Noname Security speaks out on new EU Cyber Resilience Act

Filip Verloy, EMEA Technology Evangelist at Noname Security, says the proposed new EU Cyber Resilience Act measures have both benefits and drawbacks.

On 15 September, the European Commission published its proposal for the Cyber Resilience Act (CRA), which aims to set common cybersecurity standards for connected devices and services. The regulation seeks to protect consumers and the market from cyber incidents and includes a package of rules to embed digital security in products sold in Europe.

Filip Verloy, EMEA Technical Evangelist of Noname Security, an API security company, has shared his thoughts on the proposed act with Cyber magazine.

“The European Commission has proposed a new regulation to safeguard consumers and businesses buying or using products, or software, with a digital component. The Cyber Resilience Act is intended to decrease the damage caused by successful cyberattacks, currently estimated to be a global annual cost of €5.5 trillion,” says Verloy.

“We are seeing that an increasing number of devices are either becoming interconnected and/or connected to the internet. As operational and information technologies continue to merge, systems and devices exchanging information using standard interfaces like APIs becomes increasingly common.

“However, we must be careful not to exaggerate one piece of the puzzle, but also to heighten the security baseline of these intermediary connections. Systems are only as secure as their weakest link.

“Today, many consumer devices are ‘smart’. This means they need to communicate with an external control system, frequently using APIs to do this. They provide the glue to tie our connected devices together, but herein also lies the danger. If you can exploit this interconnected system, no part of the network remains safe. Cybersecurity is hard; defenders need to catch all potential issues, while attackers only need to find one to exploit it.

“Therefore, will we be better off by increasing the base level of security? Yes, but it will not result in cybersecurity issues completely disappearing. Introducing regulation will increase the potential legal risks for suppliers, forcing their hand in doing what is right for consumers and businesses alike. This increased pressure should be viewed as a positive, but we need to remain ever vigilant,” he concludes.

When will the act be implemented?

The CRA proposal is now subject to review and approval by the European Parliament and the Council of the EU. Once adopted and in force, manufacturers will have a grace period of 24 months to comply, with the exception of the reporting obligations for manufacturers, which will apply 12 months after the CRA enters into force.

The CRA requires Member States to designate market surveillance authorities who will be in charge of enforcing the CRA. The designated authorities will have the power to initiate a recall or withdrawal of a product from the market in instances of non-compliance. In addition, Member States are required to establish penalties for infringement of the obligations under the CRA. Such penalties are capped at €15,000,000 or 2.5% of the infringing entity’s global annual turnover, whichever is higher.
