On the 15th of September 2022, the European Commission published the proposal for the Cyber Resilience Act (CRA), one of the key pieces of legislation in the European cybersecurity legislative framework. The CRA aims to create a horizontal regulation that puts forth the requirements for safely placing products with digital elements on the European Single Market, ensuring that manufacturers are held accountable for the cybersecurity of their products, and fostering awareness of cybersecurity issues and best practices among end users.
The aim of this regulation is to create a security-by-design approach to placing products on the market, where manufacturers are obliged to ensure the security of their products throughout their entire life cycle: from planning to maintenance, manufacturers must guarantee the security of their products by making security updates available for at least five years and by reporting exploited vulnerabilities and incidents to ENISA.
The legislation distinguishes between different types of products based on their risk profile: 90% of products, according to a fact sheet released by the Commission, will require a self-assessment. Critical products (such as password management software, firewalls, etc.) will be defined as Class I. Class I products will require the application of a harmonised standard or a third-party assessment. Highly critical products (such as operating systems and industrial firewalls) will be deemed Class II. Class II products will necessarily go through a third-party assessment.
This regulation, together with other key pieces of European legislation on cybersecurity (such as the NIS2 Directive, the Cyber Security Act and DORA), moves in the direction of creating a more secure digital sphere for all products and services in the European Market.
Regarding the effect that the Cyber Resilience Act could have on European businesses that produce software and hardware within the scope of the proposal, the horizontal nature of this regulation creates a need to align different pieces of legislation (such as the ones mentioned above) in order to facilitate the due diligence and compliance of companies. Compliance with cybersecurity standards (not only for products and services but also for processes) can be a difficult task for SMEs and smaller entities that have fewer resources to invest.
For this reason, it is of the utmost importance to avoid a one-size-fits-all solution when creating those standards, which are usually developed with the resources of larger companies in mind and are unrealistic when applied to SMEs. It is therefore fundamental that guidelines and tools are made available to all those actors that could be negatively impacted by this regulation. One example of such tools, specifically tailored for SMEs, is the pair of guides on the ISO 27001 and ISO 27002 security standards published by the European DIGITAL SME Alliance. It is also important that the voice of SMEs is heard alongside other players that may have more visibility. Standards and requirements not only need to be adapted, but also need to be co-designed to better reflect the needs of all the stakeholders that may be affected.
To increase the visibility of SMEs’ opinions on this regulation, the European DIGITAL SME Alliance has also published a survey on its website where SMEs can share their thoughts on the impacts of the Cyber Resilience Act.
The ISO guides are accessible at the following links:
- New SME Guide on Information Security Management: the standard ISO27001 made easy for SMEs.
- New SME Guide based on ISO/IEC 27002 standard: Essential controls for SMEs to protect user’s privacy and data and ensure GDPR compliance.