On 15 September, the European Commission published the Cyber Resilience Act (CRA), which aims at setting common cybersecurity standards for connected devices and services. The regulation seeks to protect consumers and the market from cyber incidents and includes a package of rules to embed digital security in Europe.
Filip Verloy, EMEA Technical Evangelist of Noname Security, an API security company, has shared his thoughts on the proposed act with Cyber magazine.
“The European Commission has proposed a new regulation to safeguard consumers and businesses buying or using products, or software, with a digital component. The Cyber Resilience Act is intended to decrease the damage caused by successful cyberattacks, currently estimated to be a global annual cost of €5.5 trillion,” says Verloy.
“We are seeing that an increasing number of devices are either becoming interconnected and/or connected to the internet. As operational and information technologies continue to merge, it becomes increasingly common for systems and devices to exchange information using standard interfaces like APIs.
“However, we must be careful not to exaggerate one piece of the puzzle, but also to heighten the security baseline of these intermediary connections. Systems are only as secure as their weakest link.
“Today, many consumer devices are ‘smart’. This means they need to communicate with an external control system, frequently using APIs to do this. They provide the glue to tie our connected devices together, but herein also lies the danger. If you can exploit this interconnected system, no part of the network remains safe. Cybersecurity is hard; defenders need to catch all potential issues, while attackers only need to find one to exploit it.
“Therefore, will we be better off by increasing the base level of security? Yes, but it will not result in cybersecurity issues completely disappearing. Introducing regulation will increase the potential legal risks for suppliers, forcing their hand in doing what is right for consumers and businesses alike. This increased pressure should be viewed as a positive, but we need to remain ever vigilant,” he concludes.
When will the act be implemented?
The CRA is now subject to review and approval by the European Council and Parliament. Once adopted and entered into force, there will be a grace period of 24 months for compliance, with the exception of the reporting obligations for manufacturers, which shall apply 12 months after entry into force of the CRA.
The CRA requires Member States to establish designated market surveillance authorities who will be in charge of enforcing the CRA. The designated authorities will have the power to initiate a recall or withdrawal of the product from the market in instances of non-compliance. In addition, Member States are required to establish penalties for infringement of the obligations under the CRA. Such penalties are capped at €15,000,000 or 2.5% of the infringing entity’s global turnover, whichever is higher.