In March 2024, the European Parliament ratified the Cyber Resilience Act (CRA), which is set to be published in the upcoming weeks, marking the commencement of the transition period. “Companies should immediately assess how the requirements of the CRA will affect their own products and how they can ensure full compliance as soon as possible. This will require adjustments to their own production and development processes, which are now more tangible based on the latest iterations,” said cybersecurity expert Jan Wendenburg, Managing Director of ONEKEY.
Dusseldorf-based company ONEKEY has submitted a patent application for a solution known as the Compliance Wizard, streamlining key procedures for manufacturers, importers, and sellers of technology products with digital components. This tool facilitates a comprehensive cybersecurity assessment by combining automated vulnerability detection, CVE prioritisation and filtering, and an interactive compliance questionnaire, thereby reducing the time and cost involved in cybersecurity compliance processes significantly.
The EU has outlined severe penalties for security breaches, meaning there is all the more urgency for companies to ensure compliance, including fines for companies and directors, as well as the possibility of withdrawing the CE mark from manufacturers, distributors, and importers, which will lead to a ban on sales across the EU market.
CRA readiness assessment
With the CRA, the principle of “security by design” becomes legally binding, requiring ongoing risk assessment and immediate rectification of security vulnerabilities for products with digital elements. Manufacturers must exercise due diligence when procuring third-party and open-source components to ensure the integrity of the final product.
However, until now, there has been a lack of information regarding the CRA’s basic requirements and uniform standards. This is set to change, as the EU Commission has announced horizontal standards for key activities and safety requirements, as well as vertical standards for crucial products. “The EU Commission has already announced horizontal standards for key activities and safety requirements, as well as vertical standards for important and critical products – 42 in total. This – and the corresponding tools such as our Compliance Wizard – will enable companies to analyse more quickly what needs to be implemented in order to achieve compliance with the CRA,” explained Jan Wendenburg.
Documentation Requirements with SBOM
As part of the documentation requirements, manufacturers must maintain a software bill of materials (SBOM) and scrutinise the entire supply chain for product and component security. Automation is crucial for maintaining product-focused processes without inflating retail prices. The SBOM, a comprehensive list of all software components used in a product, including concealed ones, must be regularly updated.
“Manufacturers, importers and retailers should be aware that the SBOM must be kept up to date. Every patch or update requires an update of the SBOM, ideally automatically,” advised Jan Wendenburg.
The Compliance Wizard also automates SBOM creation and maintenance. Beyond tooling, many companies may not fully understand what falls within the scope of “products with digital elements”.
“Mobile devices such as laptops, smartwatches, smart home devices such as thermostats or smart electricity meters and, above all, the huge and particularly high-risk area of industrial control systems through to motor vehicles all fall under this category – in other words, everything that is connected to an IT network or the Internet,” concluded Jan Wendenburg.