Better and more secure IoT in Europe will arise thanks to the European Cyber Resilience Act
On September 15, 2022, the European Commission published a proposal for a future “Cyber Resilience Act (CRA),” which aims at setting common cybersecurity standards for connected devices and services.
The project is part of the EU vision, supported by Ursula von der Leyen, European Commission President, and Thierry Breton, Commissioner for the Internal Market, with the objective of building a stronger Europe when it comes to dealing with cyberthreats and cybercrime. The proponents of the project state that cybercrime in Europe represented a EUR 5.5 trillion impact in 2021. The most important aspect of the new proposed CRA regulation is that it expressly focuses on digital products and connected services, in other words, the world of IoT and connected objects!
The proposed regulation will cover hardware and software products, throughout their whole lifecycle. Cybersecurity takes into account planning, design, development, production, delivery and maintenance phases. The proposed CRA regulation makes manufacturers accountable as they will be required to document all cybersecurity risks. They will be under the obligation to report vulnerabilities, exploits and incidents, to set up policies to handle all vulnerabilities during the whole product lifecycle, to provide clear instructions to users and integrators, and to deliver security updates for at least five years.
The proposed Act describes different levels of security requirements: “default category,” “critical class I” and “critical class II.” The criticality of hardware and software products is assessed based on their functionality, their intended use and other criteria, including the potential impact of cybersecurity issues. IoT devices that embed an MCU are considered critical products, class I.
Even if this is just the beginning of a process, and not all details are defined yet, Trusted Objects welcomes this announcement as a significant milestone in developing a better, safer and more resilient Europe as well as providing support for the European IoT-oriented security industry. The requirements of the Cyber Resilience Act translate into concrete actions that are fully consistent with Trusted Objects' mission: protect, detect and securely manage IoT devices.
The CRA project is a draft document proposed by the European Commission, which means it will have to go through the entire EU decision process involving the European Parliament and the European Council. The whole industry will keep on paying attention to this topic.
We encourage you to stay tuned; should you have any questions about CRA compliance, do not hesitate to contact Trusted Objects.