The impact of the Cyber Resilience Act on IT security (2024)

The Cyber Resilience Act is an EU-wide piece of legislation that introduces binding cybersecurity requirements for products containing hardware and software, which the EU Commission calls “products with digital elements”. Products with digital elements are defined as “any software or hardware product and its remote computing solution, including software or hardware components, which are placed on the market separately”. In practice this covers IoT devices as well as the software and hardware components that ship with them or are sold separately for them. The requirements are meant to ensure that such products are secured throughout their lifecycle, from design through to the end of their support period. Software-as-a-Service, for example, is currently outside the scope of the regulation, although this could still change in the course of the negotiations.

In 2021, the annual global cost of cybercrime was estimated at around 5.5 trillion euros. Many products on the market are not secure, and consumers have no practical way of telling. The EU’s main aims with the regulation are to create the conditions for the development of secure products with fewer vulnerabilities, to make vulnerability management possible throughout the product lifecycle, and to give users the information they need to take cybersecurity into account when choosing and using products.

Critical products with digital elements

It is also important to know the critical product categories, referred to as Class I and Class II (see https://ec.europa.eu/newsroom/dae/redirection/document/89544). Products in these classes are subject to stricter conformity assessment than ordinary products with digital elements.

Examples of the Class I category:

  • Software for identity management systems and privileged access management (PAM) software
  • Standalone and embedded browsers
  • Password managers
  • Software that searches for, removes or quarantines malicious software
  • Products with digital elements with the function of a virtual private network (VPN)
  • Microcontrollers
  • Microprocessors
  • Industrial automation and control systems (IACS), programmable logic controllers (PLC), distributed control systems (DCS), computer numerical control (CNC) and SCADA systems

Examples of the Class II category:

  • Operating systems for servers, desktops and mobile devices
  • Hypervisors and container runtimes that support the virtualised execution of operating systems and similar environments
  • Public key infrastructure and issuers of digital certificates
  • So-called “secure elements”
  • Sensor and actuator components for robots and robot controllers
  • Routers
  • Hardware security modules (HSMs)

Most Software-as-a-Service offerings do not fall into either category, but some could fall under one of the listed critical product types. The Czech Council Presidency would like to explicitly exclude SaaS from the scope of the regulation, as such services already fall under NIS2.

Schedule

In the first half of 2022, the Commission launched a public consultation and a call for evidence, which ran until May 25, 2022. The feedback period on the proposed legislation that followed ran until January 23, 2023. On June 2, 2023, EU ministers met to discuss the progress of the file.

The aim of the Council Presidency for its six-month term is to push the negotiations on the Cyber Resilience Act in the Council forward as far as possible.

At present, most companies are not yet affected by the regulation. This is likely to change in the coming years once its requirements begin to apply.

Consequences

The effects of these developments are complex:

  • Low-cost imports, for example from China, will face greater hurdles, and access to the European Union market will become increasingly difficult for products that cannot demonstrate conformity.
  • Companies in the hardware and software sector will have to extend their development, vulnerability handling and documentation processes, and may encounter considerable obstacles in doing so.
  • Even where stronger security measures make exploitation harder, determined attackers will still find vulnerabilities. Manufacturers therefore have to keep their products updatable for the whole support period, which is a major challenge for product lines that today rarely receive updates at all.
  • The cost of cybersecurity measures is likely to rise, and non-compliance with the new requirements can be penalised with fines of up to €15 million or 2.5% of annual worldwide turnover, whichever is higher. For most products, conformity is demonstrated by the manufacturer’s own self-assessment, and there is no guarantee that this will prove effective at keeping non-compliant products off the market.
  • Start-ups and small to medium-sized companies may find it harder to gain a foothold in the market or to succeed in view of the challenges mentioned.

IT security marketplace

If you need professional advice or assistance with IT security measures, we invite you to explore our extensive range of IT security services on our specialized IT security marketplace. On this marketplace you will find a variety of qualified service providers tailored to your individual requirements.

Our ultimate goal is to make the communication and agreement process as smooth as possible. We understand that the security of your business is of the utmost importance. That’s why we’ve made sure that you can easily and efficiently find the right solutions to keep your business secure.

Let’s work together to strengthen your IT security and minimize the risks. We are at your side with our expertise and our network of specialists to ensure that your company is optimally protected.

You can access our IT security marketplace via the following link: https://marketplace.cyberphinix.de
