{"id":12918,"date":"2023-11-26T16:28:00","date_gmt":"2023-11-26T14:28:00","guid":{"rendered":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/?p=12918"},"modified":"2024-03-28T21:57:18","modified_gmt":"2024-03-28T19:57:18","slug":"insights-for-the-upcoming-eu-cyber-resilience-act","status":"publish","type":"post","link":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/blog\/device-security\/insights-for-the-upcoming-eu-cyber-resilience-act\/","title":{"rendered":"Insights for the upcoming EU Cyber Resilience Act (CRA)"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1600\" height=\"840\" data-src=\"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-content\/uploads\/2024\/01\/BlogPicture_2023cra2.jpg\" alt=\"\" class=\"wp-image-13071 lazyload\" data-srcset=\"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-content\/uploads\/2024\/01\/BlogPicture_2023cra2.jpg 1600w, https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-content\/uploads\/2024\/01\/BlogPicture_2023cra2-300x158.jpg 300w, https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-content\/uploads\/2024\/01\/BlogPicture_2023cra2-768x403.jpg 768w, https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-content\/uploads\/2024\/01\/BlogPicture_2023cra2-1536x806.jpg 1536w, https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-content\/uploads\/2024\/01\/BlogPicture_2023cra2-1200x630.jpg 1200w\" data-sizes=\"(max-width: 1600px) 100vw, 1600px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1600px; --smush-placeholder-aspect-ratio: 1600\/840;\" \/><\/figure>\n\n\n\n<p>Since the EU CRA has created a lot of questions for device manufacturers, we held a seminar at the Teknologia fair and shared our knowledge regarding the matter. 
<br><br><strong>Watch the seminar video of the presentation from the fair or read the text version below.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio cookieconsent-optin-marketing\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Insights for the upcoming EU Cyber Resilience ACT (CRA) November 2023\" width=\"500\" height=\"281\" data-src=\"https:\/\/www.youtube.com\/embed\/h7zavi7TlDc?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" data-load-mode=\"1\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<div class=\"cookieconsent-optout-marketing\">\n    <a href=\"javascript:Cookiebot.renew()\" style=\"border-bottom:none;\"><img decoding=\"async\" data-src=\"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-content\/uploads\/2024\/03\/placeholder-cookies-vid.png\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" style=\"--smush-placeholder-width: 1920px; --smush-placeholder-aspect-ratio: 1920\/1080;\"><\/img><\/a>\n<\/div>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">EU Cyber Resilience Act overview and discussion&nbsp;<\/h2>\n\n\n\n<p>Hello! My name is Terry London. I\u2019ve been with Proekspert for around 16 years. 
And I am here to give you some new information about the upcoming EU CRA.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is the EU CRA?<\/h2>\n\n\n\n<p>The European Cyber Resilience Act is meant to unify cybersecurity rules for hardware and software products across the European Union. The problem it addresses is the fact that the number of connected devices is constantly growing, and, at the same time, attacks against those connected devices are growing as well \u2013 almost exponentially.&nbsp;<\/p>\n\n\n\n<p>The main goal here, for the EU, is to protect end users \u2013 to have easier-to-understand and up-to-date security on the devices users rely on. Also, the EU is trying to avoid a situation where each EU country creates its own rules, which would result in a mess in the entire market.&nbsp;<\/p>\n\n\n\n<p>We can also say that the CRA is meant to make product developers more responsible for their product security. It\u2019s not a bad thing at all. But there seems to be a lot of confusion among device manufacturers due to a lack of clear information about requirements and the release date.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/cyber-resilience-act\" target=\"_blank\" rel=\"noreferrer noopener\">Here is the link<\/a> to the draft document on the European Commission\u2019s web page. This is from September of last year. 
