On Thursday night, the EU Commission, Parliament, and Council made major progress on moving the European Cyber Resilience Act (CRA) one step closer to reality. They reached agreement on some major sticking points around the submission of vulnerability reports, the duration of a manufacturer's responsibility for security updates, and how certification will be shown.
With the EU CRA edging ever closer to law, it's past time to look at its implications for connected device manufacturers, both within the EU's borders and beyond. Through the CRA, the EU has signaled a crackdown on cyber threats: the Act pairs a broad reach and heavy fines with a zero-tolerance approach to vulnerability management and reporting.
Could the EU's new rule change everything for software devs and device manufacturers? Does it go too far?
Despite its considerable length (over 100 pages), the CRA, as it applies to connected device security, boils down to four key points:
The EU Cyber Resilience Act, proposed by the European Commission in September 2022, seeks to harmonize product security practices across the EU. Its objectives include enhancing preparedness, promoting cooperation, encouraging information sharing, and ensuring resilience in member states' cyber defenses.
The CRA seeks to improve the security of IoT devices by establishing minimum cybersecurity standards and mandating ongoing updates for products in use within the borders of the European Union.
The impetus behind the CRA originated with the 2020 update to the EU Cybersecurity Strategy. The CRA is intended to work in concert with the EU Cybersecurity Act and the NIS2 Directive.
The CRA will require manufacturers and distributors to disclose vulnerabilities within their products. The Act also creates new liability rules for security incidents.
Many claim that complying with the CRA will be costly, counter-productive, and just plain excruciating. They're probably right.
Let's dive into each key facet of how the CRA will impact you:
The CRA means new requirements across the development lifecycle that will apply to any connected product "placed on the EU market." Also, once a product is sold, the manufacturer's responsibilities under the Act continue for a support period of up to five years. Even if you're not targeting European markets, if your product finds its way onto the EU market, for example through an importer or distributor, it falls within the CRA's scope and you're required to comply.
Among its proposals, the CRA also requires products "not [to] be shipped with any exploitable vulnerabilities" (clause 2). This proposal would mean that all known exploitable vulnerabilities, even those that represent low risk, would need to be fully remediated before shipping, or a company would risk litigation and fines. In practice, this requirement could mean costly re-contracting with different hardware vendors and/or rewriting low-level firmware from scratch, which would require a significant level of effort from software development teams. Companies need to focus now on remediating known vulnerabilities, including those that become known between now and the date of the first shipment (and before each shipment thereafter).
Manufacturers must report all actively exploited vulnerabilities to national authorities and to ENISA, the EU's cybersecurity agency, no more than 24 hours after becoming aware of them. Beyond the compliance burden and potential liability this creates, more than 50 leaders in the cybersecurity community came together in October to point out that a database of real-time, unresolved vulnerabilities could serve as a treasure trove for cybercriminals, or even for government agencies seeking to exploit those vulnerabilities before they are patched.
Current proposals for the EU CRA outline fines of up to €15 million or 2.5% of a company's total worldwide annual turnover, whichever is higher, for non-compliance. Failure to comply could also result in connected devices being removed from the market, recalled, and not made available again until they are fixed.
Proposals within the CRA would make software developers, including open-source developers, liable for their software, which could saddle the open-source development and maintenance process with enough liability to threaten the open-source community outright. That provision has drawn sharp criticism from multiple industry bodies, including Linux Foundation Europe, the Open Source Initiative, and the Eclipse Foundation, which predicted a "chilling effect" on open-source development.
It's hard to miss that the CRA also offers clear benefits to software security: promoting transparency around vulnerabilities and hastening their mitigation and remediation. Even outside the EU, many manufacturers are likely to apply the CRA's standards to their products and the Act will likely result in a greater degree of risk-assessed, secure-by-design connected devices that will buoy consumer confidence regarding cybersecurity and the protection of information.
That said, more care should be taken over the unintended consequences the legislation, in its current form, may bring. Can connected device manufacturers, many of them outside the EU's borders, shoulder the considerable responsibilities thrust upon them by the required management, reporting, and patching of newly surfaced vulnerabilities? Does the transparency promised by the mandated 24-hour reporting window for actively exploited vulnerabilities outweigh the security risk of concentrating unpatched vulnerabilities in one place?
Do the benefits that the EU CRA promises outweigh the burdens and risks that the legislation threatens?
These are discussions that should be encouraged while the regulation and its implications are still being considered, rather than as after-the-fact fixes aimed at repairing damage. While sufficient flexibility should be maintained to allow for the agile development and deployment of new technologies, we must also ensure that robust cybersecurity measures, and the right ones, are in place.
Like a train in a tunnel, the CRA is coming. While the European Commission finalizes the wording of the final Act, stakeholders will likely have up to 36 months to adapt to the new requirements, although initial indications suggest that reporting obligations imposed on manufacturers will likely become mandatory much sooner, possibly after just 12 months.
The time to prepare is now.