Cyber Resilience Act on the verge of passage: EU agrees rules for connected products

Feb. 22, 2024

A key component of this is the Software Bill of Materials (SBOM), which will play a central role in the future security architecture.

Duesseldorf, Germany, February 22nd, 2024 - The European Commission's Cyber Resilience Act will soon become the most comprehensive piece of product cybersecurity legislation in Europe. A number of amendments were recently adopted to specify the scope of the law. Formal adoption is considered certain by experts.

"From our security analysis point of view, the CRA specification is very welcome, especially the further enhanced level of security for end users and consumers. The classes of equipment have been reorganised: Article 6, for example, introduces two additional cybersecurity risk classes for critical hardware and software products whose core functions are listed in Annex III of the Regulation. One class of devices covers particularly critical systems and equipment. All smart home devices and interactive toys are now explicitly included.

In our tests, we have found that such devices often have significant security vulnerabilities that could be easily identified by an automatic analysis and thus be fixed more quickly. The area of industrial products and routers, which was not included in the current version of the previous draft, should possibly be tightened up," says Jan Wendenburg, CEO of ONEKEY.

The German company operates a product cybersecurity & compliance analysis platform that analyses the software contained in all devices with network access and, in addition to an exact listing as a software bill of materials (SBOM), also enables a detailed security analysis with risk assessment of possible vulnerabilities.

ONEKEY automatically checks and identifies critical security vulnerabilities and compliance violations in embedded software, especially in Internet of Things devices, and monitors and manages them throughout the entire product lifecycle. The new ONEKEY Compliance Wizard, a virtual assistant, now makes it easier for manufacturers to create the required compliance self-declaration and export it to external certifiers if required.

Shorter deadlines require rapid response from manufacturers

For many manufacturers, the 36-month transition period granted by the EU is already too short - new product and software development typically takes years - so all manufacturers must begin implementation immediately. ONEKEY's automated analysis platform identifies vulnerabilities and compliance violations in minutes, saving manufacturers of networked devices significant time and money during development.

The latest CRA draft shortens the timeframe for vulnerability reporting: "New vulnerabilities must be reported to national regulators and the European Network and Information Security Agency (ENISA) within 24 hours. For companies that manufacture or market devices with internet or network access, timely risk management and thorough analysis of their own products will become even more important in order to identify and fix potentially serious zero-day vulnerabilities long before the CRA finally comes into force," continues Jan Wendenburg of ONEKEY.

A key component of this is the Software Bill of Materials (SBOM), which will play a central role in the future security architecture, according to the EU and authorities such as the German Federal Office for Information Security (BSI).

One-Click SBOM

The issue of liability for open source software has also been reorganised: In previous drafts of the CRA, the obligation to comply was imposed on the creators of the software. The current version, however, explicitly excludes open source organisations and individuals as contributors to open source projects from liability. "This means that the responsibility for complying with EU requirements lies solely with the companies that commercially use the open source code or place it on the market as part of their products." The BSI has formulated its own SBOM guideline for this purpose. ONEKEY is already able to meet the requirements for transparent analysis and presentation of the components used throughout the entire software supply chain.

To this end, the ONEKEY Product Cybersecurity & Compliance Platform fully analyses the software and firmware contained in the devices and performs a risk analysis for vulnerabilities, in addition to listing all the components contained. "Our technology makes it possible to thoroughly analyse device software for all device classes defined by the EU," explains ONEKEY CEO Wendenburg.

The integrated compliance check enables the automatic verification of current and future legal technical compliance requirements such as IEC 62443-4-2, ETSI 303 645 or the EU Cyber Resilience Act and many others. In the future, the new patent-pending Compliance Wizard will make it much faster and easier to create the mandatory compliance self-declaration using a virtual wizard - and for external certification, all data can be exported to the certifier with a single click.