Cyber Resilience Act: updates in the works
Innovations in the IT security landscape: The CRA and its impacts on the digital device market
The EU Cyber Resilience Act introduces new rules for the security of digital products, distinguishing important and critical products and establishing specific compliance processes for each category.
Recent developments signal changes to the Cyber Resilience Act (CRA), the EU regulation on cyber security focused on interconnected digital products. The goal is to minimize vulnerabilities through built-in security by design and to sustain manufacturer responsibility over the whole life cycle of a product. A core set of updated requirements addresses the integrity of hardware and software devices before they are placed on the market, while also increasing transparency for consumers and businesses.
Renewed classification and compliance processes
One of the key changes is the reworking of the product classification, which is now divided into "important products", themselves split into Class I and Class II, and "critical products". The regulatory compliance path varies depending on the category to which the product belongs. The compliance process is divided into four distinct modules, from A to H, each suited to a different context and level of criticality. Companies will comply with the legislation through the specific procedure that matches the classification of their product.
The devices involved and exemptions provided
The regulation covers several areas, with a focus on devices such as browsers, IAM systems and password managers for Class I, and technologies such as hypervisors and IDS/IPS for Class II. However, some areas remain excluded, such as non-commercial open source software, cloud services covered by the NIS Directive, and devices in sectors governed by their own specific regulations, such as civil aviation or automotive. This avoids overlap between different pieces of legislation.
Peculiarities of open source and next steps
The legislative process has focused significantly on the regulation of open source in the commercial context. The main actors in the distribution of open source software, defined as "stewards", will be subject to a proportionate regulatory regime. The need for rigorous risk assessment and careful vulnerability management is emphasised, with particular attention to micro-enterprises and start-ups. Questions regarding incident reporting and European certifications remain open and will be addressed in subsequent guidelines. Stakeholders will be required to comply within three years of the regulation's approval, with tighter timeframes for reporting critical vulnerabilities.
02/16/2024 01:30
Marco Verro