The European Cyber Resilience Act Explained

Photo by Christian Lue on Unsplash

What is the European Cyber Resilience Act and what is it for?

The standardization of practices within the European community is a major issue which affects, among other things, the field of cybersecurity. With the creation of ENISA, the European Union is sending a strong signal to security players in Europe and around the world: cybersecurity is an important issue that must be managed at European level, states can no longer fly solo. But, how does this concretely improve the security of the equipment that will be deployed in the field? And, how do we guarantee that the practices are the same in each state belonging to the European market ?

This is where the new European Cyber Resilience Act Proposal comes in. It is a proposal for a regulation for products with digital elements that strengthens cybersecurity rules to ensure more secure hardware and software products. Basically, most products embedding digital parts would have to pass either a self-assessment or third-party security assessment to obtain the right to bear the well-known CE mark required to be sold in Europe.

Is my product concerned ?

Cyber Resilience Act states that hardware and software products are concerned if the belongs to one of the two following classes :

CLASS I

  • Identity management systems software and privileged access management software;
  • Standalone and embedded browsers;
  • Password managers;
  • Software that searches for, removes, or quarantines malicious software;
  • Products with digital elements with the function of virtual private network (VPN);
  • Network management systems;
  • Network configuration management tools;
  • Network traffic monitoring systems;
  • Management of network resources;
  • Security information and event management (SIEM) systems;
  • Update/patch management, including boot managers;
  • Application configuration management systems;
  • Remote access/sharing software;
  • Mobile device management software;
  • Physical network interfaces;
  • Industrial Internet of Things not covered by class II.
  • Operating systems not covered by class II;
  • Firewalls, intrusion detection and/or prevention systems not covered by class II;
  • Routers, modems intended for the connection to the internet, and switches, not
  • covered by class II;
  • Microprocessors not covered by class II;
  • Microcontrollers;
  • Application specific integrated circuits (ASIC) and field-programmable gate arrays
  • (FPGA) intended for the use by essential entities;
  • Industrial Automation & Control Systems (IACS) not covered by class II, such as
  • programmable logic controllers (PLC), distributed control systems (DCS),
  • computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);

Class II

  • Operating systems for servers, desktops, and mobile devices;
  • Hypervisors and container runtime systems that support virtualised execution of
    operating systems and similar environments;
  • Public key infrastructure and digital certificate issuers;
  • Firewalls, intrusion detection and/or prevention systems intended for industrial use;
  • General purpose microprocessors;
  • Microprocessors intended for integration in programmable logic controllers and
    secure elements;
  • Routers, modems intended for the connection to the internet, and switches, intended for industrial use;
  • Hardware Security Modules (HSMs);
  • Secure cryptoprocessors;Smartcards, smartcard readers and tokens;
  • Industrial Automation & Control Systems (IACS) intended for the use by essential
    entities, such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control
    and data acquisition systems (SCADA);
  • Industrial Internet of Things devices intended for the use by essential entities
  • Robot sensing and actuator components and robot controllers;
  • Smart meters.
  • Secure elements;

Well, this is a pretty long list which actually covers most products with digital parts.

What do I have to show to get the CE mark ?

First you will have to show that your product is well designed and that cybersecurity has been taken into account from the ground. In detail, you may have to :

Second, you will have to update your processes to circumvent the cybersecurity risk by:

The exact list of requirements is far longer. However, according to the nature of your product some of them might be already tackled by other applicable normalization standards. Feel free to contact us if you have any questions.

Can I do that myself ?

In short, yes and no. If your product is a Class I product, you can do that yourself. But, in practice, we would not recommend doing this alone. In the same way, no one would recommend you to pass CEM tests yourself.

If your product is in Class II, you will have to get it certified by a third-party lab that will check the conformity of your documentation and processes and will assess the actual security of your product. The lab will perform non-invasive, semi-invasive or invasive penetrations tests according to the nature of your product. Read this blog post to have an example of what a security laboratory (or an attacker) can do to break a secure bootloader.

Conclusion

The implementation of the Cyber Resilience Act will fundamentally change the way a product must be designed, developed and manufactured as well as the rest of its life cycle until it is disposed of. Securing a product is not an easy task and you should rely on security experts to limit the risk of non-compliance with potentially dramatic consequences.

TrustnGo markets products and services which can help you to be compliant with the Cyber Resilience Act.

Leave a Reply

Your email address will not be published. Required fields are marked *