In an exclusive article for IoT Insider, Gianni Cuozzo, Founder and CEO of Exein, poses the question: does the Cyber Resilience Act go far enough? Or could more be done?
As the digital landscape evolves, the importance of robust cybersecurity measures cannot be overstated. The Cyber Resilience Act (CRA) represents a significant milestone in the journey towards unified IoT security standards across Europe. For years, IoT security protocols have varied widely according to different regions and jurisdictions, leading to a fragmented approach that left significant gaps and vulnerabilities.
Manufacturers and businesses have welcomed the CRA as a necessary step towards greater regulatory alignment. However, there remain concerns that the CRA may not go far enough in addressing the wide-ranging cybersecurity threats we face today. In an increasingly complex IoT ecosystem where connected devices sit at the heart of critical infrastructure, in our homes and even in the cars on our streets, are we going far enough to safeguard our society?
Security necessitates shared accountability
The Cyber Resilience Act is the first law of its kind to regulate the software industry. It aims to improve the cybersecurity of products and software that are ubiquitous in our daily lives, ranging from baby monitors and smartwatches to firewalls and routers. It also seeks to empower consumers, allowing them to make more informed choices when using IoT devices. Once the CRA applies, the security of these products will be the responsibility of the entire supply chain involved in their creation and distribution.
To guarantee accountability throughout the entire supply chain, the law includes several requirements for manufacturers, importers and distributors, but each will be impacted in different ways.
Manufacturers must explicitly assess the cybersecurity risks and requirements of a product during all phases of product development and conduct regular tests and reviews to actively verify the security of the product throughout the support period. The manufacturer must also report an exploited vulnerability to the EU Agency for Cybersecurity (ENISA) without undue delay and in any event within 24 hours.
Importers and distributors must ensure that the manufacturer has carried out the relevant conformity assessment, that the CE marking has been affixed, and that the product comes with all the relevant documentation and instructions. If they believe a product presents a significant cybersecurity risk, they must inform the manufacturer immediately.
Ensuring both sides of the supply chain have shared accountability for security decreases the overall risk posed to the supply chain.
Does the CRA go far enough?
Some industry experts argue that the CRA doesn’t go far enough. Although the regulation provides consistency, there must be a greater focus on the need for automatic and continuous security improvement. Particularly following a recent warning of a China-backed “botnet” of more than 260,000 compromised devices, it is essential that businesses incorporate a software agent that can automatically manage the security of the device.
The CRA recommends proactive updates and patches for customers, but this isn’t enough. If malicious actors are using automated technology to infiltrate networks and devices, businesses should also use automated technology to defend against them.
Additionally, for most products encompassed by the CRA, manufacturers can self-declare that the necessary requirements were met. While the product’s technical documentation can provide a basis for future audits, allowing manufacturers to self-declare creates risk as companies may prioritise cost and speed over security. Without independent verification, there’s a risk of inconsistent standards and undiagnosed vulnerabilities.
The CRA also does not cover services that are unrelated to a product, such as cloud applications like Dropbox or search engines like Google Search. However, any remote data processing without which a product cannot perform one of its functions is considered part of that product and must comply with all CRA requirements.
The future of the supply chain and IoT security
Implementing the necessary changes to comply with the CRA will likely involve substantial investments, particularly for small and medium-sized enterprises (SMEs). Businesses will need to invest in new technologies, expertise, and processes to meet the CRA’s requirements, which could increase operational costs. For some, the compliance burden may be seen as a barrier to innovation or market entry.
Overall, the Cyber Resilience Act will reshape the landscape of digital products and services, requiring businesses to adopt a security-first approach. While it will increase costs and compliance obligations and certain aspects of the legislation remain unclear, it will ultimately enhance trust, drive innovation in cybersecurity, and provide competitive advantages to businesses that prioritise resilience.
Long-term, the CRA may also act as a global benchmark for cybersecurity standards, influencing not just the EU but businesses worldwide. The Cyber Resilience Act represents a positive step forward, but the question remains: will it be enough?

Gianni Cuozzo is the Founder and CEO of Exein, an Italy-based embedded IoT security company building digital immune systems for more than 80 million devices daily.
Author: Gianni Cuozzo, Founder and CEO, Exein