The European Commission's Cyber Resilience Act (CRA) aims to close the digital patchwork of devices and systems with a network connection. Industrial networks and critical infrastructures require special protection. The EU regulation on cyber resilience can mean millions in fines for manufacturers, distributors and importers.
According to the European Union, a ransomware attack currently occurs every eleven seconds; in the last few weeks alone, attacks have hit a leading manufacturer of baby food and a global Tier 1 automotive supplier headquartered in Germany, the latter falling victim to a massive ransomware attack. Such an attack even led to the insolvency of the manufacturer Prophete in January 2023.
Deliberate security gaps are punished
In order to hold manufacturers, distributors and importers accountable, severe penalties are threatened if security gaps in devices are discovered and not reported and closed correctly. "The pressure on the industry – manufacturers, distributors and importers – is growing immensely. The EU will implement this regulation without compromise, even if there are still a few work steps to be completed, for example with the local state authorities," says Jan Wendenburg, Managing Director of the cybersecurity company ONEKEY.
Fines: 15 million euros or 2.5 percent of annual sales
The penalties for affected manufacturers and distributors are correspondingly high: up to 15 million euros or 2.5 percent of global annual sales in the past financial year, whichever is higher. "This makes it unmistakably clear: if the specifications are not implemented, the manufacturers face severe penalties," Wendenburg continued.
Manufacturers, distributors and importers are required to notify ENISA – the European Union Agency for Cybersecurity – within 24 hours if a vulnerability in any of their products is exploited. Exceeding the reporting deadlines is penalized.
Manufacturers must respond to the Cyber Resilience Act
The Commission's proposal provides for the new requirements to apply 24 months after the regulation comes into force. Individual elements, such as the obligation to report security incidents, are to apply after 12 months. "The time horizon is tight considering that orders for IT products from OEM manufacturers are already being placed this year for the next 12-18 months. Therefore, the timing situation must be considered and resolved now before a product cannot be brought to market due to defects or the market launch is delayed," explains Jan Wendenburg from ONEKEY.
The company operates a firmware analysis platform for finding security vulnerabilities in smart and networked devices, from robot vacuum cleaners to industrial controls worth millions. With its Cyber Resilience Readiness Assessment, ONEKEY offers manufacturers, distributors and importers the possibility to check their products against the essential requirements of the Cyber Resilience Act in advance, to examine them for security gaps, and to populate the SBOM (Software Bill of Materials) with content.
More at ONEKEY.com
About ONEKEY
ONEKEY (formerly IoT Inspector) is the leading European platform for automated security and compliance analyses of devices in industry (IIoT), production (OT) and the Internet of Things (IoT). Using automatically created "Digital Twins" and "Software Bills of Materials (SBOM)" of the devices, ONEKEY independently analyzes firmware for critical security gaps and compliance violations, without any source code, device or network access.