This is the only official source.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The current situation among device manufacturers&nbsp;<\/h2>\n\n\n\n<p>We have had lots of discussions about the CRA with our clients and other companies that manufacture industrial devices.<\/p>\n\n\n\n<p>Here\u2019s how we perceive the situation.\u202f&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Many companies are aware of the CRA \u2013 painfully aware.<\/li>\n\n\n\n<li>However, only some are developing hardware security functionalities for their devices.\u202f&nbsp;<\/li>\n\n\n\n<li>And only a very few are developing software infrastructure for their devices.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Their approach has been to wait until they see what the requirements are going to be.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Latest updates about the EU CRA<\/h2>\n\n\n\n<p>We didn\u2019t want to wait. And we did our research.&nbsp;<\/p>\n\n\n\n<p>We went straight to the source at the European Commission. And here is our interview with a Cyber and Digital Affairs Councilor. Get the link with the QR code, or find the video on our web page, Proekspert.com.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">New insights about the EU CRA<\/h2>\n\n\n\n<p>Here is what we learned from the interview:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Despite the hesitation that surrounded the draft half a year ago, the act will probably be\u202f<strong>released in the spring of 2024<\/strong>. Of course, there will be a\u202ftransition time of three years. After three years, companies that release certain critical products must start certifying their products.&nbsp;<\/li>\n\n\n\n<li><strong>Vulnerability reporting<\/strong> &#8211; After two years, companies must start reporting known vulnerabilities in their software and hardware products.&nbsp;<\/li>\n\n\n\n<li>One big question was whether the requirements apply to already existing products, as well. The answer is no. 
The CRA will apply only to new products released after the transition period.&nbsp;<\/li>\n\n\n\n<li>We also know that some new types of <strong>products won&#8217;t be covered<\/strong>. These are SaaS and open-source software (and also automotive and medical devices, as was already known).&nbsp;<\/li>\n\n\n\n<li>Finally, we got some updates on how products will be divided into categories by <strong>criticality levels<\/strong>.&nbsp;<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Criticality levels and certification requirements<\/h2>\n\n\n\n<p>This is a rough simplification, but we can say that the CRA divides hardware and software products into three different criticality levels. Each level has its own assessment requirement.\u202f&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Common products<\/strong> like smart home devices require only in-house\u202f<strong>self-assessments<\/strong> by manufacturers.&nbsp;<\/li>\n\n\n\n<li><strong>Critical products<\/strong>\u202flike microcontrollers and general-purpose operating systems <strong>require\u202fthird party validation<\/strong>.&nbsp;<\/li>\n\n\n\n<li>The third group is called\u202f<strong>highly critical products<\/strong>. These products <strong>require\u202fcertification<\/strong>\u202fby authorized certification service providers. 
Examples of such products are smart cards and hardware devices with security boxes (something similar to what we demonstrated in our booth at the Teknologia fair).&nbsp;<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Requirements for device manufacturers<\/h2>\n\n\n\n<p>Here are the very general requirements that device manufacturers face.&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Get products certified<\/strong>&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>Self-assessment&nbsp;<\/li>\n\n\n\n<li>Third party validation&nbsp;<\/li>\n\n\n\n<li>Certification&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Compile software Bills of Materials (SBOM)<\/strong>&nbsp;\n<ul class=\"wp-block-list\">\n<li>Define software suppliers&nbsp;<\/li>\n\n\n\n<li>Define who is responsible for which software modules and software lifetime stages&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Ensure secure software updates<\/strong>\n<ul class=\"wp-block-list\">\n<li>Define the intended purpose and requirements of products&nbsp;<\/li>\n\n\n\n<li>Provide security updates over the product\u2019s lifetime&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Report product vulnerabilities<\/strong> \u2013 the details behind this are unclear<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Our suggestions today<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>For certification audits<\/strong>. Even if we don\u2019t know exactly how the certification and third party validation is going to be officially organized, you can start with simple things. Map and document your product functionalities, because internal auditing is the main part of preparing for certifications anyway, and it is always a relatively time-consuming process. 
