The Cyber Resilience Act is a significant legislative step forward in the fight to ensure digital products and services security. At CTERA, we’ve been monitoring the progression of cyber threats and can say without hesitation that they’ve become more sophisticated than ever. The CRA could be a crucial framework heading these threats off at the pass, ensuring that prevention is so strong, that a “cure” is less necessary. But what guarantees do we have that brands will prioritize their cybersecurity in the way that the Act demands? And what can we expect from this Act in the future?
The introduction of the Cyber Resilience Act (CRA) couldn’t come at a more crucial time
We’ve witnessed first-hand the surge of digital products that not only skimp on quality but also on security. The market is awash with low-cost devices, frequently sourced from Chinese manufacturers, where the issue isn’t merely the sporadic grammatical mistakes in their English, but hints at a more profound neglect, a disregard for quality driven by the competition toward the lowest cost.
These oversights, especially in areas as critical as security, suggest deeper, invisible flaws. Take, for example, the home routers or connected cameras we use daily. They are pivotal to our personal and national security, yet their vulnerabilities make them akin to Trojan horses within our networks.
There are few incentives today for vendors that compete on price, design and features, to invest substantial resources to remove security flaws that are invisible to the consumer. Add the geopolitical situation and the risk of state actors, and you can understand that these products, with their backdoors and hidden vulnerabilities known to state actors, pose a significant risk, one we might only understand the full extent of when it’s too late.
The challenges businesses face in adhering to the CRA
The CRA does present major challenges for digital product vendors. The regulation certainly could be seen as a hurdle, increasing the cost of doing business in Europe, particularly for products classified under ‘critical’ categories. However, this inconvenience pales in comparison to the potential risks these unsecured devices pose.
For many organizations, the costs associated with CRA compliance will be significant. Investing in cybersecurity infrastructure, training, and ongoing monitoring – for those companies not already doing so – could hugely impact their bottom line. Along with this, the Act’s requirements are complex and demanding, requiring products to be shipped with no known vulnerabilities and any vulnerabilities to be reported to ENISA within 24 hours of discovery. Since technology changes so rapidly and businesses have to ship fast to deal with competitors, this may be more than many can handle.
This will affect more than the EU
The Cyber Resilience Act has far-reaching implications beyond its immediate jurisdiction. It is setting a precedent for other countries to follow, and this could lead to a more standardized global approach to cybersecurity. Multinationals then, will need to navigate cybersecurity compliance across different regions which will be costly and time-consuming – but very necessary.
Given the dynamic nature of cyber threats and of digital products, it’s reasonable to anticipate future amendments to the Cyber Resilience Act. These will likely aim to address new types of cyber threats, incorporate emerging technologies, and refine compliance processes based on feedback from stakeholders.
The CRA is a solid step in the correct digital safety direction
The CRA is a proactive measure against the backdrop of increasing cyber threats, and with its mandate for manufacturers to implement a robust security program and provide customer guarantees — such as at least five years of security updates – I believe it’s a significant step forward in establishing a barrier to the entry of dangerous products and an incentive toward make it more transparent which products are insecure.
As a person who has dedicated decades to the topic of making software more secure, I commend the initiative to enhance our digital security by increasing the accountability and responsibility of product vendors and am hopeful it will significantly improve our digital world’s safety.