EU CYBER RESILIENCE ACT FOR IOT PRODUCTS

The Cyber Resilience Act, a regulation proposed by the European Commission, is set to revolutionize the cybersecurity landscape for IoT devices within the European Market. Download a summary of the CRA and learn how to build a CRA-compliant IoT security architecture.

 


Simplify compliance: Download the full Summary of the CRA

CYBER RESILIENCE ACT AT A GLANCE

The CRA affects all products with digital elements within the European Union, such as IoT devices, Smart Home applications, and more.

In case of non-compliance, fines of up to €15 million or 2.5% of global turnover, product recalls, and denial of CE certification may be imposed.

Affected products with digital elements are divided into four categories according to their associated cybersecurity risk.

CYBER RESILIENCE ACT TIMELINE


WHICH PRODUCTS ARE AFFECTED BY THE CRA?

The Cyber Resilience Act applies to products with digital elements, in other words, IoT products. The Cyber Resilience Act divides IoT products into four categories, depending on the intended use and type of product.

The "default category" is not named as such in the regulation, but it covers all products with digital elements that are not classified as important or critical. 90% of all IoT products will fall into the "default category". Products with digital elements that pose higher cybersecurity risks are classified as either "Important Class 1" or "Important Class 2". Products with the highest criticality fall into the category "Critical".


HOW TO COMPLY WITH THE CYBER RESILIENCE ACT?

Conduct Cybersecurity Risk Assessment

The journey to CRA compliance starts with a detailed cybersecurity risk assessment of your IoT products. This gives manufacturers a detailed overview of the cybersecurity risks affecting their IoT products and of their current IoT security posture. At a minimum, the cybersecurity risk assessment should comprise an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use of the product with digital elements, as well as its conditions of use, such as the operational environment or the assets to be protected, taking into account the expected product lifetime.

Provide Product Documentation

Manufacturers of IoT products must fulfill the following mandatory documentation requirements and provide the documentation to their customers.
All documentation must be retained for 10 years or for the duration of the support period, whichever is longer, after the product is placed on the market:

1. Technical Product Documentation
2. EU Declaration of Conformity
3. User Information & Instructions

 


Compliance with 13 Essential Cybersecurity Requirements

The essential cybersecurity requirements cover different properties that products with digital elements need to fulfil according to the level of risk identified in the cybersecurity risk assessment. They cover the following topics:

1. Integrity Protection
2. Vulnerability Mitigation
3. Security by Default
4. Vulnerability Remediation
5. Unauthorized Access Protection
6. Confidentiality Protection
7. Data Minimization
8. Availability Protection
9. Minimize Negative Impact
10. Attack Surface Reduction
11. Incident Impact Reduction
12. Security Information Provision
13. Secure Data Removal


Compliance with 8 Vulnerability Handling & Reporting Requirements

Manufacturers must handle and report any identified risks, vulnerabilities, and incidents associated with their IoT products. The reporting requirements aim to strengthen cybersecurity measures and enable coordinated responses to vulnerabilities and incidents.

1. Identify Vulnerabilities & Components
2. Remediate Vulnerabilities
3. Apply Effective and Regular Tests
4. Publicly Disclose Information about Fixed Vulnerabilities
5. Disclose Vulnerabilities
6. Share Insights on Potential Vulnerabilities
7. Securely Distribute Updates for Products
8. Disseminate Security Patches or Updates for Free


HOW TO BUILD A CRA COMPLIANT IOT SECURITY ARCHITECTURE?

Building a Cyber Resilience Act compliant IoT security architecture requires organizations to consider security throughout the whole lifecycle of an IoT product, which means applying security-by-design principles from development through end of support. Start by implementing strong data protection through encryption and integrity checks, safeguarding data both at rest and in transit. Enable secure over-the-air (OTA) updates and implement secure certificate lifecycle management for authenticating devices and establishing secure communications. Access management is equally crucial: use multi-factor authentication, role-based access control, and secure identity management to limit device access. Finally, incorporate regular security testing, vulnerability management, and incident response mechanisms to maintain resilience against evolving threats while complying with the CRA's requirements.
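The paragraph above names integrity checks and secure OTA updates as building blocks of a CRA-compliant architecture. The following Go program is an added example, not code from the original page or from any vendor, showing what a device-side update agent has to check before it installs an image: the manifest's Ed25519 signature (authenticity), the SHA-256 of the image against the digest in the manifest (integrity), and a strictly increasing version number so that an attacker cannot push a device back to an older firmware with known vulnerabilities (anti-rollback). The manifest layout, the field names and the `SignManifest` helper are assumptions made for this example; in practice the signing step lives in the vendor's build pipeline and only the public key is embedded in the device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor delivered next to the firmware
// image. The signature covers Version || ImageHash, so both fields are
// authenticated before the device acts on either of them.
type Manifest struct {
	Version   uint32   // monotonically increasing firmware version
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over signedBytes()
}

// signedBytes serializes the authenticated fields in a fixed, unambiguous layout.
func (m *Manifest) signedBytes() []byte {
	buf := make([]byte, 4, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.ImageHash[:]...)
}

// SignManifest models the vendor's build pipeline (assumed for this example);
// it is included only so the program is self-contained.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed version")
	ErrHashMismatch = errors.New("image hash does not match manifest")
)

// VerifyUpdate is the device-side check. The signature is verified first so
// that no other manifest field is trusted before its origin is established.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	// The digest is public data, so a constant-time compare is not required here.
	h := sha256.Sum256(image)
	if !bytes.Equal(h[:], m.ImageHash[:]) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed sample: a fresh key pair and a fake firmware image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2")
	m := SignManifest(priv, 2, image)

	fmt.Println("valid update:     ", VerifyUpdate(pub, 1, m, image))
	fmt.Println("rollback attempt: ", VerifyUpdate(pub, 2, m, image))
	fmt.Println("tampered image:   ", VerifyUpdate(pub, 1, m, []byte("tampered")))
	m.Signature[0] ^= 0xff
	fmt.Println("forged manifest:  ", VerifyUpdate(pub, 1, m, image))
}
```

The order of the checks is deliberate: a manifest whose signature does not verify is rejected before its version or digest is read, and the version comparison uses the installed version as the floor, which is what ties the update path to the CRA's vulnerability remediation requirement, since a fixed vulnerability stays fixed only if the device refuses to go backwards.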


FAQ

What is the Cyber Resilience Act in the EU?

The Cyber Resilience Act is a regulation adopted by the European Union that applies to all products with digital elements and introduces specific cybersecurity requirements for them.

When will the CRA come into force?

Following the press release of the Council of the EU on 10 October 2024, the timeline is as follows: by August 2026, all reporting requirements will come into force; by December 2027, the full CRA will be in force.

Are there any exceptions for the CRA?

Products with digital elements that are already covered by one of the following regulations are excluded from the scope of the CRA:

  • Professional medical devices covered by regulations (EU) 2017/745 and (EU) 2017/746;
  • Motor vehicles and their trailers, and their systems, components and separate technical units, covered by regulation (EU) 2019/2144;
  • Civil aviation systems and marine equipment, governed by regulations (EU) 2018/1139 and 2014/90/EU respectively;
  • Digital elements developed or modified exclusively for military or national defense purposes.

What are the consequences of non-compliance?

The consequences of non-compliance with the CRA are fines of up to €15 million or 2.5% of global turnover, product recalls, or denial of CE certification.

WHAT TO EXPECT

  • Get an extensive overview of the requirements of the CRA

  • Find out how your IoT products are categorized

  • Learn how to build a CRA compliant IoT security architecture

  • Receive our expert guidance in building a CRA compliant security architecture
