
Cyber Resilience Act: EU enhances cyber resilience of hardware and software

On average, a European owns 17 networked devices. The digital transformation is also gaining momentum in industry. If IT and OT solutions were to be compromised by cyber criminals, the consequences could be severe. By agreeing on the EU Cyber Resilience Act, the European Union is the first region in the world to introduce binding requirements for the cybersecurity of products. Manufacturers now have until 2027 to implement the new requirements.

Smart Home, Smart Mobility and Industry 4.0: from everyday life to mobility to production in factories, more and more areas of our daily lives are becoming smarter, i.e. more digital and thus more connected. According to current estimates, the number of connected devices worldwide is set to rise to around 29 billion by 2030. By comparison, there were just under nine billion networked objects in 2019. The progressive spread of digital technologies creates a multitude of new opportunities, both for private and commercial users. However, digitalisation also brings with it numerous challenges in terms of security and data protection.

Cyber security for connected devices

More and more home appliances, such as refrigerators and televisions, are connected to the internet, making them "smart". This, however, also exposes them to threats from cyberspace. These risks can be countered by targeted technical, regulatory and behavioural measures. German companies are already investing in the cybersecurity of the products they develop, their internal processes, the people they employ and the services they offer. Nevertheless, one hundred percent cybersecurity can be neither achieved nor guaranteed, as the threat landscape changes continuously.

For companies, coherent regulatory requirements are essential: only then can they develop and market products that meet those requirements and fulfil risk-based cybersecurity standards. The Federation of German Industries (BDI), together with the German standardisation organisations (DIN and DKE) and the industry associations Bitkom, VDMA and ZVEI, has therefore advocated horizontal cybersecurity requirements based on the principles of the New Legislative Framework, the regulatory framework for European product legislation.

Agreement reached: Cyber Resilience Act comes into force in 2024

In light of the advancing digital transformation of private households and industry and the constantly rising number of cyberthreats, the European Commission announced the Cyber Resilience Act in 2021 and presented its proposal in September 2022. The Cyber Resilience Act introduces mandatory cybersecurity requirements for all products with digital elements. In addition, it requires manufacturers of these products to implement a vulnerability handling process. The combination of cybersecurity requirements and vulnerability handling is intended to strengthen the cyber resilience of products across their entire lifecycle: from design and production to placing on the market and operation.

European legislators in the Council and Parliament agreed on a joint text for the Cyber Resilience Act in December 2023. This text is currently being translated into all official EU languages and is then to be adopted by the newly elected Parliament under the corrigendum procedure at the end of 2024.

BDI supports Cyber Resilience Act - Companies must initiate implementation

German industry supports the European Union (EU) in its efforts to strengthen Europe's cyber resilience holistically by introducing cybersecurity requirements for all products with digital elements. The Cyber Resilience Act will also assist critical infrastructure operators and the essential and important entities covered by the NIS 2 Directive in implementing the risk management measures that directive requires.

The legislative text that has now been passed demands a great deal from manufacturing companies, as they must implement the CRA's far-reaching requirements within three years. At the same time, cyber-resilient products will particularly benefit those companies that have to implement the cybersecurity requirements of the NIS 2 Directive: if only cyber-resilient hardware and software are available on the European market, implementing risk management measures becomes considerably easier.