
The EU's Cyber Resilience Act (CRA) Seeks to Increase Vendor Liability

Did you know? The EU's Cyber Resilience Act (CRA) seeks to increase vendor liability in the face of rising cyber threats.

In today's blog, our ethical hackers dive into how the CRA aims to hold tech manufacturers accountable in 2024 and beyond. Let's get started:

The Problem of Cybersecurity Vendor Liability

Our increased dependence on technology makes the stakes of a cyber breach extremely high. The sky-high costs of ransomware attacks, operational downtime, reputational damage, and even loss of human life are some of the risks organizations face. According to the "2023 Cost of a Data Breach" report conducted by the Ponemon Institute and published by IBM Security, the global average cost of a data breach was $4.45 million. This represents a 2.3% increase from the 2022 cost of $4.35 million and a significant 15.3% increase from the average cost reported in 2020, which was $3.86 million. Many SMEs face insolvency after a cyberattack.

The highly competitive technology market, which rewards product vendors who innovate over those who focus on security, is also a contributing factor to the cyber crisis. Very little legal accountability can be enforced upon software and hardware creators who release exploitable products to market and fail to patch them when vulnerabilities become publicly known. Buyer-beware license agreements typically force SMEs and consumers to waive all rights to financial remediation for defective digital products. Large corporations have more leverage to demand consequential vendor liability, but many businesses do not have the resources to negotiate this type of contract.

The EU has recognized the problem this lack of liability creates and is currently planning the new Cyber Resilience Act to provide refuge from the storm created by insecure products.

A Brief Introduction to the Cyber Resilience Act (CRA)

Introduced in September 2022, the Cyber Resilience Act (CRA) is an EU legislative proposal closing in on adoption, as a political agreement was reached on November 30, 2023. The CRA aims to standardize cybersecurity for digital products marketed in the EU and is considered groundbreaking regulation by many in the tech industry. The Act will legally require hardware and software products to maintain adequate cybersecurity throughout the product lifecycle.

The CRA does not apply to medical devices, motor vehicles, or military hardware. However, it will apply to virtually all other forms of digital products, including end devices (laptops, smartphones, desktops), networking appliances (routers, switches, industrial control systems), IoT devices (smart cards, smart meters, smart speakers, other sensors and cameras), software (operating systems, apps, firmware, games), and components of both hardware and software (CPUs, video cards, open and closed source software libraries).

Obligations Of Manufacturers Under the CRA

The term "manufacturer" is used in the CRA to refer to any individual or entity that develops, manufactures, or sells digital products under their own brand. The responsibilities imposed on manufacturers highlight the need for increased emphasis on digital risk assessment, classification of products based on cybersecurity risk, and continuous monitoring and updating of products when new risks are uncovered.

Under the CRA, manufacturers must:

  • Employ Essential Cybersecurity Best Practices: Manufacturers must design, develop, and produce their products in accordance with the essential cybersecurity requirements set out in the CRA. This means that from the initial stages of conception through to final production, cybersecurity must be a core consideration. Manufacturers need to assess the potential cybersecurity risks and ensure that the product's security measures are sufficient to mitigate these risks.

  • Test Product Cybersecurity Resilience: At the time of delivery, the product should not have any known vulnerabilities that could be exploited. Manufacturers are expected to conduct thorough testing and reviews to identify and rectify any such vulnerabilities before the product reaches the market.

  • Critical Products Must Meet Increased Requirements: Products may be classified as "Class I Critical Products" or "Class II Critical Products", for which additional assessment is necessary. Manufacturers of Class I products can opt to conduct this assessment themselves, using harmonized standards, common specifications, or certification schemes as outlined in the Cybersecurity Act. If they do not wish to perform the assessment themselves, third-party conformity assessment becomes mandatory. For products classified under Class II, which are considered to carry a higher level of risk, manufacturers are required to undergo a mandatory third-party conformity assessment.

  • Remediate Discovered Vulnerabilities: Manufacturers will be required to establish policies and procedures, including those for coordinated vulnerability disclosure, for rectifying discovered vulnerabilities in their products even after the product has been marketed. To ensure compliance with these post-market obligations, a framework for market surveillance will be implemented to monitor and enforce the ongoing management of cybersecurity risks by manufacturers and to ensure a continuous commitment to product security.

  • Report Discovered and Exploited Vulnerabilities: In cases where a product is found to have an actively exploited vulnerability, or if an incident impacts the product's security, manufacturers are required to promptly notify the European Union Agency for Cybersecurity (ENISA). This notification must be made within 24 hours of the moment the issue is identified. Additionally, when manufacturers identify a vulnerability within a component of their product, they are obligated to report this vulnerability directly to the individual or organization responsible for maintaining that component. ENISA shall compile a biennial technical report summarizing the nature and impact of reported vulnerabilities and incidents.

  • Formally Declare Conformity: Manufacturers are tasked with drawing up an "EU declaration of conformity" and affixing a CE (Conformité Européenne) marking on the product.

Next Steps Towards CRA Adoption

Here is the expected timeline for CRA adoption and enforcement:

  • Finalization: The CRA's text is currently being finalized in technical meetings.

  • Adoption: The finalized text will likely be adopted by the European Parliament and the Council by April 2024.

  • Publication: Following adoption, the text is likely to be published in the Official Journal of the European Union, possibly by June 2024.

  • Implementation Timeline: The CRA's rules are anticipated to become applicable three years after the act enters into force, which is expected to place that date in spring or early summer of 2027.

Conclusion

The European Union's Cyber Resilience Act (CRA) represents a significant shift in cybersecurity regulation, aiming to increase vendor liability for the security of digital products by formalizing new standards for digital product security within the EU. The CRA mandates that manufacturers, defined broadly as entities that develop, manufacture, or sell digital products under their own brand, adhere to strict cybersecurity practices.

Products must be delivered to the market free from known vulnerabilities and built in accordance with essential cybersecurity best practices. Manufacturers must also maintain the security of the product throughout its lifecycle. Critical products are subject to even more stringent requirements. The CRA also requires prompt reporting of any vulnerabilities or security incidents to ENISA, which will document them and produce annual summary reports.

Packetlabs can assist companies in identifying gaps in their security posture and provide the necessary tools, services, and expertise to ensure that they are meeting regulatory requirements like the CRA. Taking preventive measures such as conducting penetration tests and implementing security solutions can drastically improve the chances of a successful cyber insurance application. Reach out today to take the first step.
