The European Commission’s Cyber Resilience Act is on the brink of becoming Europe’s most encompassing cybersecurity legislation for products. Recent amendments have clarified the law’s applicability, and experts view its formal ratification as assured.
“From our viewpoint on security analysis, the detailed specifications of the CRA are highly appreciated, enhancing security levels for end-users and consumers. The legislation has redefined the categories of devices: Article 6 introduces two new cybersecurity risk categories for essential hardware and software, whose primary functions are detailed in Annex III of the Regulation. A particular category is designated for exceedingly critical systems and equipment. Notably, all smart home devices and interactive toys are now explicitly covered.
Through our evaluations, we’ve identified that such devices often harbour considerable security flaws, which could be swiftly pinpointed and remedied through automated analysis. The segment concerning industrial products and routers, previously overlooked in earlier drafts, warrants further tightening,” states Jan Wendenburg, CEO of ONEKEY.
This German firm offers a platform for product cybersecurity and compliance analysis, examining software in network-accessible devices to provide a precise SBOM and comprehensive security risk assessment of potential vulnerabilities. ONEKEY proactively identifies and addresses critical security weaknesses and compliance breaches in embedded software, notably in Internet of Things devices, overseeing them throughout their lifecycle. The newly introduced ONEKEY Compliance Wizard simplifies the creation and external certification of the required compliance self-declaration for manufacturers.
Urgent adaptation required by manufacturers
The 36-month transition period allowed by the EU is seen as insufficient by many manufacturers, as product and software development often spans years, necessitating immediate action. ONEKEY’s automated platform swiftly detects vulnerabilities and compliance issues, offering significant time and cost savings during the development of connected devices. The latest CRA draft mandates quicker vulnerability disclosure: “New vulnerabilities must be reported to national regulators and the European Network and Information Security Agency (ENISA) within 24 hours. For firms producing or selling internet or network-connected devices, prompt risk management and in-depth product analysis are crucial to identify and rectify potential critical zero-day vulnerabilities well ahead of the CRA’s implementation,” continues Jan Wendenburg of ONEKEY. The SBOM will be a pivotal element in future security frameworks, as endorsed by the EU and agencies like the German Federal Office for Information Security (BSI).
SBOM at a click
The responsibility for open source software has been redefined in the latest CRA draft, exempting open source organisations and individual contributors from liability and placing the onus on commercial users or distributors of the software.
The BSI has issued specific SBOM guidelines. ONEKEY is already equipped to fulfil the demands for transparent analysis and documentation of software supply chain components. The ONEKEY Product Cybersecurity & Compliance Platform conducts exhaustive software and firmware analyses, alongside vulnerability risk assessments and component listings. “Our technology enables detailed software analysis across all device categories defined by the EU,” explains ONEKEY CEO Wendenburg. The platform’s integrated compliance check automatically verifies adherence to current and future legal technical standards such as IEC 62443-4-2, ETSI 303 645, or the EU Cyber Resilience Act. The innovative, patent-pending Compliance Wizard will greatly expedite the production of mandatory compliance self-declarations through a virtual assistant, facilitating single-click data exportation to certifiers for external certification.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.