New EU legislation aims to tame the wild west of IoT products

The EU Cyber Resilience Act (CRA) is a legislative proposal introduced by the European Union to enhance the cyber resilience of critical entities across member states. 

However, achieving a unified framework across all European Union member states requires significant coordination and alignment of cybersecurity practices, which may be challenging given each country's diverse legal and regulatory landscapes. And what's in it for the product manufacturers?

The EU has long been a grey liability zone for IoT hardware and software products. Products are often shipped without adequate security and not maintained as new vulnerabilities come to light. As a result, just one compromised product could lead to havoc on supply chains across the EU bloc. As one example, the Mirai malware exploits security gaps in IoT devices and can launch massive attacks by effectively turning them into botnets.

The Cyber Resilience Act legislation proposes significant changes to improve cybersecurity and enhance resilience in the face of evolving threats, like the GDPR for IoT devices. As a complement to the already in effect Directive on the Security of Network and Information Systems (NIS2) and  EU Cybersecurity Act (EU CSA), it will emphasize establishing a unified framework for cyber resilience across the European Union, promoting consistency and coherence in cybersecurity practices. This framework includes measures to enhance risk management, incident response, and information sharing among organizations and individuals.

The European Commission has outlined the two main goals of the CRA while it goes through refining:
- Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product's life cycle; and
- Create conditions allowing users to consider cybersecurity when selecting and using products with digital elements.

Its successful application will require a gradual and well-defined approach considering the realities of constantly evolving security threats and the interconnectedness of global ICT supply chains and systems. Harmonizing these practices while respecting national sovereignty and existing cybersecurity frameworks will be very challenging. Furthermore, uniformly implementing and enforcing the legislation across the EU will require adequate resources, expertise, and technical capabilities, which may vary across member states.

Cyber threats constantly evolve, and determined attackers always look for new ways to exploit vulnerabilities. They will be keeping an eye on any compliance gaps that can be leveraged. Continuous vigilance, regular updates to security measures, and ongoing collaboration will be necessary to mitigate residual risks effectively.

Once the CRA comes into effect, product manufacturers will need to be convinced that compliance will be to their benefit and not just a necessary means of avoiding what could be a hefty financial wrap on the knuckles. Until now, product manufacturers have had little motivation to prioritize secure product design and development or offer consistent security updates.

This likely stems from factors like the perceived imbalance between cost and return on investment and whether sacrificing innovation and competitiveness for additional security measures holds any value. Nevertheless, the advantages of enhanced product security, including preventing conflicting security demands, establishing trust among users, and increasing market adoption, will ultimately outweigh the compliance costs for businesses. Additionally, it will reduce the number of incidents, expenses related to incident handling, and company reputational damage.

The primary objective of the CRA is to encompass the entire lifespan of digital products, so manufacturers will have to ensure that a comprehensive set of cybersecurity requirements and standardized regulations are considered during all stages, which include:
- Design
- Delivery
- Product use
- Maintenance
- Decommissioning and disposal

ECSO - European Cyber Security Organisation, a lobbying body in the cyber security field, have written and refined a position paper on the CRA with their member companies - including WithSecure - on the CRA and has been presenting it in the EU parliament. It is aimed that the comments and suggested amendments to the original CRA draft will push it in the direction of providing more legal certainty and less red tape to companies. 

The suggested changes to the legislation touch upon the following:
- Products' life cycle and how long technical security support can be reasonably expected
- Reporting obligations and to who incidents are reported
- Known vulnerabilities in a product and whether or not they can be sold in the internal market if the manufacturer considers the risk very low or can be fixed later with a security update
- What is classed as a critical product and needs, for example, third-party assessment for classification?

The European Parliament and the Council are currently working on the Cyber Resilience Act draft. It's expected to come into force in 2025, from which Member States (and their manufacturers) will have two years to adapt to the new mandatory requirements. In addition, the Commission will regularly review the Cyber Resilience Act and report on its functioning.

This hopefully means that companies will take a stance and try to do the right thing – beyond forced compliance - through more transparency, secure defaults and network interaction options. In addition, we will hopefully see the introduction and embracing of hardware and software frameworks that provide transparency and secure defaults for IoT vendors to use and embrace without the burden falling on consumers to be better informed. Time will tell.