The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) was recently published in the Official Journal of the EU. The regulation lays down cyber security requirements for products with digital elements. Affected companies now have 36 months to implement the requirements of the CRA; certain reporting obligations apply earlier, after 21 months. Who exactly is obliged, and what does the CRA require?
EU legal act on cyber resilience: The aim of the CRA is to better protect consumers and companies from cyber attacks. To this end, the CRA places a large number of requirements on manufacturers, importers and distributors of products with digital elements, i.e. hardware and software products whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. Products from the B2C sector, such as smartphones or robot vacuum cleaners, from the B2B sector, such as controllers and sensors, and pure software products such as operating systems are therefore all affected. The regulation enters into force on the twentieth day following its publication.
The most important requirements for machine manufacturers
➢ Risk assessment and secure design: Manufacturers must design, develop and produce products on the basis of a cyber security risk assessment so that an appropriate level of cyber security is ensured throughout the entire product life cycle.
➢ Vulnerability management: Known vulnerabilities must be addressed by the manufacturer without delay through free security updates, unless otherwise agreed between the manufacturer and a business user for a tailor-made product.
➢ Documentation: Manufacturers must identify and document the vulnerabilities and components of their products, including a software bill of materials (SBOM) in a machine-readable format.
➢ Reporting obligations: Within 24 hours of becoming aware of an actively exploited vulnerability, the manufacturer must submit an early warning via the single reporting platform operated by ENISA (European Union Agency for Cybersecurity).
What machine manufacturers can do now
As an expert in safe automation, Pilz recommends that all machine manufacturers address the requirements of the CRA soon and develop concepts for cooperation together with component manufacturers and operators. In which network zone should a machine be operated? How should software updates be handled? If such questions are clarified in advance, every economic operator can fulfil their new organizational and technical obligations. Pilz has been supporting machine builders and users with the safety of their plant and machinery for decades, including with the new requirements on industrial security. Without security, a machine, including the safety measures taken, is vulnerable and unprotected, so precautionary measures must be taken here.
Two practical tips for implementing the CRA requirements
1. Stay up to date: Subscriptions to newsletters and RSS feeds on eurlex.europa.eu keep you informed about legislative changes at EU level.
2. Automate vulnerability communication: The Common Security Advisory Framework (CSAF) is a standardized, open (OASIS) framework for the communication and automated distribution of machine-processable vulnerability and mitigation information, so-called security advisories. Advisories published in this format can be matched automatically against the components installed in a machine, which supports both the manufacturer's vulnerability handling and the operator's patch planning.
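As an added illustration of what "machine-processable" means in practice (example code written for this page, not Pilz's or the CSAF project's own tooling): a constructed, minimal CSAF 2.0 advisory for a fictitious controller, embedded as a string, and a few functions that answer the questions an operator asks of such a document: which of my products are affected, and what does the vendor say I should do? The vendor, product names, product IDs, dates and the CVE placeholder are all invented.

```python
import json
from typing import Dict, List

# Constructed sample (not a real advisory): a minimal CSAF 2.0 security advisory
# for a fictitious PLC. Vendor, products, IDs, dates and the CVE placeholder
# are invented for this example.
SAMPLE_ADVISORY = r"""
{
  "document": {
    "category": "csaf_security_advisory", "csaf_version": "2.0",
    "publisher": {"category": "vendor", "name": "Example Automation GmbH",
                  "namespace": "https://example.invalid"},
    "title": "Authentication bypass in Example PLC web interface",
    "tracking": {"id": "EXAMPLE-SA-0001", "status": "final", "version": "1.0.0",
                 "initial_release_date": "2024-12-01T10:00:00Z",
                 "current_release_date": "2024-12-01T10:00:00Z",
                 "revision_history": [{"number": "1.0.0", "date": "2024-12-01T10:00:00Z",
                                       "summary": "Initial release"}]}
  },
  "product_tree": {
    "branches": [{"category": "vendor", "name": "Example Automation GmbH", "branches": [
      {"category": "product_name", "name": "Example PLC", "branches": [
        {"category": "product_version", "name": "firmware 2.1",
         "product": {"product_id": "CSAFPID-0001", "name": "Example PLC firmware 2.1"}},
        {"category": "product_version", "name": "firmware 2.2",
         "product": {"product_id": "CSAFPID-0002", "name": "Example PLC firmware 2.2"}}
      ]}
    ]}]
  },
  "vulnerabilities": [{
    "cve": "CVE-0000-0000",
    "title": "Authentication bypass on the web interface",
    "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
    "remediations": [
      {"category": "vendor_fix", "details": "Update to firmware 2.2.",
       "product_ids": ["CSAFPID-0001"]},
      {"category": "mitigation", "product_ids": ["CSAFPID-0001"],
       "details": "Allow access to the web interface only from the engineering network zone."}
    ]
  }]
}
"""

# product_status labels that mean "the operator still has to act on this product"
ACTIONABLE = {"known_affected", "under_investigation"}


def load_advisory(text: str) -> dict:
    """Parse a CSAF document and reject anything this tooling cannot interpret."""
    doc = json.loads(text)
    for key in ("document", "product_tree", "vulnerabilities"):
        if key not in doc:
            raise ValueError(f"missing top-level CSAF object '{key}'")
    if doc["document"].get("csaf_version") != "2.0":
        raise ValueError("only CSAF 2.0 documents are supported here")
    return doc


def product_names(tree: dict) -> Dict[str, str]:
    """Map product_id -> readable name from both full_product_names and the branch tree."""
    names = {p["product_id"]: p["name"] for p in tree.get("full_product_names", [])}

    def walk(branches: List[dict]) -> None:
        for branch in branches:
            if "product" in branch:
                names[branch["product"]["product_id"]] = branch["product"]["name"]
            walk(branch.get("branches", []))  # branches nest vendor > product > version

    walk(tree.get("branches", []))
    return names


def status_of(doc: dict, product_id: str) -> List[dict]:
    """Every vulnerability that mentions this product, with its statuses and remediations."""
    findings = []
    for vuln in doc["vulnerabilities"]:
        statuses = sorted(s for s, ids in vuln.get("product_status", {}).items()
                          if product_id in ids)
        if not statuses:
            continue  # this vulnerability says nothing about the product
        remediations = [r for r in vuln.get("remediations", [])
                        if product_id in r.get("product_ids", [])]
        findings.append({"cve": vuln.get("cve"), "title": vuln.get("title"),
                         "statuses": statuses, "remediations": remediations})
    return findings


def needs_action(doc: dict) -> List[str]:
    """Product IDs that are affected or under investigation in any vulnerability."""
    ids = set()
    for vuln in doc["vulnerabilities"]:
        for status, product_ids in vuln.get("product_status", {}).items():
            if status in ACTIONABLE:
                ids.update(product_ids)
    return sorted(ids)


if __name__ == "__main__":
    advisory = load_advisory(SAMPLE_ADVISORY)
    names = product_names(advisory["product_tree"])
    for pid in needs_action(advisory):
        for finding in status_of(advisory, pid):
            print(f"{names[pid]}: {finding['cve']} {finding['statuses']}")
            for rem in finding["remediations"]:
                print(f"  {rem['category']}: {rem['details']}")
```

In a real deployment the advisory would not be embedded: a CSAF provider publishes its documents under a well-known metadata file (provider-metadata.json) with feeds, hashes and OpenPGP signatures, and the consumer verifies the signature before trusting the product status. The matching step shown here is the same; only the input changes.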
Web:
www.pilz.com