We spoke with Joachim Morbach, Chief Engineer and Security Specialist at infoteam, about the "Cyber Resilience Act" drafted by the EU and what special challenges and cybersecurity obligations it poses for manufacturers and distributors of products.
What are the EU’s objectives with the Cyber Resilience Act?
The Cyber Resilience Act’s objective is to increase IT security in the member states. The CRA is to ensure that products with digital elements become more resilient to cyberattacks. To achieve this objective, the CRA obliges manufacturers to meet specific requirements that become part of CE certification.
What specific obligations for manufacturers and distributors of products with digital elements are established in the CRA?
The appendix to the CRA contains a list of specific requirements that manufacturers must meet, which include maintaining an SBOM (software bill of materials) and system hardening. Another key element is cybersecurity compliance in all phases of the product life cycle, including planning, design, development, production, delivery/market introduction, operation, maintenance and decommissioning. This includes, among other things, a cybersecurity risk analysis and the monitoring and management of vulnerabilities throughout the product’s life cycle (up to a maximum of five years).
In addition, manufacturers must provide free and easy-to-implement security updates to maintain the cybersecurity of their products. Instructions must be written in an understandable way to avoid mistakes that can have cybersecurity implications.
How can infoteam support manufacturers in implementing the CRA requirements?
infoteam offers manufacturers the following support services to help them meet the CRA requirements in compliance with the regulations:
- Consulting and training: infoteam can help manufacturers develop and execute security concepts that meet the CRA requirements. The training provided by infoteam raises awareness of the importance of cybersecurity and improves understanding of the specific CRA requirements. Particularly noteworthy is our dedicated Secure Software Engineer (SSE) training.
- Implementation of cybersecurity tools or technical measures to increase cybersecurity in digital products: infoteam can help manufacturers to identify and put in place appropriate tools and systems that increase the cybersecurity of their products on the one hand, and to identify and enact measures to increase resilience against cyberattacks for the software or operating system on the other hand.
- CE certification support: infoteam can help manufacturers integrate the CRA requirements into CE certification and ensure that their products meet the CRA requirements.
- Post-market surveillance: infoteam can assist in the monitoring and management of vulnerabilities over the product life cycle and support the use of appropriate tools. We can also provide vulnerability monitoring and management as a service to manufacturers.
By taking these steps, infoteam can help companies meet CRA requirements and make their products more resilient to cyberattacks, which can ultimately contribute to greater cybersecurity across the industry.
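The SBOM maintenance and life-cycle vulnerability monitoring obligations mentioned in the interview can be illustrated with a small added example. It is not part of the interview and not infoteam's tooling: a Python script that parses a CycloneDX-style SBOM and flags components whose versions fall inside the affected range of an advisory. The SBOM document, the advisory entries, the component names and the advisory identifiers (`EXAMPLE-ADV-…`) are all constructed sample data; a real check would consume a vendor or public vulnerability feed and a proper version-comparison library.

```python
"""Check a software bill of materials (SBOM) against known advisories.

Added example, not code from infoteam or the interview. Uses a minimal
CycloneDX-style JSON document and a constructed advisory list; both are
invented sample data, as are the component names and version ranges.
"""
import json

# Constructed SBOM in CycloneDX JSON layout (sample data, not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.3",
     "purl": "pkg:generic/libexample-tls@1.2.3"},
    {"type": "library", "name": "jsonparse", "version": "0.9.0",
     "purl": "pkg:generic/jsonparse@0.9.0"},
    {"type": "library", "name": "zlibish", "version": "2.0.1",
     "purl": "pkg:generic/zlibish@2.0.1"}
  ]
}
"""

# Constructed advisory feed (placeholder identifiers): each entry names a
# component, an inclusive first affected version and an exclusive fixed
# version; fixed=None means no fix has been published yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "libexample-tls",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "name": "jsonparse",
     "introduced": "0.8.0", "fixed": "0.9.0", "severity": "medium"},
    {"id": "EXAMPLE-ADV-0003", "name": "zlibish",
     "introduced": "2.0.0", "fixed": None, "severity": "low"},
]


def parse_version(version):
    """Turn a dotted numeric version such as '1.10.2' into a comparable tuple.

    Tuple comparison gives the right ordering ('1.10.0' > '1.9.9'), which a
    plain string comparison would get wrong.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """Return True if version lies in the half-open range [introduced, fixed)."""
    ver = parse_version(version)
    if ver < parse_version(introduced):
        return False
    if fixed is None:          # no fixed release yet: every later version is affected
        return True
    return ver < parse_version(fixed)


def load_components(sbom_text):
    """Parse the SBOM and return (name, version) pairs for its components."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def match_advisories(sbom_text, advisories):
    """Return (advisory id, component, version, severity) for every SBOM
    component whose version falls inside an advisory's affected range."""
    findings = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((adv["id"], name, version, adv["severity"]))
    return findings


if __name__ == "__main__":
    for adv_id, name, version, severity in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name} {version} ({severity})")
```

Running the script reports the TLS library (its version is below the fixed release) and the compression library (no fix published), while `jsonparse` 0.9.0 is clean because 0.9.0 is the fixed version itself. Re-running such a check whenever the advisory feed changes is the mechanical core of the post-market vulnerability monitoring the CRA expects; matching on package URLs (`purl`) rather than bare names, and handling non-numeric version schemes, are the first things a production implementation would need beyond this sketch.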