This will help you be more prepared when the CRA requirements are officially released.&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>For SBOM<\/strong>&nbsp;\n<ul class=\"wp-block-list\">\n<li>Go through your third party software packages and document what you have and who supports these with new updates.&nbsp;<\/li>\n\n\n\n<li>Define who is responsible for your different software modules across different product development stages.&nbsp;<\/li>\n\n\n\n<li>Use modern software development principles and tools. Maintain code repositories that help keep a product\u2019s technical documentation up to date.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>For security updates<\/strong>&nbsp;\n<ul class=\"wp-block-list\">\n<li>Review the risks you must protect your devices against. This gives you an understanding of what security measures to prepare.&nbsp;<\/li>\n\n\n\n<li>Plan how you will provide security updates. Will they be delivered remotely over the air (OTA) or within a local network, for example? Then you\u2019ll know what technology you need for securing your devices.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Additional recommendations<\/strong>&nbsp;\n<ul class=\"wp-block-list\">\n<li>What we know is that the EU cares about the competitiveness of SMEs. 
They plan to release special support programs for SMEs, including sandboxes to test your products with regards to the CRA.&nbsp;<\/li>\n\n\n\n<li>Plan ahead on how to prepare for the EU CRA.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">How can Proekspert help?<\/h2>\n\n\n\n<p>Consulting \u2013 We are up to date on the CRA and have been building software solutions for 30 years.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>SFWU solution &#8211; A solution for high-level device security on an embedded level.&nbsp;<\/li>\n\n\n\n<li>Device Identity Management infrastructure (PKI) &#8211; A solution for managing devices with unique identities.&nbsp;<\/li>\n\n\n\n<li>Remote device connectivity &#8211; A solution for managing remote devices over the cloud.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p><strong>You can also download slides from the seminar here:<\/strong><\/p>\n\n\n<div class=\"vlp-link-container vlp-template-default\">\n\t\t\t<a href=\"https:\/\/proekspert.com\/wp-content\/uploads\/2024\/01\/CRA-presentation-nov3-update.pdf\" class=\"vlp-link\" title=\"EU Cyber Resilience Act - new insights\" rel=\"nofollow\" target=\"_blank\"><\/a>\n\t\t\t<div class=\"vlp-link-image-container\">\n\t\t\t\t\t\t<div class=\"vlp-link-image\"><img decoding=\"async\" style=\"--smush-placeholder-width: 1200px; --smush-placeholder-aspect-ratio: 1200\/630;max-width: 1200px;\" width=\"1200\" height=\"630\" data-src=\"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-content\/uploads\/2023\/11\/Screenshot-2024-01-29-at-20.19.00-1200x630.png\" class=\"attachment-1200x630 size-1200x630 lazyload\" alt=\"\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" \/><\/div>\n\t\t\t<\/div>\n\t\t<div class=\"vlp-link-text-container\">\n\t\t\t\t<div class=\"vlp-link-title\">\n\t\t\tEU Cyber Resilience Act &#8211; new insights\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"vlp-post-link\">\n\t\t\t<a 
href=\"https:\/\/proekspert.com\/wp-content\/uploads\/2024\/01\/CRA-presentation-nov3-update.pdf\" title=\"EU Cyber Resilience Act - new insights\" rel=\"nofollow\" target=\"_blank\">https:\/\/proekspert.com\/wp-content\/uploads\/2024\/01\/CRA-presentation-nov3-update.pdf<\/a>\n\t\t<\/div>\n\t\t\t<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s time to stop procrastinating about the EU Cyber Resilience Act. It\u2019s coming whether we like it or not\u2013and here\u2019s how to prepare.<\/p>\n","protected":false},"author":5,"featured_media":13071,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-12918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-device-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/posts\/12918","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/comments?post=12918"}],"version-history":[{"count":15,"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/posts\/12918\/revisions"}],"predecessor-version":[{"id":13699,"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/posts\/12918\/revisions\/13699"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/media\/13071"}],"wp:attachment":[{"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/m
edia?parent=12918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/categories?post=12918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/clients.triloogia.ee\/proekspert\/wp-new\/wp-json\/wp\/v2\/tags?post=12918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}