Violations of the Cyber Resilience Act could cost Companies the CE Mark
Violations of the Cyber Resilience Act could cost Companies the CE Mark
The CRA is about to come into force – manufacturers, importers and retailers should be creating and automating processes now
Duesseldorf, May 7th, 2024 – In March 2024, the European Parliament adopted the Cyber Resilience Act. The final version will be published in the coming weeks, signaling the start of the transition period. „Companies should immediately assess how the requirements of the CRA will affect their own products and how they can ensure full compliance as soon as possible. This will require adjustments to their own production and development processes, which are now more tangible based on the latest iterations,“ said cybersecurity expert Jan Wendenburg, managing director of ONEKEY. The Duesseldorf-based company has filed a patent application for a solution that simplifies key steps for manufacturers, importers and sellers of technology products with digital elements: the Compliance Wizard, which enables a comprehensive cybersecurity assessment of products. By combining automated vulnerability detection, CVE prioritisation and filtering with a holistic, interactive compliance questionnaire, it significantly reduces the effort and cost of cybersecurity compliance processes. The sanctions threatened by the EU for security breaches are severe – including fines for companies and fines for directors. Manufacturers, distributors and importers can also have their CE mark withdrawn: This means a sales ban on the entire EU market.
CRA Readiness Assessment
With the CRA, the principle of „security by design“ becomes law: it is no longer enough to ensure that a product with digital elements is compliant only at the time it is put on the market. Instead, it will require ongoing risk assessment – and immediate remediation of security vulnerabilities. When purchasing third-party and open-source components, manufacturers must perform due diligence to ensure that the end product will not be compromised by the inclusion of these components. Until now, however, there has been a lack of information about the basic requirements of the CRA and uniform standards. This is about to change: „The EU Commission has already announced horizontal standards for key activities and safety requirements, as well as vertical standards for important and critical products – 42 in total. This – and the corresponding tools such as our Compliance Wizard – will enable companies to analyse more quickly what needs to be implemented in order to achieve compliance with the CRA,“ explained Jan Wendenburg of ONEKEY. Companies that want to be on the safe side can also book a CRA Readiness Assessment from ONEKEY’s team of experts.
Documentation Requirements with SBOM
As part of the documentation requirements, manufacturers must also maintain the software bill of materials (SBOM) and generally analyse the entire supply chain for product and component security. Automation is the key to product-focused processes that do not negatively impact on retail prices. This digital document is a complete list of all software components used in a product – including hidden ones. „Manufacturers, importers and retailers should be aware that the SBOM must be kept up to date. Every patch or update requires an update of the SBOM, ideally automatically,“ advised Jan Wendenburg. With the Compliance Wizard, an SBOM is automatically created and can also be automatically maintained at any time. In addition, many companies are not yet aware of what falls under the term „products with digital elements“: „Mobile devices such as laptops, smartwatches, smart home devices such as thermostats or smart electricity meters and, above all, the huge and particularly high-risk area of industrial control systems through to motor vehicles all fall under this category – in other words, everything that is connected to an IT network or the Internet,“ summarised Jan Wendenburg.
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life. Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. „Digital Cyber Twins“ enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle. The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others. The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation. Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
Further information: ONEKEY GmbH, Sara Fortmann, E-Mail: sara.fortmann@onekey.com, Kaiserswerther Strasse 45, 40477 Duesseldorf, Germany, Web: www.onekey.com
Um dir ein optimales Erlebnis zu bieten, verwenden wir Technologien wie Cookies, um Geräteinformationen zu speichern und/oder darauf zuzugreifen. Wenn du diesen Technologien zustimmst, können wir Daten wie das Surfverhalten oder eindeutige IDs auf dieser Website verarbeiten. Wenn du deine Zustimmung nicht erteilst oder zurückziehst, können bestimmte Merkmale und Funktionen beeinträchtigt werden.
Funktional
Immer aktiv
Die technische Speicherung oder der Zugang ist unbedingt erforderlich für den rechtmäßigen Zweck, die Nutzung eines bestimmten Dienstes zu ermöglichen, der vom Teilnehmer oder Nutzer ausdrücklich gewünscht wird, oder für den alleinigen Zweck, die Übertragung einer Nachricht über ein elektronisches Kommunikationsnetz durchzuführen.
Vorlieben
Die technische Speicherung oder der Zugriff ist für den rechtmäßigen Zweck der Speicherung von Präferenzen erforderlich, die nicht vom Abonnenten oder Benutzer angefordert wurden.
Statistiken
Die technische Speicherung oder der Zugriff, der ausschließlich zu statistischen Zwecken erfolgt.Die technische Speicherung oder der Zugriff, der ausschließlich zu anonymen statistischen Zwecken verwendet wird. Ohne eine Vorladung, die freiwillige Zustimmung deines Internetdienstanbieters oder zusätzliche Aufzeichnungen von Dritten können die zu diesem Zweck gespeicherten oder abgerufenen Informationen allein in der Regel nicht dazu verwendet werden, dich zu identifizieren.
Marketing
Die technische Speicherung oder der Zugriff ist erforderlich, um Nutzerprofile zu erstellen, um Werbung zu versenden oder um den Nutzer auf einer Website oder über mehrere Websites hinweg zu ähnlichen Marketingzwecken zu verfolgen.
Comments are closed