The CRA stipulates clear security requirements for products, including access protection, the protection of confidentiality, integrity, availability, and even a secure delivery state. In order to ensure a secure development process, these aspects must be taken into consideration above all during design, development, and manufacturing.
The Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) represents a groundbreaking development in the field of cybersecurity. It defines clear obligations for manufacturers of digital products, in particular with regard to the implementation of security-by-design. In order to obtain the coveted CE marking, future products are subject to minimum security requirements. The CRA addresses essential aspects such as access protection, confidentiality, integrity, and availability throughout the entire development process. This article takes a look at the challenges and opportunities that the CRA presents for manufacturers and considers the possible role of the IEC 62443 international standard as a key player in this context.
Discover the future of cybersecurity for digital products in the Cyber Resilience Act (CRA) – clear guidelines, higher standards, and a groundbreaking strategy for a more secure digital age.
What is the CRA?
The Cyber Resilience Act (CRA) sets clear guidelines for manufacturers of digital products, who are now required to pursue a security-by-design strategy. In order to obtain the coveted CE marking, products that are subject to the CRA must meet minimum security requirements in the future. The legal text places particular emphasis on aspects such as access protection, confidentiality, integrity, and availability, which must be integrated into the entire development process. In addition, the CRA governs vulnerability management as well as the length of time that manufacturers are required to provide security updates.
The aim of the CRA is to strengthen trust in the digital infrastructure of the European Union and to increase the competitiveness of European companies on a global level. As an EU act, it does not require national implementation and is expected to come into force across the EU from 2024.
As an international standard, IEC 62443 plays a key role because it covers both the required secure development process and the technical requirements for products and systems. Due to this uniform coverage, IEC 62443 could serve as a promising basis for a harmonized CRA standard. To meet vulnerability management requirements, a standardized software bill of materials (SBOM) is required for all products. This comprehensive overview of all software components is essential. In addition, known vulnerabilities must be recorded in digital format, e.g., by the Common Vulnerability Scoring System (CVSS).
Who does this affect?
The Cyber Resilience Act (CRA) is an EU law that affects all products with digital elements that have communication capabilities. The CRA covers both hardware and software and is based on the New Legislative Framework. The Act sets binding requirements that must be met when placing products on the market. Products that meet these rules carry a CE marking.
Conversely, this means that non-compliant products are not allowed to be placed on the market. Furthermore, the supplier must withdraw from the market any existing products that do not meet the cybersecurity requirements.
What does this mean for manufacturers?
As part of the secure development process, manufacturers must actively scrutinize their products for vulnerabilities and also rectify them immediately. Security updates should be provided free of charge and cover a period of five years. The CRA also introduces additional reporting obligations: Manufacturers must notify the European Union Agency for Cybersecurity (ENISA) immediately if they become aware of actively exploited vulnerabilities or attacks on their products that can jeopardize security, e.g., through manipulation of download areas.
Prior to market launch, the manufacturer must ensure that their product conforms to the prescribed standards. Assessment is based on the classification of the product with regard to its criticality. This requires compliance with European standards or testing by an authorized institution. The main focus here is on critical infrastructures in industry. In this context, manufacturers can expect to apply harmonized standards and/or to work with an approved institution.
What does this mean for users?
The CRA enables users to benefit from products that meet higher cybersecurity standards and pose fewer risks from hackers, security vulnerabilities, or other threats. Such products must carry the CE marking, which demonstrates their conformity with the new requirements.
Manufacturers are also required to maintain the products throughout their entire lifecycle and to provide automatic security updates. Users can therefore rely on the cybersecurity guarantees of CE-marked products.
Cybersecurity is no longer an option, but a necessity
Manufacturers are faced with the challenge of ensuring a secure development process and implementing comprehensive security measures ahead of market launch. This involves additional effort that can impact resources and production times. The new legislation promises considerable advantages for end users, as it raises the security level and significantly reduces cybersecurity risks. Nevertheless, it is worth facing up to these challenges, as non-compliance can lead to authorities demanding product improvements or recalls and imposing fines of up to 15 million euros or 2.5% of global annual revenue.
But there is hope, because the fundamental requirements defined by the CRA are covered by the secure development process in accordance with IEC 62443-4-1 together with the functional specifications in accordance with IEC 62443-4-2. It is therefore recommended that the IEC 62443 standard be implemented.
At Phoenix Contact, we adopt a comprehensive 360° approach to security which integrates secure products as a central element. Secure products are developed in accordance with the standards of IEC 62443-4-1, while also satisfying the requirements for security functions in accordance with IEC 62443-4-2. The Product Security Incident Response Team (PSIRT) is responsible for the effective handling of vulnerabilities.
This strategy has meant that Phoenix Contact is well positioned to meet the new legal requirements. In addition, we offer our customers secure application solutions and services. Independent certification by TÜV SÜD demonstrates our compliance with the cybersecurity processes in accordance with IEC 62443.