Cyber Resilience Act is legally binding

The Cyber Resilience Act (CRA) was published recently in the Official Journal of the EU. The regulation contains specifications for the cybersecurity of products with digital elements. Affected companies now have 36 months to implement the requirements contained in the CRA. Certain reporting obligations must be fulfilled within the next 21 months. Who exactly is responsible? And what does the CRA require?

EU legal act on cyber resilience: The aim of the CRA is to provide better protection from cyber attacks for consumers and businesses. The CRA contains a variety of specifications for manufacturers, importers and distributors of products with digital elements, which are capable of communicating with other products. This includes hardware and software products. In other words, products from the B2C segment such as smartphones or robotic vacuum cleaners are affected by this, as are those from the B2B segment such as controllers and sensors, as well as pure software products such as operating systems. The CRA was published in the Official Journal of the European Union on xx.xx.xxxx. As a regulation, this law applies immediately in EU member states. However, companies have 36 months in which to meet the new specifications.

The key requirements for machine manufacturers

• Risk assessment and guarantee: Manufacturers must design and develop products in such a way that an appropriate level of cybersecurity is guaranteed during the whole product lifecycle.
• Vulnerability management: The manufacturer should eliminate known vulnerabilities through free security updates, unless otherwise agreed between the manufacturer and commercial user.
• Documentation: Manufacturers must identify and document vulnerabilities and components in their products.
• Reporting obligations: Within 24 hours of becoming aware of an exploited vulnerability, the manufacturer must report it via the ENISA (European Union Agency for Cybersecurity) reporting platform.

What machine manufacturers can do now

As an expert in Safe and Secure automation, Pilz recommends that all machine manufacturers address the requirements of the CRA promptly, and work with component manufacturers and operators to develop cooperation concepts. In which network zone should a machine be operated? How should software updates be handled? If questions like these are clarified in advance, each economic operator can fulfil its new organisational and technical obligations. For decades, Pilz has been supporting machine builders and users with the Safety of their plant and machinery - including with the new requirements for Industrial Security. Because without Security, a machine with all its Safety measures is vulnerable and unprotected. Precautionary measures are a must.

2 practical tips for implementing CRA specifications

1. Always keep up to date: Subscriptions to newsletters and RSS feeds on eur-lex.europa.eu will keep you informed about legislative changes at EU level.
2. The Common Security Advisory Framework (CSAF) is a standardised, open source framework for communication and automated distribution of machine-processable vulnerability and mitigation information, so-called Security Advisories.

• Further information on the topic of Industrial Security is available here