The closer the Cyber Resilience Act (CRA-E) comes to entering into force, the more questions arise for manufacturers and distributors of smart devices.
In the future, companies will be liable for the management of security risks. EU law provides for drastic fines, which can be due even if deadlines are missed. The CYBICS conference will take place for the eighth time on November 28, 2023; for the second time this year, it will be dedicated exclusively to the topic of cyber resilience and the CRA-E. Under the motto “Compliance, security and best practices: the Cyber Resilience Act”, the conference will be organized in Frankfurt am Main by the isits AG International School of IT Security together with partners such as the IoT/OT cybersecurity expert Onekey, representatives of the European Commission, experts from the Bureau Veritas certification body and CERT@VDE.
High requirements, quick implementation
For the first time, the Cyber Resilience Act transfers responsibility for the secure operation of devices with digital elements - from mass-produced items such as smartwatches to routers, access control systems, printers and industrial control systems - from users to manufacturers. “Network operators will continue to be responsible for their security in the future. However, manufacturers and distributors of devices will have to meet significantly higher requirements in the future during development and marketing. This not only affects IT security itself, but also processes and reporting obligations. There is currently a lot of uncertainty among companies because, in addition to EU legislation, coordination with local authorities is still pending. But this must under no circumstances lead to delays – because the CRA-E will take effect immediately in all EU countries after its final adoption,” says Jan Wendenburg, CEO of CYBICS co-organizer Onekey. The company is Europe's leading provider of automated cybersecurity and compliance products and operates a highly automated analysis and management platform (PCCP). The platform provides manufacturers of smart devices and systems with essential support in meeting the upcoming requirements of the EU Commission's Cyber Resilience Act and is already able to analyze the individual software components of a device in detail and assess them for risks.
Discussions among the manufacturers
This huge paradigm shift in legal requirements is accompanied by growing uncertainty. The CRA-E offers potential for conflict in many areas - especially when it comes to open source software, which is also used in devices and their firmware. “Hardly any other topic has generated as much resonance and discussion among manufacturers in the last ten years as the new EU legislation surrounding the Cyber Resilience Act. As the organizer, we are meeting the need with a second CYBICS conference later this year in order to be able to offer manufacturers concrete guidelines and assistance that are already geared towards practical use in companies,” says Birgitte Baardseth from the isits AG International School of IT Security.
More at Onekey.com
About ONEKEY
ONEKEY (formerly IoT Inspector) is the leading European platform for automatic security & compliance analyses for devices in industry (IIoT), production (OT) and the Internet of Things (IoT). Using automatically created "Digital Twins" and "Software Bill of Materials (SBOM)" of the devices, ONEKEY independently analyzes firmware for critical security gaps and compliance violations, without any source code, device or network access.