
New obligations are meant to protect laptops, mobile applications and smart devices from online threats. The revised act holds manufacturers accountable for the cybersecurity of their products, and on the financial side manufacturers also seem to be losing out.

The Cyber Resilience Act (CRA) is a European Commission initiative proposed in 2022. Its aim is a set of rules that places more weight on the security of all products directly or indirectly connected to the internet, covering both hardware and software.

Longer support, more transparency

Recently, the Commission and Parliament came to an agreement on the content of the law. Does the European Commission indeed know how to make devices more secure?

First of all, part of the legislation covers the production side: certification criteria apply to both hardware and software, and a product that passes this process receives a CE mark. Once a product is on sale, the manufacturer must issue sufficient security updates for a period that matches the expected lifetime of the device and lasts at least five years. Finally, the law requires security incidents to be reported.

Open source will not have to comply

The content is also reassuring for the open-source community. Europe holds manufacturers responsible for making products more secure; if a manufacturer incorporates open-source code into a product, that code becomes part of the product the manufacturer is responsible for. The text makes this clear through an important provision on who must comply with the law: development that takes place outside a commercial purpose is exempt from the rules. That distinction matters because open-source developers often cannot respond to a security incident as quickly as a company acting from commercial interests.

Manufacturers may therefore continue to draw on the open-source community for software. That is common practice: “Open-source software represents more than 70 percent of the software present in products with digital elements in Europe.” This statement comes from an open letter that several open-source organizations sent to the Commission earlier this year to express their concerns. But where manufacturers could previously adopt such code wholesale without further checks, they will now be required to apply security controls to it.

Will devices become more expensive within the EU?

After agreeing on the content of the legal text, the Commission immediately started doing the math, and it presents attractive figures: it states that the EU as a whole will save 290 billion euros annually.

Manufacturers’ costs rise by 29 billion euros annually, among other things because they have to invest in fixing problems in older devices. There is little chance that manufacturers will absorb these costs themselves, so internet-connected products may carry a higher price tag inside the European Union than elsewhere. Judging from the Commission’s calculations, these extra costs will be recouped in the long term through the savings that come from making devices last longer.

Ransomware attacks are another issue the Commission hopes to address with the CRA. Just by reducing these attacks, large savings are possible: “Every 11 seconds an organization is hit by a ransomware attack, costing an estimated €20 billion annually.”

For the Commission and the Parliament, the agreement on substance indicates that the rules are considered sufficient to make products more secure. This puts the legal text on the home stretch to publication. Manufacturers get a 36-month transition period, which begins after publication.
