With the increasing governmental concern about the security of IoT devices, particularly in critical national infrastructure, can you elaborate on the significance of the EU Cyber Resilience Act (CRA)?
Martin Nord: The EU CRA is a landmark piece of legislation. It has huge ramifications for society at large, for companies of different types across most industries using IoT, and of course for the end-users. It addresses the growing cybersecurity risks resulting from a combination of a higher number of malicious actors with advanced capabilities and the increased volume of IoT devices. Unfortunately, many of these devices have historically been insecure, making them prime targets for cybercriminals.
The CRA is truly significant since it puts significant responsibility on manufacturers, software developers and distributors to remedy these security challenges in order to be able to serve the European single-market. These actors need to certify that the IoT devices are 'secure by design'. Security shall be built into the device from the ground up, rather than being added as an afterthought. Moreover, this has to be documented and certified.
How does the CRA propose to enforce this 'secure by design' approach?
Martin Nord: The CRA enforces this by placing the responsibility for security on the entire IoT device supply chain, from manufacturers to distributors and importers. Once approved by the Council, non-compliance with these regulations will prevent companies from obtaining CE marks for their products, which are necessary for market access. Withdrawal and recall of products are corrective measures that may be necessary in certain cases, if the actor has information that the product does not conform. Furthermore, non-compliant companies could face several types of fines for infringements. The most severe is up to €15 million or 2.5% of global turnover, whichever is higher, for non-compliance with the essential cybersecurity requirements.
This ensures that all stakeholders engaged in the development and supply of IoT devices prioritize security measures. These parties shall implement key security features that enhance security in practice, like only launching secure products from the onset, with proper documentation. Their obligation also spans the entire lifespan of the product, with the requirement for conducting thorough analysis, sharing vulnerabilities, providing support, and delivering security updates to address any potential vulnerabilities.
What impact will this legislation have on the global IoT industry?
Martin Nord: While the CRA primarily affects the EU market, its impact extends far beyond due to the size of the market and the industry's goal of simplifying product variations. I expect that the global IoT industry will not ignore these regulations by focusing on non-EU markets. Moreover, many other countries are debating similar IoT security regulations, making the market for insecure devices smaller. The U.S., for example, is working on the Cybersecurity Improvement Act, which aligns with the CRA. There are even discussions about mutual recognition of compliance standards between the EU and the U.S. This means that if a company meets the CRA standards, it will likely comply with U.S. regulations as well, streamlining international cooperation and compliance efforts.
At the end of the day, I do believe the IoT device manufacturers also have an intrinsic interest in ensuring the highest security standards of their products. With a harmonized legislation across many industries it has now become more practical to realise this ambition, also in the more price-sensitive market segments of IoT.
What challenges do you foresee for manufacturers, importers, and distributors in meeting these new standards?
Martin Nord: The primary challenge is the timeline for compliance. Manufacturers have 36 months to comply with the new regulations, with a 21-month grace period for incident reporting. Given that the typical IoT device development lifecycle is around 18 months, companies must start adapting their processes immediately. Financial responsibility and the sheer volume of devices needing compliance will also pose significant challenges. Implementing these changes requires substantial investments in security measures and continuous updates, which can strain resources, especially for smaller companies. Still, the silver-lining for those that are already prepared or that make fast progress should be increased profits, as the market will reward those that can offer devices that already are compliant with the legislation.
How can IoT manufacturers best prepare for the implementation of the CRA?
Martin Nord: Preparation is crucial to avoid the financial penalties of non-compliance. Manufacturers should seek expert advice from the onset to navigate these regulations effectively.
First up is to identify if your products are covered by this legislation, and requirement number one is that the product is actually made available on the market. The legislation also only covers “products with digital elements” (“PDE”), defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately”. Working through the definitions and interpretations in detail may be needed to e.g. conclude on software and open-source software cases.
It is also important to note that there are some exemptions for devices, such as some spare parts intended to replace identical components. Other exemptions are in sectors currently considered to be sufficiently covered by other regulations, like medical devices, automotive vehicles, aviation products, military hardware and marine equipment. However, these may be covered in the future, so one should consider planning for how to ensure compliance regardless.
Be aware that even if the product does not fall under the CRA, other regulations may still be applicable, like the NIS2 Directive.
The implementation of the CRA is contingent upon the specific product, its classification, and its category. The full list of requirements can be found in the CRA text itself, or one can find a partner that specialises in assisting companies with this. Naturally, one needs to ensure that one covers all aspects of the regulations. It is e.g. not enough to launch a product that is tested to be without vulnerabilities if this is not documented, nor if the information is not accessible to the user.
Going beyond the minimum requirements of the CRA can also be beneficial. As cybercriminals evolve their tactics, being proactive in enhancing security measures will help companies stay ahead of regulatory changes and ensure their products remain secure and trustworthy.
As an MVNO specializing in Cellular IoT connectivity, we at Com4 also understand the importance of manufacturers considering how they ensure that the security updates reach the end-user devices. Keep in mind that it may be more pressing to have a high success rate on these now mandatory updates than on traditional over-the-air updates, like firmware (FOTA), which can be more “nice to have”.
- Coverage, data price, radio access technology all become important parameters when Wide Area Network (WAN) connectivity solutions are chosen. This should be part of the dialogue with the connectivity provider.
- It is also key to have a trusted connectivity partner in a solid financial state to avoid future unavailability of the service. Inability to update the product with security updates could lead to cumbersome and costly replacement or recall processes if such a security update is needed as corrective action to ensure compliance, e.g. due to a newly discovered vulnerability.
- I would also like to stress that IoT connectivity design is an integral part of the product design, including security aspects. Examples include SIM form factors affecting tamper-resistance (traditional plastic variants, embedded SIMs and integrated SIMs), use of fully GSMA certified solutions that more and more will be required to have access to mobile networks, as well as add-on products to secure the application communication from the device to the backend or Cloud.
- The connectivity provider may also have other monitoring tools and security controls that can improve security. Again, it is important to cover these types of topics and more with your connectivity provider, as each use case presents its own challenges.
What long-term benefits do you see arising from the CRA for both businesses and consumers?
Martin Nord: The long-term benefits of the CRA are significant. For businesses, it means creating more secure products, which can enhance their reputation and trust with customers. It also reduces the financial risk of reputation and service loss from successful attacks on their services. It also fosters a more resilient digital environment, reducing the risk of costly cyber-attacks. For consumers and citizens alike, the CRA promises greater transparency and peace of mind, knowing that the connected devices they use daily are subject to stringent security standards. This legislation represents a critical step towards a safer and more reliable IoT ecosystem, and society as a whole.
Any final thoughts on the future of IoT security in light of the CRA?
Martin Nord: The CRA is just the beginning. As the landscape of cyber threats shifts and transforms, regulations will adapt and evolve to effectively counter them. It's vital for the IoT industry to stay agile and forward-thinking, continuously improving security measures and fostering a culture of cybersecurity awareness. By doing so, we can build a more secure digital future for everyone.
For any questions or further information on how to comply with the Cyber Resilience Act, please contact Com4. Our IoT experts are ready to assist you in navigating this new regulatory landscape and ensuring your IoT devices meet the highest security standards.