Cyber Resilience
Risk Management
Vulnerability Management

Nexus Podcast Episode 100: Sarah Fluchs on the Cyber Resilience Act

Michael Mimoso / Jun 18, 2025


The EU Cyber Resilience Act (CRA) has put manufacturers of B2B and B2C products with digital elements on notice: they have until December 2027 to comply, and from that date forward, only products with a “CE Mark” may be sold in the EU. The mark certifies a level of cybersecurity resilience within the product where risks have been assessed, secure development practices have been followed, and a security roadmap has been developed for the lifecycle of a product. 

The act includes a number of essential requirements that aren’t going away and should be the North Star for manufacturers in their compliance efforts. The requirements are centered around incident prevention through secure-by-design and secure-by-default (out of the box) principles, incident readiness and resilience, and incident and vulnerability handling. 

In this episode of the Nexus Podcast—No. 100!—Sarah Fluchs joins to discuss her work as a Type-A member of the EU Commission's Cyber Resilience Act Expert Group, the ongoing progress—and challenges—around the CRA, and her passion for bringing cybersecurity principles to engineers and other non-security technologists.

CRA Non-Compliance Threatens Revenue Streams

Fluchs points out that the CRA veers away from other cybersecurity regulations governing critical infrastructure, where non-compliance may—or may not—result in a fine, for example. 

“For the Cyber Resilience Act, that's really a difference because manufacturers feel, and that's why they are starting to get very nervous about it, that this could really be revenue-stream disrupting,” Fluchs said. “Because if you don't comply, you're simply not allowed to place your product on the market anymore in the European Union. And that's, I think, what makes it so big.”

As compliance efforts ramp up, Fluchs said some manufacturers are concerned about vague language within the regulation and how it may impede what they’re trying to accomplish.

“It's adding to the insecurity of manufacturers because they say, ‘Okay, there's so many uncertainties and things that are yet to be defined. How do we even start?’ In their minds, there's this big elephant of the CRA with many requirements for some things [that] they don't even know exactly what to do. So that obviously is a challenge,” Fluchs said.

She adds that companies may have to alter strategic product decisions in order to comply with the CRA.

“It's not like you just decide today that you want to be more secure and tomorrow your product is more secure. It takes time until you have changed processes and features and you need to make strategic product decisions about what you are going to sell after 2027,” Fluchs said. “That's why manufacturers know that they need to act now and they are nervous because there are these uncertainties and they feel they can't really act.”

Bringing Cybersecurity to Engineers

With the secure-by-design and secure-by-default requirements of the CRA, Fluchs’ work on bringing cybersecurity to engineers and other non-security teams takes on heightened importance. At this year’s S4 Conference, Fluchs presented a concept called Cyber Decisions Diagrams, below, which break down cybersecurity concepts into a simplified visual representation. Engineers, she said, must be able to bring their knowledge of industrial and other processes to risk assessments, for example. They can communicate the consequences of a faulty configuration, or of the failure of a process or system due to a software or firmware vulnerability.

“I think the reason why I've worked so much on this is because one group, one large group of non-cyber security experts is engineers. In OT cybersecurity, you always need to work with engineers because they have all the knowledge that you need in order to do good risk assessments,” Fluchs said. “And I don't think we've done a good enough job in getting their knowledge in there so far. And that's why we've worked on that so much. And the approach we've come up with is a pretty visual approach.”

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
