
Cyber Resilience Act: updates in the works

Innovations in the IT security landscape: The CRA and its impacts on the digital device market

The EU Cyber Resilience Act introduces new rules for the security of digital products, distinguishing important and critical products and establishing specific compliance processes for each category.


Recent developments signal changes to the Cyber Resilience Act (CRA), the EU cybersecurity regulation focused on interconnected digital products. The goal is to minimize vulnerabilities through security by design and to keep manufacturers responsible over the whole life cycle of their products. A core set of updated requirements addresses the integrity of hardware and software devices before they are placed on the market, while increasing transparency for consumers and businesses.

Renewed classification and compliance processes

One of the key changes is the reworked product classification, which now distinguishes "important products", split into Class I and Class II, from "critical products". The regulatory compliance path varies with the category a product falls into. The compliance process is divided into 4 distinct modules, from A to H, each suited to different contexts and levels of criticality. Companies will comply with the legislation through specific procedures, depending on the classification of the product.

The devices involved and exemptions provided

The regulation covers several areas, with a focus on devices such as browsers, IAM systems and password managers for Class I, and technologies such as hypervisors and IDS/IPS for Class II. Some areas remain excluded, however: non-commercial open source software, cloud services covered by the NIS Directive, and devices in sectors governed by their own regulations, such as civil aviation or automotive. This avoids overlap between different pieces of legislation.

Peculiarities of open source and next steps

The legislative process has focused significantly on the regulation of open source in the commercial context. The main actors in the distribution of open source software, defined as "stewards", will be subject to a proportionate regulatory regime. The text emphasises the need for rigorous risk assessment and careful management of vulnerabilities, with particular attention to micro-enterprises and start-ups. Questions about incident reporting and European certifications remain open and will be addressed in subsequent guidelines. Stakeholders will be required to comply within three years of the regulation's approval, with tighter timeframes for reporting critical vulnerabilities.


02/16/2024 01:30

Editorial AI
