Are you fully aware and familiar with the European Union Cyber Resilience Act requirements? If you said no, then you are in good company. A new survey shows fewer than one in three German companies are fully familiar with the EU Cyber Resilience Act requirements, while another 36% have at least begun to review them. Another 27% have not engaged with the topic at all. So, let’s review.
All about the Act
The CRA (Cyber Resilience Act) aims to shape Europe’s digital future, enhancing cybersecurity standards of products that contain a digital component. It will require manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products.
The regulation applies to all products connected directly or indirectly to another device or network except for specified exclusions. Products with the CE marking indicate they comply with the Cyber Resilience Act requirements.
The Cyber Resilience Act entered into force on Dec. 10, 2024. The main obligations introduced by the Act will apply beginning Dec. 11, 2027. The Cyber Resilience Act Expert Group is currently being set up, which will assist and advise on issues relevant to the act.
This builds on the 2020 EU Cybersecurity Strategy and the EU Security Union Strategy and complements other legislation in the area. Violations of the EU regulation may result in fines of up to €15 million or 2.5% of a company’s annual global turnover, whichever is greater.
All about the Roadblocks
It all sounds well and good: Manufacturers must develop secure products from the outset (security by design) and ensure CRA compliance throughout their products’ lifecycles. Additionally, manufacturers must report actively exploited vulnerabilities and serious incidents that compromise the security of their products. Cybersecurity is great, but as most manufacturers know this is easier said than done.
Certainly, there are some challenges that arise because of this act. ONEKEY recently published a study that reveals the German economy is not prioritizing the EU Cyber Resilience Act.
For the report, 300 German industrial companies were surveyed about their status and plans regarding the security of industrial control systems—OT (operational technology)—and the IoT (Internet of Things) devices, which are at the core of the EU Cybersecurity Regulation.
Only 14% of respondents have taken extensive measures to ensure compliance for their connected devices, machines, and systems. At least 38% have initiated first steps, while an equal share has yet to take any action.
But what are the biggest hurdles standing in our way? The survey points to a few key ones including:
- 37% view the requirement to report security-related incidents within 24 hours as the top challenge
- 35% cite meeting the “secure by design” and “secure by default” criteria as a big hurdle
- 29% say the creation of a software bill of materials is the greatest difficulty
- A similar share highlights ongoing software vulnerability management as a concern
Perhaps the biggest challenge here though is up until now cybersecurity has been about protecting one’s own company against attacks. This now shifts the focus and addresses the fact that we must protect products against attack. It is a broader brush and a bigger challenge for manufacturers.
I think most would agree cyber crime is a concern. In 2024 alone, cybercrime caused an estimated €178.6 billion in total damage in Germany, marking a €30.4 billion increase from the previous year. Securing our industrial control systems is the next step in protecting our products—but it won’t be an easy step. But one thing is for sure: now is the time to better understand how to protect our products.
Want to tweet about this article? Use hashtags #IoT #AI #futureofwork #digitaltransformation #cyber #cyberresilience #CRA