November 6, 2023
In today’s world, it is increasingly challenging to stay up to date. Every day we are exposed to a flood of information, which can lead to essential information being overlooked. This is a significant problem, especially in areas such as cybersecurity, as it is crucial to know and understand current government requirements and regulations.
With this article, we aim to provide an overview of what exactly cybersecurity means and the importance of the Cyber Resilience Act.
Cybersecurity includes all technical and organizational precautions that protect systems from cyber-attacks and other threats. A central aspect of cybersecurity is data security, which aims to ensure confidentiality, integrity and availability. In contrast to data protection, it covers not only personal data but all types of data. Confidentiality means that only authorized persons can access the data. Integrity means that the data is unchanged and undamaged. Availability means that the data is accessible when needed. Establishing data security requires various technical and organizational measures, such as access controls, cryptography and redundant storage systems.
Risk assessment also plays a vital role in cybersecurity. This may include, for example, identifying vulnerabilities, assessing risks, and developing strategies to minimize cyber threats. As threats and attack methods are continuously evolving, cybersecurity is an ever-changing field. Effective implementation of cybersecurity measures is critical to protect sensitive information and systems.
To ensure this protection, the European Commission has published proposals for a regulation regarding cybersecurity requirements for products with digital elements. This regulation is called the Cyber Resilience Act.
The aim is to ensure the security of hardware and software products. This affects manufacturers and service providers within the European Union. Products manufactured outside the EU and exported to the EU may also be subject to these regulations, as they often must comply with the same standards and regulations to be allowed on the EU market. Companies have between 12 and 24 months after the law comes into force to implement the new requirements.
The security requirements for products with digital elements are extremely diverse and comprehensive. They concern the protection of these products against cyber threats and risks and include the following:
- ensuring an adequate level of cybersecurity and delivering products without known exploitable vulnerabilities;
- providing secure default configurations and the possibility of resetting the product;
- appropriate control mechanisms, such as authentication systems, to prevent unauthorized access;
- protecting the confidentiality of data through encryption and ensuring the integrity of data;
- processing only the data that is necessary (data minimization);
- ensuring the availability of essential functions and the ability to defend against overload attacks;
- minimizing the impact of the product on the services of other devices or networks, which is achieved by reducing attack surfaces, including external interfaces;
- mechanisms that reduce the impact of security incidents when they occur;
- providing security-relevant information through recording and monitoring;
- ensuring that vulnerabilities can be addressed through security updates, including automatic updates, and that users are notified of available updates.
Vulnerability handling requirements for products with digital elements include identification and documentation of vulnerabilities, immediate remediation and regular security audits. All security vulnerabilities must be reported immediately to ENISA (European Union Agency for Cybersecurity).
The European Commission’s requirements ensure that products with digital elements are adequately protected and that vulnerabilities can be dealt with more efficiently. Critical products with digital elements affected by this regulation can be divided into two classes:
Class I products include, for example:
- Software solutions for identity management systems as well as software for the efficient management of privileged access;
- Stand-alone browsers and browsers integrated into other applications;
- Products with digital components that provide Virtual Private Network (VPN) functionality;
- Network management systems;
- Network traffic monitoring systems;
- Network resource management;
- Update and patch management, including boot management;
- Physical network connections;
- Firewalls, attack detection and/or prevention systems;
- Routers, modems for Internet connectivity and switches;
- Industrial Internet of Things (IIoT).
Class II products include, for example:
- Operating systems for servers, desktop computers and mobile devices;
- Public key infrastructures and digital certificate providers;
- Firewalls, attack detection and/or prevention systems for industrial applications;
- Microprocessors designed for integration into programmable logic controllers (PLCs) and security devices;
- Smart cards, smart card readers and tokens;
- Industrial Internet of Things (IIoT) devices intended for use by essential facilities according to Annex I of Directive 2022/2555 (NIS2);
- Sensing and actuation components (sensors and actuators) for robots and robotic systems;
- Smart meters.