Violations of the Cyber Resilience Act could cost Companies the CE Mark

The CRA is about to come into force – manufacturers, importers and retailers should be creating and automating processes now

Duesseldorf, May 7^th, 2024 – In March 2024, the European Parliament adopted the Cyber Resilience Act. The final version will be published in the coming weeks, signaling the start of the transition period. “Companies should immediately assess how the requirements of the CRA will affect their own products and how they can ensure full compliance as soon as possible. This will require adjustments to their own production and development processes, which are now more tangible based on the latest iterations,” said cybersecurity expert Jan Wendenburg, managing director of ONEKEY. The Duesseldorf-based company has filed a patent application for a solution that simplifies key steps for manufacturers, importers and sellers of technology products with digital elements: the Compliance Wizard, which enables a comprehensive cybersecurity assessment of products. By combining automated vulnerability detection, CVE prioritisation and filtering with a holistic, interactive compliance questionnaire, it significantly reduces the effort and cost of cybersecurity compliance processes. The sanctions threatened by the EU for security breaches are severe – including fines for companies and fines for directors. Manufacturers, distributors and importers can also have their CE mark withdrawn: This means a sales ban on the entire EU market.

CRA Readiness Assessment

With the CRA, the principle of “security by design” becomes law: it is no longer enough to ensure that a product with digital elements is compliant only at the time it is put on the market. Instead, it will require ongoing risk assessment – and immediate remediation of security vulnerabilities. When purchasing third-party and open-source components, manufacturers must perform due diligence to ensure that the end product will not be compromised by the inclusion of these components. Until now, however, there has been a lack of information about the basic requirements of the CRA and uniform standards. This is about to change: “The EU Commission has already announced horizontal standards for key activities and safety requirements, as well as vertical standards for important and critical products – 42 in total. This – and the corresponding tools such as our Compliance Wizard – will enable companies to analyse more quickly what needs to be implemented in order to achieve compliance with the CRA,” explained Jan Wendenburg of ONEKEY. Companies that want to be on the safe side can also book a CRA Readiness Assessment from ONEKEY’s team of experts.

Documentation Requirements with SBOM

As part of the documentation requirements, manufacturers must also maintain the software bill of materials (SBOM) and generally analyse the entire supply chain for product and component security. Automation is the key to product-focused processes that do not negatively impact on retail prices. This digital document is a complete list of all software components used in a product – including hidden ones. “Manufacturers, importers and retailers should be aware that the SBOM must be kept up to date. Every patch or update requires an update of the SBOM, ideally automatically,” advised Jan Wendenburg. With the Compliance Wizard, an SBOM is automatically created and can also be automatically maintained at any time. In addition, many companies are not yet aware of what falls under the term “products with digital elements”: “Mobile devices such as laptops, smartwatches, smart home devices such as thermostats or smart electricity meters and, above all, the huge and particularly high-risk area of industrial control systems through to motor vehicles all fall under this category – in other words, everything that is connected to an IT network or the Internet,” summarised Jan Wendenburg.