The Cyber Resilience Act
At Inwedo, we take great care to ensure that the software we develop remains secure and compliant with the highest standards.
It’s a very good direction to set standards. When we buy some products, we assume they will meet specific criteria, not harm us, or are relatively safe. In this case, of course, it is about increasing resistance to cyber threats.
The CRA provides essential cybersecurity requirements for products with digital elements distributed in Europe and strengthens cybersecurity rules to ensure more safe hardware and software products:
The proposed Regulation will apply to all products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. (…) a broad scope of tangible and non-tangible products with digital elements, including non-embedded software
In other words, the act will apply to most physical devices with a network connection and most software, even non-embedded. Noncompliance carries significant fines — 15 million euros or 2.5% of annual revenue, whichever is greater.
The Cyber Resilience Act share similar goals with the Digital Operational Resilience Act, and the European Commission views both regulations as complementing each other. The difference between them is that DORA establishes a comprehensive set of regulations that apply to all financial institutions under supervision.
Essential Cybersecurity Requirements
In Essential Cybersecurity Requirements, devices and programs are divided into two classes based on the level of cybersecurity risk associated with these categories of products, with class II representing a higher level of risk. Class II critical products are specifically mentioned, as they are required to meet higher standards and undergo a more rigorous conformity assessment process.
Some of these products include:
- operating systems for servers, desktops, and mobile devices,
- boot managers,
- network interfaces,
- remote access software,
- patch management systems,
- routers and modems,
- network traffic monitoring systems,
- public key infrastructure,
- virtual private networks.
Nearly all software developers and electronic device manufacturers will at least have to evaluate if they comply with the standard or determine if they are low-risk, which is still unclear. A third-party assessment from a notified body is required for the most critical products (class II).
Although “in order not to hamper innovation or research free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this regulation“, the proposal leaves room to interpret when you are engaged in “commercial activity” and when not. As a result, many people in the open-source community are still concerned that the CRA will impact them.
The proposal from the European Commission leaves many unanswered questions that still need to be answered, especially regarding concerns about innovative software products. That’s why the work on the CRA should be taken with care and not should be rushed.