EU: The new Cyber Resilience Act
The Cyber Resilience Act (CRA) is a legislative proposal from the European Commission that introduces baseline cybersecurity requirements for "products with digital elements", that is, hardware and software products (and their remote data processing solutions) placed on the EU market. Its aim is to make those products more secure and reliable, and it sets out the guiding principles for developing them with the entire product lifecycle in mind, from design through to the end of security support.
How serious is this? Well, this new law is something that software makers should definitely be focusing on already, since choosing not to comply may result in painful financial consequences and could even harm their hard-earned reputations.
Furthermore, these new security regulations for software development companies will affect the entire western world one way or another, so this is not just a regional political change. For instance, the Biden administration has just released its National Cybersecurity Strategy (March 2023), and while it differs from the CRA in its details, its goals are quite similar. Australia is also considering comparable changes to its cybersecurity strategy.
Plus, UK-based vendors will have to comply with the new act as well, despite the UK no longer being a member state of the European Union: the CRA applies to any product with digital elements placed on the EU market, wherever its manufacturer is based. The UK has not adopted NIS2 (it retains its own NIS Regulations 2018), but it is moving in the same direction with the Product Security and Telecommunications Infrastructure Act 2022, which sets security requirements for consumer connectable products.
Cyber Resilience Act — the reasons why
Digital products (both hardware and software) are increasingly exposed to cyberattacks. According to the European Council, the estimated global annual cost of cybercrime reached €5.5 trillion in 2021. The Commission's impact assessment identifies two underlying problems: a low level of cybersecurity in products, reflected in widespread vulnerabilities and in security updates that are provided inconsistently or not at all; and users' limited knowledge of, and access to, information about product security, which makes it hard for them to choose and operate products securely.
That's why something needs to be done to create a European cyber ecosystem that is safe for all of its citizens, however well or poorly they understand digital security.
Cyber Resilience Act — the goals
Law-makers have outlined two general and four specific objectives for the Cyber Resilience Act. The general objectives both serve the proper functioning of the internal market (the regulation's legal basis is Article 114 TFEU): to create the conditions for developing secure products with digital elements, so that hardware and software reach the market with fewer vulnerabilities and manufacturers take security seriously throughout the product lifecycle, and to create the conditions for users to take cybersecurity into account when selecting and using such products. The four specific objectives are: (1) ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole lifecycle; (2) ensure a coherent cybersecurity framework that makes compliance easier for hardware and software producers; (3) enhance the transparency of the security properties of these products; and (4) enable businesses and consumers to use them securely. So this is about much more than secure coding: it covers design, update and support processes, documentation and user information.
That’s it for the general background of the new law. Now it’s time for the particulars.
Cyber Resilience Act — key takeaways
First and foremost, unlike the American National Cybersecurity Strategy, the CRA is designed to make everyone comply, whether you're a small or a large software development company, and not only "manufacturers and software publishers with market powers". So, as long as you place products with digital elements on the European market, you will have to take this seriously and adhere to the requirements. A few caveats are worth knowing: the proposal leaves out products already covered by sector-specific rules (medical devices, civil aviation, motor vehicles) and free and open-source software developed or supplied outside a commercial activity; and for most products, conformity is demonstrated by the manufacturer's own assessment, with third-party assessment reserved for the "critical" product classes listed in Annex III. Even so, for software producers this is a genuine change.
Cybersecurity will now become a crucial part of every phase of the software development process, from planning to maintenance. The essential requirements in Annex I of the proposal include delivering the product in a secure-by-default configuration, protecting it against unauthorised access (authentication, identity and access management), protecting the confidentiality and integrity of stored and transmitted data, data minimisation, limiting attack surfaces, producing security-relevant logs, and providing a mechanism for secure updates. So, even if you plan to build a very basic product, you should take these requirements into consideration from the very beginning.
Plus, there must be processes in place for handling vulnerabilities and incidents. Under the proposal, a manufacturer has to notify ENISA (the EU Agency for Cybersecurity) within 24 hours of becoming aware of an actively exploited vulnerability in the product, or of an incident affecting its security; it is the national market surveillance authorities, not ENISA, that enforce the act day to day. The vulnerability handling requirements in Annex I also oblige manufacturers to identify and document the components in the product (including by drawing up a software bill of materials), remediate vulnerabilities without delay through security updates, test the product's security regularly, publicly disclose information about fixed vulnerabilities once an update is available, have a coordinated vulnerability disclosure policy and a contact point for reports, and distribute updates securely. In effect, every manufacturer will be required by law to monitor and mitigate vulnerabilities for the product's expected lifetime or for five years from placing it on the market, whichever is shorter.
There's also something that every user can benefit from directly: manufacturers will be obliged to provide the information and instructions listed in Annex II, including the point of contact for reporting vulnerabilities, how long security support will be provided, and clear instructions on how to securely install, configure, use, update and eventually decommission a given device or piece of software.
OK, but what if a company doesn't comply with the new regulations? Can the authorities actually put pressure on organisations to make the necessary changes? Yes, and it could be financially painful: breaching the essential requirements or the manufacturer's core obligations can draw administrative fines of up to €15 million or 2.5% of worldwide annual turnover for the preceding financial year, whichever is higher, with lower tiers (€10 million or 2%, and €5 million or 1% for supplying incorrect information to authorities) for other breaches. Market surveillance authorities can also require that a non-compliant product be brought into compliance, withdrawn from the market or recalled.
Of course, every new and somewhat revolutionary law brings controversy and doubt. Here, one doubt concerns the Annex I requirement to "protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks": read literally, this asks developers to make software resilient against unspecified denial of service attacks, which is virtually impossible to guarantee. So, I think that we can expect this point to be clarified or changed later on, since otherwise it may just become a dead letter.
Another significant consequence of the CRA is that customers will no longer serve as beta testers of products or services, since manufacturers will be obliged to release products only "without any known exploitable vulnerabilities" (Annex I). Note the wording: it does not demand software free of all vulnerabilities, which nobody can promise, but it does rule out shipping with a vulnerability you already know can be exploited.
Plus, since the CRA is still a living document, and the harmonised standards that will spell out how to meet its requirements are yet to come, we cannot prepare for it in every detail. Under the proposal, the bulk of the obligations apply 24 months after the regulation enters into force, while the reporting obligations apply after 12 months. The act is likely to enter into force in 2025, which would make the main requirements mandatory in 2027.
What you can do now
Although no one can really know all the technicalities of a law that is still being shaped, there are some things that you can do right away, without waiting until the last minute:
- Hire cybersecurity specialists who will become an integral part of your team. They will guide you through any changes and help you build products that are compliant with best practices and state-of-the-art solutions.
- Begin working with an experienced IT partner that understands the significance of security, such as Future Processing. This is a good option, especially for mid-sized and larger companies that need a variety of services, from consulting and audits to designing and implementing changes. An IT partner with a proactive approach will free up your internal resources and boost your efficiency, while allowing you to sleep soundly even in the most challenging periods.
- Read the CRA document yourself, follow changes and updates, listen to your specialists, raise it with the appropriate bodies if anything sounds irrational or impossible to implement, and... just go with the flow. This is yet another shift in reality that will eventually become part of our day-to-day, as was the case with the GDPR or NIS2 regulations.