
CRA Preparations in the Industry

The Cyber Resilience Act: A new digital security regulation for OT security

Jérôme Arnaud
Head of Product Management Rhebo
Mar 17, 2026
5 min

In an increasingly connected world, cybersecurity is no longer an optional "extra," but rather the foundation for trust in modern technology. With the Cyber Resilience Act (CRA), the European Union has passed the first regulation that sets a binding minimum level of cybersecurity for all products with digital elements in the EU.

What is the aim of the Cyber Resilience Act?

The main aim of the CRA is to significantly increase the level of protection within the EU. Until now, there have been no uniform, mandatory security requirements for connected products. This is now changing fundamentally.

The regulation applies to all products that contain "digital elements" and can be connected directly or indirectly to a network or device. The spectrum ranges from consumer products (smartphones, connected toys) to industrial or B2B solutions (complex industrial systems, microprocessors, firewalls, smart meter gateways) and software. Only non-commercial open-source software is exempt from these strict requirements.


The timetable: When will the CRA come into effect?

The CRA came into force just 20 days after its publication in the Official Journal of the European Union in December 2024. Implementation will be gradual to give manufacturers time to adapt. A key date is the end of 2027. By then, all new products placed on the market must meet the full requirements.

Particularly important for companies: The process is based on the well-known CE marking. Manufacturers who already use established verification processes have a clear advantage here.

The four pillars of compliance

To achieve compliance with the CRA, manufacturers must address four key areas:

1. Security by Design & Default

Cybersecurity must not be an afterthought. It must be taken into account during product development.

  • Risk assessment: Manufacturers must identify and address potential vulnerabilities at an early stage.
  • Encryption: Data must be protected both during transmission and storage.
  • Secure default settings: Weak default passwords will be prohibited, and automatic security updates will become the norm.

2. Transparency through SBOM

A key component is the creation of a Software Bill of Materials (SBOM). You can think of it as being similar to the list of ingredients on a food label: it lists in detail which libraries and components are used in a piece of software.
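To make the "list of ingredients" concrete, the following added example (not code from the original article or from Rhebo) builds a minimal CycloneDX-style SBOM from a pinned dependency list and then uses it the way a manufacturer would under the CRA's vulnerability-management duties: checking whether any listed component falls below a known fixed version. The package names, versions and the advisory identifier are constructed placeholders, not real advisories.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample input in requirements.txt style (hypothetical packages and versions).
SAMPLE_REQUIREMENTS = """\
# constructed example, not a real project manifest
paho-mqtt==1.6.1
pyyaml==5.4.1
cryptography==41.0.7
"""

# Constructed advisory feed: package name -> list of (fixed-in version, advisory id).
# The identifier is a placeholder, not a real CVE or GHSA number.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "pyyaml": [("6.0", "ADV-PLACEHOLDER-001")],
}


def parse_requirements(text: str) -> List[Dict[str, str]]:
    """Parse 'name==version' lines; comments and blank lines are skipped.

    Unpinned entries are rejected: an SBOM must name exact versions,
    otherwise it cannot answer "is the shipped build affected?".
    """
    components = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency not allowed in SBOM input: {line}")
        name, version = line.split("==", 1)
        components.append({"name": name.strip().lower(), "version": version.strip()})
    return components


def build_cyclonedx_sbom(components: List[Dict[str, str]],
                         product_name: str, product_version: str) -> dict:
    """Assemble a minimal CycloneDX 1.5 JSON document for the product."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application",
                          "name": product_name, "version": product_version}
        },
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                # Package URL gives each component a stable, tool-independent identity.
                "purl": f"pkg:pypi/{c['name']}@{c['version']}",
            }
            for c in components
        ],
    }


def version_tuple(version: str) -> Tuple[int, ...]:
    """Crude dotted-version comparison key (non-numeric segments count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def find_affected(sbom: dict,
                  advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return (purl, advisory id) for every component older than the fixed version."""
    hits = []
    for comp in sbom["components"]:
        for fixed_in, advisory_id in advisories.get(comp["name"], []):
            if version_tuple(comp["version"]) < version_tuple(fixed_in):
                hits.append((comp["purl"], advisory_id))
    return hits


def sbom_report(requirements_text: str) -> Tuple[dict, List[Tuple[str, str]]]:
    """Convenience wrapper: SBOM plus the list of affected components."""
    sbom = build_cyclonedx_sbom(parse_requirements(requirements_text), "demo-product", "1.0.0")
    return sbom, find_affected(sbom, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    bom, affected = sbom_report(SAMPLE_REQUIREMENTS)
    print(json.dumps(bom, indent=2))
    for purl, advisory_id in affected:
        print(f"AFFECTED: {purl} ({advisory_id})")
```

Real projects generate SBOMs with a build-integrated tool rather than by hand, and real advisory data carries version ranges rather than a single fixed-in version; the point here is that the SBOM is only useful for the CRA reporting duties if every component is pinned and identifiable.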

3. Vulnerability management

A new reporting platform is being set up via the European cybersecurity agency ENISA. Manufacturers are obliged to report actively exploited vulnerabilities and severe security incidents there. The option to report vulnerabilities to Rhebo in encrypted form already exists.

4. Long-term support

Security does not end with the sale. Manufacturers must provide security updates and fix vulnerabilities throughout the entire product lifecycle, which is five years minimum.


What does the CRA mean for Rhebo in concrete terms?

As a provider of industrial security solutions, Rhebo falls directly under the strict guidelines of the CRA. Since the Network Intrusion Detection System (NIDS) is classified as an "important product with digital elements," the obligations go beyond a mere self-declaration.

Current steps at Rhebo:
  1. External certification: Due to the classification of the products, certification by an independent third party (a so-called Notified Body) is required. Rhebo is already ISO 27001 certified and focuses on the coming CRA requirements.
  2. Process adaptation: Vulnerability management and reporting requirements are seamlessly integrated into existing processes.
  3. Technical documentation: Artefacts from the software development life cycle (SDLC), such as threat models and SBOMs, are compiled into comprehensive technical documentation.
  4. Reference standards: Until final harmonized EU standards are available, Rhebo uses IEC 62443-4-2 as a reference for security controls.
  5. Internal empowerment: Through targeted training, Rhebo ensures that all employees understand and can implement the new requirements.


Conclusion: More than just a compulsory exercise

Although some details of the law still need to be clarified, we do not see the CRA as a bureaucratic hurdle. Obtaining the Declaration of Conformity (DoC) is a valuable opportunity for us to further improve the security of our products and services in the long term and to guarantee our customers the highest level of reliability. This also benefits the further development of Rhebo OT Security.