Noname Security speaks out on new EU Cyber Resilience Act

Filip Verloy, EMEA Technology Evangelist at Noname Security says the proposed new EU Cyber Resilience Act measures have both benefits and drawbacks.

On 15 September 2022, the European Commission published its proposal for the Cyber Resilience Act (CRA), which aims to set common cybersecurity requirements for products with digital elements, that is, connected hardware and the software that runs on or with it. The regulation seeks to protect consumers and the market from cyber incidents and includes a package of rules to embed digital security in Europe.

Filip Verloy, EMEA Technology Evangelist at Noname Security, an API security company, has shared his thoughts on the proposed act with Cyber magazine.

“The European Commission has proposed a new regulation to safeguard consumers and businesses buying or using products, or software, with a digital component. The Cyber Resilience Act is intended to decrease the damage caused by successful cyberattacks, currently estimated to be a global annual cost of €5.5 trillion," says Verloy.

“We are seeing that an increasing number of devices are either becoming interconnected and/or connected to the internet. As operational and information technologies continue to merge, systems and devices exchanging information using standard interfaces like APIs becomes increasingly common.

“However, we must be careful not to exaggerate one piece of the puzzle, but also to heighten the security baseline of these intermediary connections. Systems are only as secure as their weakest link.

“Today, many consumer devices are ‘smart’. This means they need to communicate with an external control system, frequently using APIs to do this. They provide the glue to tie our connected devices together, but herein also lies the danger. If you can exploit this interconnected system, no part of the network remains safe. Cybersecurity is hard; defenders need to catch all potential issues, while attackers only need to find one to exploit it.

“Therefore, will we be better off by increasing the base level of security? Yes, but it will not result in cybersecurity issues completely disappearing. Introducing regulation will increase the potential legal risks for suppliers, forcing their hand in doing what is right for consumers and businesses alike. This increased pressure should be viewed as a positive, but we need to remain ever vigilant," he concludes.

When will the act be implemented?

The proposal is now subject to review and adoption by the European Parliament and the Council of the EU under the ordinary legislative procedure. Once adopted, manufacturers will have 24 months after the regulation enters into force to comply, with one exception: the obligation on manufacturers to report actively exploited vulnerabilities and incidents applies 12 months after entry into force.

The CRA requires Member States to designate market surveillance authorities in charge of enforcing it. These authorities will have the power to order corrective action, and to initiate a recall or withdrawal of a product from the market, in cases of non-compliance. Member States must also lay down penalties for infringements. The proposal caps administrative fines at €15,000,000 or 2.5% of the infringing entity’s total worldwide annual turnover, whichever is higher, for breaches of the essential cybersecurity requirements and the core manufacturer obligations; other infringements carry lower caps (€10,000,000 or 2%), and supplying incorrect or misleading information to authorities carries the lowest (€5,000,000 or 1%).
