The EU Cyber Resilience Act (CRA) is coming hard and companies need to be prepared, warned Chris Jones, Director of Applications at Crypto Quantique in his talk at Hardware Pioneers.
In part three of a series of interviews with experts who presented at Hardware Pioneers, Jones spoke to IoT Insider after his talk and elaborated on its major points, including the importance of being prepared for the Act and of providing clarity.
The CRA, which was approved by the European parliament in March 2024, is due to be implemented by the end of 2024/start of 2025, with requirements taking effect approximately 36 months after. It outlines the cybersecurity requirements for hardware and software products with digital elements placed on the EU market, and takes a stronger approach towards strengthening cybersecurity and tackling vulnerabilities.
Jones tried to walk the line carefully in his talk between warning and scaremongering, pointing out that what were once best practices and advice are going to become enforceable legislation, and that companies need to prepare accordingly.
“We wanted to emphasise that the CRA is coming in, because we’re hearing a lot of companies don’t know about it and therefore aren’t preparing for it,” Jones told IoT Insider. “From what I said in my talk, it [CRA] requires a lot of documentation work, right from the beginning of a design to the end; everything has to be documented. We’re trying to get people to understand they have to do it, but there are certain areas in there that are quite difficult to do.”
Failure to comply can result in vulnerable products, reputational damage and fines. Failure to display the CE mark can also result in a product being restricted or withdrawn from the market.
“GDPR is a very good case in that you saw GDPR all of a sudden – although it had been around for a while, and there were a lot of attempts to get people aware of it, it wasn’t until the message popping up about cookies that people woke up,” Jones explained. “That’s what’s going to happen with CRA.”
Jones said that the CRA had been “coming for a long time”, and is somewhat targeted at device manufacturers who he sees as being complacent in believing their security is good enough. “That’s a phrase we hear a lot,” he said, in reference to security being “good enough”. “And with a CRA you can ask, what’s your risk analysis? How have you determined that? A common response is, ‘Oh, we didn’t do anything’, so how do you know you’re secure enough?”
Another common scenario Jones has witnessed is manufacturers who must implement security shying away from doing it themselves because of the cost, and instead relying on microcontroller companies. Those companies find it difficult to charge for additional security features and consequently have little interest in promoting a high standard of security, either.
“To be fair to them, they [microcontroller companies] have continued to add security peripherals to microcontrollers,” Jones countered. “But customers are still finding it too complicated. So they put the chip on their board, sell the product and if they’re asked if the product has security on it, they can say yes – but they haven’t directly implemented it.”
Better communication and better tools would help to resolve this scenario, Jones explained. “One of the things in the industry is a hardware security function called Trust. It’s implemented in our microcontrollers, but it’s very difficult to actually get to work and we found a lot of customers really struggle with getting it to operate in their product.” As a result, customers try to seek out software that enables them to use this security function, “but we can provide you with the embedded software to help you use those security functions,” he stressed.
On the pressing question of whether he thought the Act was long overdue, Jones stated: “It definitely needed to be brought a little bit earlier. There have been a lot of advancements in the microcontroller industry with the addition of security functions. The functions have been in there for quite a while but it’s only when the legislation will come in that people will have to use them in their products.
“Once they’ve got over that initial pain, it will become standard practice,” Jones concluded.
This is part three of a four-part series.