Cyber Resilience Act-Compliance

In an ever-changing world with increasing cyberattacks, it is essential for companies to not only respond to current threats but also take proactive measures to minimize future risks. With the introduction of the Cyber Resilience Act (CRA), new challenges and requirements for the security of digital products arise.

The CRA outlines the necessity for restoring compliance if unforeseen security risks become known (Article 10, Point 12) and specifies concrete security requirements (Annex 1, Section 1, Point 3). For these key demands of the CRA, Wibu-Systems already offers a ready-made solution with its CodeMeter technology, as security in the digital supply chain is our daily business.

The CRA calls for comprehensive protective measures to secure the integrity of all stored, transmitted, or otherwise processed data, whether it is personal data, commands, programs, or configurations. This emphasizes the high security risk posed by unauthorized manipulations. A concrete example is the manipulation of configuration data in intelligent devices, which could lead to incorrect products and processes.

Our solution, CodeMeter Protection Suite, not only offers encryption and obfuscation techniques but also comprehensive integrity checks and anti-debugging measures. These are crucial to fully protect the integrity of your software and data. For example, in the manufacturing industry, the use of AxProtector, one of the Suite modules, protects the control software of production plants from unauthorized interference, ensuring both plant safety and product quality. Additionally, security is the essential basis for the safety of such facilities.

In case of manipulation attempts, it is crucial to reliably detect and prevent the attack. AxProtector can, if necessary, stop further use of the software. These measures ensure that any changes are immediately detected and addressed, minimizing the risk of manipulations and ensuring compliance.

In line with the provisions of the Cyber Resilience Act, products with digital elements must implement adequate protective mechanisms against unauthorized access. This includes advanced authentication procedures and comprehensive identity and access management systems aimed at ensuring the security and integrity of digital products. Our CodeMeter API, which offers cryptographic operations such as symmetric and asymmetric encryption as well as digital signature procedures, enables a seamless integration into the product. The key material, securely stored in the secure hardware component of the CodeMeter license containers (CmDongles), is both confidentially stored and protected from tampering. Associated certificates are also protected from tampering to avoid spoofing attacks. CodeMeter Certificate Vault provides an advanced, standard-compliant solution for authentication using certificates stored in the Common Criteria (CC) EAL 5+ certified crypto controller embedded in our dongles. This secures your digital assets against unauthorized access and ensures that your compliance requirements are met at all times.

If personal data is processed upon delivery of the software, for example, in imported customer databases or preset user accounts, this data must be specially protected in the future. Encrypting this data with state-of-the-art algorithms is an effective measure. Our AxProtector, along with our CodeMeter API, offers suitable encryption solutions to effectively encrypt and sign data. The secret keys are stored exclusively in our secure hardware dongle to ensure maximum security.

The CRA requires manufacturers to take immediate corrective measures if products with digital elements do not meet essential requirements. Our licensing system supports you effectively in this regard. By implementing our system, you can manage software subscriptions flexibly. In case of non-compliance or end of the product lifecycle, access to the affected software can be easily restricted by not renewing the subscription license. This ensures that non-compliant software or devices are taken out of service within a defined period without the need for a complex recall process.

To be able to contact affected customers and effectively withdraw products from the market in case of an unforeseen problem, it must be known when which software version was delivered to which customers. With CodeMeter License Central, you maintain a continuous overview of your distribution, including historical data.

Our product development philosophy has always considered a high level of data minimization. Accordingly, our licensing solutions are designed to integrate seamlessly into existing systems without generating redundant data. This ensures that our products inherently support the principles of data minimization required by the CRA.

For customers currently using complex licensing systems that may not fully meet CRA requirements, our CodeMeter License Central offers an efficient solution. By centralizing data in a leading system, our customers can simplify their data management and ensure that only necessary data is processed. This not only improves the clarity and management of license data but also facilitates compliance with legal requirements for data minimization. Seamless integration into existing back-office systems of a company is possible without any problems.