The clock is ticking for Europe, writes David Haslam, Head of Software Engineering at Crypto Quantique, as the Cyber Resilience Act deadline looms.
As the European Union’s Cyber Resilience Act (CRA) looms on the horizon, manufacturers, importers, and distributors of digital products are scrambling to adapt to a new era of stringent cybersecurity requirements.
With the clock ticking towards the Act’s December 2027 deadline for full implementation, many industry insiders are questioning whether the sector is prepared for the sweeping changes ahead.
The CRA landscape: a seismic shift in device security
The CRA, which became law on December 10, 2024, represents the EU’s most ambitious attempt yet to safeguard consumers and businesses from cybersecurity threats.
Quoted in a recent European Parliament press release, Lead MEP Nicola Danti (Renew, IT) said: “The Cyber Resilience Act will strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike, making the EU a safer and more resilient continent.”
This legislation introduces mandatory cybersecurity standards for a vast array of products with digital elements (PDEs), from smart home devices to industrial control systems.
However, the road to compliance is fraught with challenges. Many companies are only now beginning to grapple with the extensive obligations imposed by the CRA, which include:
- Implementing essential cybersecurity requirements throughout product lifecycles
- Conducting rigorous conformity assessments
- Establishing robust vulnerability management processes
- Providing timely security updates for at least five years
Industry preparedness: a mixed picture
Despite the CRA’s looming implementation, industry readiness appears uneven at best. Smaller manufacturers, in particular, may struggle with the technical and financial demands of compliance. The spectre of hefty fines – up to €15 million or 2.5% of global turnover – hangs over those who fail to meet the mark.
Jimmy Ahlberg, Director Open Source Policy at Ericsson’s Open Source Program Office, illustrated the challenge for many firms with this ‘CRA awareness curve’ at a recent presentation:

CRA is a seismic shift in how organisations now need to approach product security. It spans device design to final disposal and experts have warned that many companies still underestimate the complexity of the task.
Crypto agility: the unsung hero of CRA compliance
Amidst the flurry of preparation, one critical concept is emerging as a linchpin of long-term CRA compliance: crypto agility. This approach, which enables systems to swiftly adapt their cryptographic mechanisms, is becoming increasingly vital in an era of evolving threats and quantum computing advancements.
Without it, companies that put processes in place, then sat back and considered themselves compliant, may become exposed to new vulnerabilities, particularly when standards change.
Indeed, the CRA’s emphasis on ongoing security updates and vulnerability management makes crypto agility a cornerstone of compliance strategy. Companies that fail to build this flexibility into their products may find themselves struggling to keep pace with the Act’s requirements.
The core of crypto agility is switching cryptographic algorithms to keep pace with the threat landscape. However, if crypto agility is interpreted in a holistic way, which is the essence of the approach to cyber security advocated by the CRA, the concept may be extended into the broader domain of security lifecycle management.
By way of example, here are five ways in which crypto agility improves IoT security in industrial environments:
- Crypto agility allows industrial IoT networks to quickly update cryptographic algorithms and protocols across devices when vulnerabilities are discovered. This capability enables swift patching of security flaws, minimising potential downtime and security breaches in critical industrial systems
- Industrial IoT devices with crypto agility can seamlessly transition to new cryptographic standards, such as post-quantum cryptography, without requiring hardware replacements. This futureproofing ensures that industrial systems remain secure against emerging threats, including those posed by quantum computing
- Crypto agility supports the implementation of advanced device identity architectures, which provide a robust framework for device authentication and secure communication. The framework includes secure provisioning of initial device identities during manufacturing, and simplified and secure onboarding of new devices into industrial IoT ecosystems. It may also facilitate frequent rotation of local device identities throughout the device lifecycle
- By incorporating crypto agility, industrial organizations can better manage the lifecycle of digital certificates used in their IoT networks. This includes:
  - Automating certificate provisioning and renewal processes
  - Quickly revoking and replacing compromised certificates
  - Ensuring compliance with evolving industry regulations and standards
- Crypto agility allows industrial enterprises to work with hardware vendors that provide regular security updates and support the latest cryptographic algorithms. This flexibility minimises risk and improves the overall security posture of the industrial IoT network
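
The algorithm switching described in the list above, as an added example (not code from the article or from Crypto Quantique): each integrity tag carries an algorithm identifier, and a verifier-side policy decides which identifiers are accepted, so retiring an algorithm is a policy change rather than a code change. The names `REGISTRY`, `Policy`, `protect`, `verify` and `migrate` are hypothetical, and an HMAC from Python's standard library stands in for the asymmetric signatures a real device would typically use.

```python
import hashlib
import hmac

# Registry of supported algorithms (hypothetical identifiers). Supporting a
# new algorithm means adding one entry here; call sites do not change.
REGISTRY = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}

class Policy:
    """Which algorithms a verifier accepts, and which one new tags use."""
    def __init__(self, preferred, accepted):
        if preferred not in accepted or not set(accepted) <= set(REGISTRY):
            raise ValueError("policy names an unknown or unaccepted algorithm")
        self.preferred = preferred
        self.accepted = set(accepted)

def _mac(key, alg, payload):
    # The identifier is bound into the MAC input so a tag cannot be relabelled.
    return hmac.new(key, alg.encode() + b"\x00" + payload, REGISTRY[alg]).hexdigest()

def protect(key, payload, policy):
    return {"alg": policy.preferred, "tag": _mac(key, policy.preferred, payload)}

def verify(key, payload, envelope, policy):
    alg = envelope.get("alg")
    if alg not in policy.accepted:  # the policy decides, not the message
        return False
    return hmac.compare_digest(_mac(key, alg, payload), str(envelope.get("tag", "")))

def migrate(key, payload, envelope, old_policy, new_policy):
    """Re-tag under the new preferred algorithm, only if the old tag verifies."""
    if not verify(key, payload, envelope, old_policy):
        raise ValueError("refusing to migrate data that fails verification")
    return protect(key, payload, new_policy)

def demo():
    key = b"constructed-demo-key"          # constructed sample values
    payload = b"device manifest, build 42"
    legacy = Policy("hmac-sha1", {"hmac-sha1", "hmac-sha256"})
    current = Policy("hmac-sha256", {"hmac-sha256", "hmac-sha3-256"})
    old = protect(key, payload, legacy)
    new = migrate(key, payload, old, legacy, current)
    # The old tag is rejected once SHA-1 leaves the policy; the new one passes.
    return verify(key, payload, old, current), verify(key, payload, new, current)
```
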
The road ahead: challenges and opportunities
As the 2027 deadline approaches, the European tech landscape faces a period of intense transformation. While the CRA promises to enhance cybersecurity across the board, it also poses significant challenges. Multi-tiered supply chains can be complex, and companies must ensure compliance throughout them. Resource constraints may limit how much smaller companies can devote to CRA compliance, and there are technical hurdles too. Implementing crypto agility in legacy systems can be particularly challenging.
Yet, amidst these challenges lie opportunities. Companies that embrace the CRA’s ethos of ‘security by design’ may find themselves with a competitive edge in an increasingly security-conscious market.
A call to action
With less than three years until full implementation, the clock is ticking for Europe’s tech sector. Industry leaders must prioritise CRA compliance, with a particular focus on building crypto agility into their product ecosystems.
One EU official was quoted as saying: “The CRA is not just about regulation; it’s about creating a safer digital future for all Europeans. Companies that fail to adapt risk being left behind in this new landscape.”
The message is clear: in the race towards CRA compliance, crypto agility may well be the key to staying ahead of the curve – and the cyber criminals.
The challenges of implementing crypto agility can be minimised using cloud-based IoT device security platforms that streamline and automate the required processes from chip-to-Cloud.

David Haslam is Crypto Quantique’s Head of Software Engineering. He has over 25 years’ experience in leading-edge software development and is a strong advocate for agile methodologies and DevOps practices, driving efficiency and collaboration across cross-functional teams. In his previous role, his commitment to excellence and forward-thinking approach helped Avalara Inc. develop a massively scaled, cloud-based platform ahead of an $8.4 billion exit. He is adept at aligning technology initiatives with business goals, ensuring that software not only meets current market demands but is also future-proof and delights the customer.