Violations of the Cyber Resilience Act could cost companies the CE mark

The CRA is about to come into force – manufacturers, importers and retailers should be creating and automating processes now

Duesseldorf, May 7th, 2024 – In March 2024, the European Parliament adopted the Cyber Resilience Act. The final version will be published in the coming weeks, signaling the start of the transition period. "Companies should immediately assess how the requirements of the CRA will affect their own products and how they can ensure full compliance as soon as possible. This will require adjustments to their own production and development processes, which are now more tangible based on the latest iterations," said cybersecurity expert Jan Wendenburg, managing director of ONEKEY. The Duesseldorf-based company has filed a patent application for a solution that simplifies key steps for manufacturers, importers and sellers of technology products with digital elements: the Compliance Wizard, which enables a comprehensive cybersecurity assessment of products. By combining automated vulnerability detection, CVE prioritisation and filtering with a holistic, interactive compliance questionnaire, it significantly reduces the effort and cost of cybersecurity compliance processes. The sanctions the EU threatens for security breaches are severe, including fines for companies and fines for directors. Manufacturers, distributors and importers can also have their CE mark withdrawn, which means a sales ban on the entire EU market.

CRA Readiness Assessment

With the CRA, the principle of "security by design" becomes law: it is no longer enough to ensure that a product with digital elements is compliant only at the time it is placed on the market. Instead, the CRA requires ongoing risk assessment and immediate remediation of security vulnerabilities. When purchasing third-party and open-source components, manufacturers must perform due diligence to ensure that the end product will not be compromised by the inclusion of these components. Until now, however, there has been a lack of information about the basic requirements of the CRA and a lack of uniform standards. This is about to change: "The EU Commission has already announced horizontal standards for key activities and safety requirements, as well as vertical standards for important and critical products – 42 in total. This – and the corresponding tools such as our Compliance Wizard – will enable companies to analyse more quickly what needs to be implemented in order to achieve compliance with the CRA," explained Jan Wendenburg of ONEKEY. Companies that want to be on the safe side can also book a CRA Readiness Assessment from ONEKEY's team of experts.

Documentation Requirements with SBOM

As part of the documentation requirements, manufacturers must also maintain a software bill of materials (SBOM) and, more generally, analyse the entire supply chain for product and component security. This digital document is a complete list of all software components used in a product, including hidden ones. Automation is the key to product-focused processes that do not negatively affect retail prices. "Manufacturers, importers and retailers should be aware that the SBOM must be kept up to date. Every patch or update requires an update of the SBOM, ideally automatically," advised Jan Wendenburg. With the Compliance Wizard, an SBOM is automatically created and can also be automatically maintained at any time. In addition, many companies are not yet aware of what falls under the term "products with digital elements": "Mobile devices such as laptops, smartwatches, smart home devices such as thermostats or smart electricity meters and, above all, the huge and particularly high-risk area of industrial control systems through to motor vehicles all fall under this category – in other words, everything that is connected to an IT network or the Internet," summarised Jan Wendenburg.
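The point above, that an SBOM goes stale the moment a patch changes a component, is easy to enforce mechanically. The following is an added illustration and not code from ONEKEY or the Compliance Wizard: it parses a constructed CycloneDX-style SBOM, compares it against a constructed inventory of what a firmware build actually contains, reports the drift (components missing from the SBOM, components whose version changed, components the SBOM lists but the build no longer ships), and regenerates the SBOM from the inventory. The SBOM content, the component names and versions, and the `pkg:generic` purl form are all sample values chosen for the example.

```python
"""SBOM drift check: compare a CycloneDX-style SBOM against what a build actually shipped.

Added example. The SBOM below and the build inventory are constructed sample data,
not a real product's bill of materials.
"""
import json

# Constructed sample SBOM (a CycloneDX 1.5 JSON subset) as it was generated before a patch.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "busybox", "version": "1.36.0", "purl": "pkg:generic/busybox@1.36.0"},
    {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"}
  ]
}"""

# Constructed inventory of what the patched firmware build really contains:
# openssl was bumped, curl was added, busybox and zlib are unchanged.
BUILD_INVENTORY = {
    "openssl": "3.0.13",
    "busybox": "1.36.0",
    "zlib": "1.2.13",
    "curl": "8.5.0",
}


def parse_sbom_components(sbom_text):
    """Return {component name: version} from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def sbom_drift(sbom_components, inventory):
    """Compare SBOM contents with the build inventory.

    missing  : shipped in the build but absent from the SBOM
    stale    : listed in both, but the version differs (sbom version, build version)
    orphaned : listed in the SBOM but no longer shipped
    """
    missing = sorted(name for name in inventory if name not in sbom_components)
    stale = sorted(
        (name, sbom_components[name], inventory[name])
        for name in inventory
        if name in sbom_components and sbom_components[name] != inventory[name]
    )
    orphaned = sorted(name for name in sbom_components if name not in inventory)
    return {"missing": missing, "stale": stale, "orphaned": orphaned}


def sbom_is_current(sbom_text, inventory):
    """True only when the SBOM matches the build exactly; suitable as a CI gate."""
    drift = sbom_drift(parse_sbom_components(sbom_text), inventory)
    return not (drift["missing"] or drift["stale"] or drift["orphaned"])


def regenerate_sbom(sbom_text, inventory):
    """Rebuild the component list from the inventory, keeping the document header."""
    doc = json.loads(sbom_text)
    doc["components"] = [
        {
            "type": "library",
            "name": name,
            "version": version,
            # Sample purl scheme; a real generator would emit the package ecosystem's purl type.
            "purl": "pkg:generic/%s@%s" % (name, version),
        }
        for name, version in sorted(inventory.items())
    ]
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    drift = sbom_drift(parse_sbom_components(SBOM_JSON), BUILD_INVENTORY)
    for kind, entries in drift.items():
        print("%-9s %s" % (kind + ":", entries))
    print("SBOM current:", sbom_is_current(SBOM_JSON, BUILD_INVENTORY))
    refreshed = regenerate_sbom(SBOM_JSON, BUILD_INVENTORY)
    print("SBOM current after regeneration:", sbom_is_current(refreshed, BUILD_INVENTORY))
```

Run as a step after the build: if `sbom_is_current` is false, fail the pipeline (or regenerate and commit the SBOM, depending on whether the SBOM is treated as input or output of the build). The inventory itself would come from the package manager or a firmware analysis tool in practice; here it is a hard-coded dictionary so the example runs offline.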


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.

Further information: ONEKEY GmbH,
Sara Fortmann, E-Mail: sara.fortmann@onekey.com,
Kaiserswerther Strasse 45, 40477 Duesseldorf, Germany,
Web: www.onekey.com

PR-agency: euromarcom public relations GmbH,
Muehlhohle 2, 65205 Wiesbaden, Germany,
Tel.: +49 611 9731 50, E-Mail: team@euromarcom.de,
Web: www.euromarcom.de
