a 36-month transition period, so the obligations will apply in full in 2027. This may seem far off, but given the expected requirements, it is essential for companies to start preparing now: a product's development cycle, supply chain, and update infrastructure cannot be changed overnight.
Strict requirements
To comply with the CRA, it is first important for suppliers to understand their role and responsibilities under the regulation. The CRA classifies products, not companies, by the risk they pose: the more sensitive the function of the product you develop or market, the stricter the requirements. A first crucial step is therefore to determine into which class each of your products falls. For the default class, the manufacturer can demonstrate conformity through self-assessment, supported by a recognised security framework. Which harmonised standards will apply has not yet been decided, but consider, for example, the ISO 27002 standard as a starting point. For products in the highest-risk classes, such as firewalls, self-assessment is not enough: an independent third-party conformity assessment is required.
An important requirement that the CRA introduces is the integration of risk analysis into the software development process, so that security is considered during design rather than bolted on afterwards. Additionally, you must deliver products with a 'secure by default' configuration, which means that shared default passwords such as 'welcome123' are no longer allowed, and services that are not needed out of the box should be off. Moreover, products must ship without known exploitable vulnerabilities, and an update process must be in place where the responsibility for installing security updates does not rest with the end user.
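A manufacturer has to be able to check, unit by unit, that a factory configuration actually is secure by default: no credential shared across the whole fleet, no Mirai-style default login, no unnecessary network services on, and automatic updates on. The following Python is an added example that is not part of the original article or any CRA guidance; the credential list, service names and configuration fields are constructed for illustration and are not a real product's format.

```python
import secrets
import string

# Constructed, illustrative list of factory defaults of the kind IoT scanners try.
# Not exhaustive; a real build pipeline would pull from a maintained word list.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "welcome123"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("root", "12345"),
    ("support", "support"),
}

# Services that must be off until the owner explicitly enables them (assumed names).
RISKY_SERVICES = ("telnet", "ftp", "upnp", "remote_admin")

MIN_PASSWORD_LENGTH = 12


def is_default_credential(username, password):
    """True if the pair is a well-known factory default."""
    return (username, password) in KNOWN_DEFAULT_CREDENTIALS


def generate_device_password(length=16):
    """Per-unit random password from the OS CSPRNG (never derived from the serial)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def secure_default_config(serial_number):
    """Factory configuration for one unit: unique credential, risky services off, updates on."""
    return {
        "serial": serial_number,
        "admin_user": "admin",
        "admin_password": generate_device_password(),
        "force_password_change_on_first_login": True,
        "services": {"https": True, "telnet": False, "ftp": False,
                     "upnp": False, "remote_admin": False},
        "auto_update": True,
    }


def audit_config(cfg):
    """Return a list of findings for one unit; an empty list means it passes."""
    findings = []
    if is_default_credential(cfg["admin_user"], cfg["admin_password"]):
        findings.append("shared factory default credential")
    if len(cfg["admin_password"]) < MIN_PASSWORD_LENGTH:
        findings.append("admin password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if not cfg.get("force_password_change_on_first_login"):
        findings.append("no forced credential change on first login")
    for svc in RISKY_SERVICES:
        if cfg["services"].get(svc):
            findings.append("%s enabled by default" % svc)
    if not cfg.get("auto_update"):
        findings.append("automatic security updates disabled")
    return findings


def fleet_shares_password(configs):
    """True if any two units in the batch were provisioned with the same password."""
    seen = set()
    for cfg in configs:
        if cfg["admin_password"] in seen:
            return True
        seen.add(cfg["admin_password"])
    return False


# Constructed example of the kind of legacy firmware configuration the CRA rules out.
LEGACY_CONFIG = {
    "serial": "SN-LEGACY-1",
    "admin_user": "admin",
    "admin_password": "welcome123",
    "force_password_change_on_first_login": False,
    "services": {"https": True, "telnet": True, "ftp": False,
                 "upnp": True, "remote_admin": False},
    "auto_update": False,
}


if __name__ == "__main__":
    print("legacy findings:", audit_config(LEGACY_CONFIG))
    batch = [secure_default_config("SN-%04d" % i) for i in range(3)]
    print("secure batch findings:", [audit_config(c) for c in batch])
    print("fleet shares a password:", fleet_shares_password(batch))
```

The audit runs against the configuration image that goes onto each unit, so a regression (someone re-enabling telnet for debugging, or a provisioning script that reuses one password) fails the build rather than reaching customers. The password is drawn from `secrets`, not derived from the serial number or MAC address, because anything derivable from a label printed on the box is effectively a shared secret.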
The law also introduces the obligation to define a clear support period during which security updates are provided, of at least five years unless the expected period of use of the product is shorter. This transparency about the lifespan of a device enables consumers to make better-informed choices, and it forces manufacturers to plan, and budget for, vulnerability handling after the sale.
As under NIS2, companies covered by the CRA must report actively exploited vulnerabilities and severe security incidents. An early warning must be given within 24 hours of becoming aware, followed by a notification with details within 72 hours, and a final report within 14 days of the incident. Additionally, the law includes penalty clauses with fines of up to 2.5% of a company's worldwide annual turnover (or EUR 15 million, whichever is higher), depending on the seriousness of the situation.
The importance of cybersecurity for IoT manufacturers
Although implementing the CRA is a challenging process, it signifies an important step towards a safer society. Producers and importers are forced to improve their products, address known vulnerabilities, and be transparent about the lifespan of their products. The reporting obligation also puts extra pressure on manufacturers to communicate proactively and to report incidents quickly, which requires a working vulnerability-handling process, not just a contact address. To prepare properly, companies will need to take action now and invest in cybersecurity, both to comply with the CRA and to contribute to overall digital security.