EU Cyber Resilience Act: What manufacturers will have to accomplish in the upcoming months
Analysis and documentation requirements will challenge companies
Duesseldorf, March 1, 2023 – With the EU’s Cyber Resilience Act (CRA), the industry is facing one of the strictest sets of regulatory requirements it has seen so far. Manufacturers, importers and even distributors of products with digital elements – in practice, almost anything containing a microchip and the software that runs on it – will be required to take a number of stringent measures. So far, there are hardly any established procedures for this: „Among other things, the Cyber Resilience Act will require a cyber risk assessment before a product is put on the market. All manufacturers must start now to integrate the upcoming requirements into their product development, as the development of new products and variants often takes many months and years,“ says Jan Wendenburg, CEO of ONEKEY. The company, which specialises in product cybersecurity, has published the first concise guide for the industry, summarising the upcoming regulations, the essential measures and practical tips for their implementation. In addition, ONEKEY is offering a 45-minute online seminar focusing on the legal basis and the implementation of the CRA in existing workflows. The seminar, titled „Understanding the EU Cyber Resilience Act and achieve product cybersecurity compliance“, will take place March 9 at 11 a.m. Central European Time, and registration is available here.
Documentation requirements and the need for a Software Bill of Materials
In addition to security measures against unauthorised access, companies will also be required to manage software vulnerabilities and patches – before damage is caused by exploitable vulnerabilities. „Throughout the entire product lifecycle, manufacturers must effectively manage the vulnerabilities of their products, conduct regular testing and demonstrate comprehensive patch management. There is also an obligation to maintain clear documentation,“ Wendenburg continues. This includes maintaining a Software Bill of Materials (SBOM) that lists every software component – including hidden ones, such as libraries bundled inside third-party components – in a device or system. Depending on the product and the components installed, there can be hundreds of different assemblies, each with its own „brains“ and hidden risks. Staff structures also need to be put in place: certain tasks and duties under the CRA need to be performed by an officer on behalf of the organisation. This includes, for example, the role of contact person for the market surveillance authorities.
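As an added illustration (not ONEKEY's code or material from its guide), the following Python script shows what consuming such an SBOM looks like in practice: it walks a small constructed CycloneDX-style SBOM, including a library nested inside a vendor SDK (the "hidden" kind of component), cross-checks each component's version against a constructed advisory list, and flags entries that lack the version or supplier data the documentation needs. The device, components, advisory IDs and version ranges are made up for the example.

```python
"""Cross-check a CycloneDX-style SBOM against vulnerability advisories.

Added example, not ONEKEY's code. The SBOM, the advisories and the
advisory IDs below are constructed sample data, not real products or CVEs.
"""
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Constructed SBOM for a hypothetical device. Note the library nested inside
# "vendor-sdk": a flat inventory would miss it, which is exactly the "hidden"
# component problem an SBOM is supposed to surface.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "device", "name": "example-router",
                               "version": "2.4.0"}},
    "components": [
        {"type": "operating-system", "name": "linux", "version": "5.10.120",
         "supplier": {"name": "kernel.org"}},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "supplier": {"name": "OpenSSL Project"}},
        {"type": "application", "name": "vendor-sdk", "version": "3.2",
         # no supplier recorded: incomplete documentation
         "components": [
             {"type": "library", "name": "zlib", "version": "1.2.11"},
         ]},
    ],
})

# Constructed advisories: a component is affected if
# introduced <= version < fixed. IDs are placeholders, not real identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-SAMPLE-1", "name": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "ADV-SAMPLE-2", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-SAMPLE-3", "name": "linux", "introduced": "5.15", "fixed": "5.15.50"},
]


def parse_version(version: str) -> tuple[tuple[int, Any], ...]:
    """Split a version string into comparable tokens.

    Numeric runs compare as integers, letter runs (OpenSSL's "1.1.1k") as
    strings, so "1.1.1" < "1.1.1k" < "1.1.1l" and "5.10.120" < "5.15".
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


def walk_components(components: list[dict], prefix: str = "") -> Iterator[tuple[str, dict]]:
    """Yield (path, component) depth-first, descending into nested components."""
    for comp in components:
        path = f"{prefix}{comp.get('name', '?')}"
        yield path, comp
        yield from walk_components(comp.get("components", []), prefix=path + "/")


def is_affected(version: str, advisory: dict) -> bool:
    """True if version lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def check_sbom(sbom_json: str, advisories: list[dict]) -> dict[str, list]:
    """Return affected components and components with incomplete metadata."""
    sbom = json.loads(sbom_json)
    findings: list[dict] = []
    incomplete: list[str] = []
    for path, comp in walk_components(sbom.get("components", [])):
        name, version = comp.get("name", "").lower(), comp.get("version")
        # Version and supplier are the minimum needed to trace a component
        # back to a patch source; flag anything without them.
        if not version or "supplier" not in comp:
            incomplete.append(path)
        if not version:
            continue
        for adv in advisories:
            if adv["name"].lower() == name and is_affected(version, adv):
                findings.append({"path": path, "version": version, "advisory": adv["id"]})
    return {"findings": findings, "incomplete": incomplete}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

On the sample data the check reports openssl and the nested vendor-sdk/zlib as affected, and vendor-sdk and vendor-sdk/zlib as lacking supplier information; the linux entry is outside its advisory's range. A real pipeline would match on package URLs (purl) rather than bare names and would pull advisories from a feed, but the recursive walk and the range check are the parts a flat spreadsheet inventory gets wrong.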
Redesigning established processes
In addition to the documentation requirements, companies will have to regularly update the data inventory for their products and keep the data for up to ten years after the product has been placed on the market. „It is becoming clear that the pressure – even if the EU Commission postpones the law somewhat – is high. Products and components, including those from third parties, have to be tested for vulnerabilities, manufacturers and importers must document this and provide the necessary capacity to meet the information obligations. For industry, this means rethinking established development and production processes. Those who do not act in time here risk high penalties from the authorities,“ summarises Jan Wendenburg of ONEKEY. As a specialist in product cybersecurity, the company operates one of the world’s largest automated analysis platforms for examining products with digital elements for vulnerabilities that could be exploited by attackers. ONEKEY thus already provides the automated analysis and information that manufacturers urgently need to secure their products.
ONEKEY is a leading European specialist in product cybersecurity. The unique combination of an automated security & compliance software analysis platform and consulting services by cybersecurity experts provides fast, comprehensive analysis and solutions in the area of IoT/OT product cybersecurity. Building upon automatically generated „Digital Twins“ and „Software Bills of Materials (SBOM)“ of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Exploitable vulnerabilities and security risks are identified in the shortest possible time and can thus be remediated in a targeted manner. The easy-to-integrate solution enables manufacturers, distributors, and users of IoT technology to quickly and continuously perform 24/7 security and compliance audits throughout the product lifecycle. Leading international companies in Asia, Europe, and America are already successfully benefiting from the ONEKEY platform and experts.
Further information: ONEKEY GmbH, Sara Fortmann, e-mail: sara.fortmann@onekey.com, Kaiserswerther Straße 45, 40477 Duesseldorf, Germany, web: www.onekey.com