InformationWeek - What Is the Cyber Resilience Act? Secure EU Compliance Simplified

Commentary by Nick Kathmann, CISO, LogicGate

The Cyber Resilience Act (CRA) is a new set of cybersecurity rules in the European Union (EU) that regulates products and services with digital elements. This means it mandates security requirements for pretty much everything from software to IoT.

The Cyber Resilience Act is the first legislation to regulate cybersecurity globally. The Act mandates specific cybersecurity requirements for manufacturers and retailers to replace inadequate cybersecurity features with better protection. The European Cyber Resilience Act is expected to enter into force in early 2024. It was proposed in September 2022, and agreed upon in December 2023.

Challenges and Opportunities
“The opportunities are vast, and long overdue. Many companies in today’s landscape value cheap and fast to market over security and maintainability. This is especially obvious in the commercial IoT space, where every appliance has to be internet connected while running a full Linux distro in the background. Just like a system that an IT team maintains, that embedded system also requires lifecycle management and clearly setting expectations of EOL/EOS -- before the purchase is made,” says Nick Kathmann, chief information security officer at LogicGate.

Unfortunately, vast opportunities laden with the best of intentions also come with significant challenges and risks for companies.

“The challenge, however, is around the vulnerability disclosure to a central government agency. While the EU Cyber Resilience Act doesn’t go as far as China does requiring POC code and technical details, it does become another government-controlled vulnerability database that’s more closed in nature than, for instance, the CVE process. Also, even without technical details, just knowing an application has a vulnerability of a certain class can cause researchers -- both good and bad -- and attackers to point the microscope on that application and discover the vulnerability before the vendor has had a chance to reasonably remediate. Another challenge will be getting the assessment firms vetted and trained quickly,” Kathmann adds.