The European Commission's Cyber Resilience Act, the most comprehensive law regulating product cyber security in Europe, will soon come into force. A number of changes have recently been made that narrow down the scope of the law. Its formal adoption is considered certain in expert circles.
“From our security analysis point of view, the specification of the Cyber Resilience Act is very welcome, especially the further extended level of security for end users. The device classes have been redefined: Article 6 introduced two additional cybersecurity risk classes for critical hardware and software products, the core functions of which are listed in Annex III of the Regulation. One device class includes particularly critical systems and devices. All smart home devices and interactive toys are now explicitly included.
Automatic analysis
In our tests, we found that such devices often have significant security gaps that could easily be identified through an automatic analysis of essential parts and thus rectified more quickly. The area of industrial products and routers, which was not included in the previous draft, may still need to be sharpened in the current version,” says Jan Wendenburg, CEO of Onekey. The Düsseldorf-based company operates a Product Cybersecurity & Compliance analysis platform that analyzes the software contained in all devices with network access and, in addition to an exact listing of components as a software bill of materials (SBOM), also enables a detailed security analysis with risk assessment of possible vulnerabilities. Onekey automatically checks for and identifies critical security vulnerabilities and compliance violations in embedded software, especially in Internet of Things devices, and monitors and manages them throughout the entire product lifecycle. Manufacturers can now create the compliance self-declaration that will be required in the future more easily using the new Onekey Compliance Wizard, i.e. a virtual assistant, and, if necessary, hand it over to external certifiers via export.
Deadlines in the Cyber Resilience Act
For many manufacturers, the 36-month transition period granted by the EU is already tight - the development of new products and software usually takes years - so all manufacturers must begin implementation immediately. ONEKEY's automated analysis platform detects vulnerabilities and compliance violations in minutes, saving significant development time and costs for connected device manufacturers. The deadlines for reporting discovered security vulnerabilities are shortened in the latest draft of the Cyber Resilience Act: “New security vulnerabilities must be reported within 24 hours to the national supervisory authorities and the European Network and Information Security Authority ENISA. For companies that manufacture or market devices with Internet or network access, timely risk management and thorough analysis of their own products become even more important in order to identify and close possible serious zero-day gaps long before the Cyber Resilience Act finally comes into force,” continues Jan Wendenburg from ONEKEY. An essential component is the software bill of materials (SBOM), which, according to the EU and authorities such as the German Federal Office for Information Security (BSI), will play a central role in the future security architecture.
SBOM at the click of a mouse
The question of liability for open source software has also been newly regulated: in the previous drafts of the Cyber Resilience Act, the obligation to comply was imposed on the creators of the software. However, the current version explicitly exempts open source organizations and natural persons contributing to open source projects from liability. “This means that responsibility for compliance with EU regulations lies solely with the companies that use the open source code commercially or market it as part of their products.”
The BSI has formulated its own SBOM guidelines for this purpose. Onekey is already able to meet the requirements for transparent analysis and representation of the components used across the entire software supply chain. To do this, the Onekey Product Cybersecurity & Compliance platform completely analyzes the software and firmware contained in the devices and, in addition to listing all included components, also carries out a risk analysis for vulnerabilities. “Our technology enables in-depth analysis of device software for all device classes defined by the EU,” explains CEO Wendenburg. With the built-in compliance check, current and future legal and technical compliance requirements such as IEC 62443-4-2, ETSI EN 303 645 or the EU Cyber Resilience Act and many others can be checked automatically. In the future, the mandatory compliance self-declaration will be created much faster and more easily using the new, patent-pending Compliance Wizard, a virtual assistant - and for external certifications, all data can be exported to the certifier with just one click.
More at OneKey.com
About ONEKEY
ONEKEY (formerly IoT Inspector) is the leading European platform for automatic security & compliance analyses for devices in industry (IIoT), production (OT) and the Internet of Things (IoT). Using automatically created "Digital Twins" and "Software Bills of Materials (SBOM)" of the devices, ONEKEY independently analyzes firmware for critical security gaps and compliance violations, without any source code, device or network access.