Strengthening Cybersecurity Standards in the EU
2024-11-25 Stefan Bamberg
Robot vacuums, of all things, are the latest IoT devices to be exploited by cyber criminals. Apparently, robot vacuums have been reported moving around people’s homes while screaming profanities through the onboard speakers. The company’s software was later found to be vulnerable to intrusion. This story comes on the heels of additional reports of vulnerabilities found in other IoT products like Internet connected garage doors, alarms, cameras, and other smart home products.
According to data from Check Point Software, cyberattacks on IoT devices have been increasing across the globe, with Europe suffering the most attacks, averaging almost 70 such attacks per organization every week. And it is not just consumer IoT products being targeted. Digital transformation in industry has introduced significant risks and vulnerabilities as well. Cyberattacks, data leaks, and security incidents increasingly threaten the integrity and operational capabilities of businesses and institutions.
In response to these and other cybersecurity events, the European Union has introduced the Cyber Resilience Act (CRA) – a regulation that fundamentally redefines cybersecurity for products with digital elements (PDEs).
The CRA aims to strengthen cybersecurity standards in the EU and will require companies to take robust measures to ensure the safety of digital products sold in Europe. Whether it's software, hardware, or cloud-based services – all companies that bring digital products to the European market or use them must prepare for extensive regulations. The Cyber Resilience Act demonstrates the European Union’s dedication to fortifying cybersecurity measures, fostering a secure digital environment for all stakeholders involved.
The Act will apply to software developers, manufacturers of embedded systems and IoT devices, and resellers of such products. Software developers will be required to ensure an appropriate level of cybersecurity and compliance with the Cyber Resilience Act. These requirements include:
- Software must be developed in a manner that guarantees a level of cybersecurity by implementing security measures and best practices throughout the software development lifecycle.
- Products must be delivered with a secure-by-default configuration and users should be able to reset the product to its original secure state, if necessary.
- Software should incorporate control mechanisms to prevent unauthorized access.
- Software should process only the data that is necessary and relevant to the intended use of the product.
- Software should be designed to protect the availability of essential functions and to minimize any negative impact on the availability of services provided by other devices or networks.
- Vulnerabilities should be addressed through security updates. Users should be notified of available updates to ensure the continued security of the software product.
When the Regulation goes into effect, software and products connected to the Internet must comply with the new standards to maintain their CE mark. By requiring manufacturers and retailers to prioritize cybersecurity, the Regulation is intended to give customers and businesses more confidence in the cybersecurity credentials of CE-marked products.
The Cyber Resilience Act is planned for adoption and enforcement between 2025 and 2027, with manufacturers required to ensure compliance for products placed on the Union market by the end of 2027. In the ensuing years, formal audits and assessments are expected to begin, particularly for businesses that manufacture or distribute digital products in the EU. Non-compliance after this point could result in penalties, including fines and restrictions on product sales.
In an increasingly connected world where cyber threats are omnipresent, companies must fundamentally rethink their cybersecurity strategy. The CRA is a turning point – it demands a shift in mindset and proactive action from all involved. As a result, companies face higher demands and the need to fully implement and document these requirements. As a company dedicated to the security of digital assets, Wibu-Systems is well positioned to help developers plan for and meet the new cybersecurity requirements. Our CodeMeter technology already offers many functions that help meet these requirements:
- Protection against tampering with software and updates
- Trustworthiness of software, updates and data
- IP protection of data (e.g. control parameters, personal data, …)
- Control of and transparency about the distribution channels of products
- Authentication and traceability of identities (persons and devices: Who are you and can I trust you?)
- Authorizations and traceability of identities (persons and devices: Which roles and rights do you have?)
For further assistance, you can download our CRA Compliance Guide or attend our upcoming webinar 9-10 December where we will help decision-makers in business, IT, and corporate management understand how the CRA affects their operations, which security measures are mandatory, and what consequences loom if these requirements are not met.
Contributor
Stefan Bamberg
Director Sales and Key Account Management
After studying computer science at the Karlsruhe Institute of Technology, he worked in traffic simulation R&D before switching over to IT project management and key account management for large ICT companies. Since 2012, he has been active in the Key Account Division of our Wibu-Systems sales force.