REGULATION (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements, hereafter called the Cyber Resilience Act (CRA), was adopted in October 2024 and published in the Official Journal of the EU in November 2024. The regulation applies in full from 11 December 2027, with some of its parts becoming applicable earlier: the provisions on the notification of conformity assessment bodies apply from 11 June 2026, and the manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from 11 September 2026.
The CRA lays down
rules for the making available on the market of products with digital elements to ensure the cybersecurity of such products;
essential cybersecurity requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products with respect to cybersecurity;
essential cybersecurity requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the time the products are expected to be in use, and obligations for economic operators in relation to those processes;
rules on market surveillance, including monitoring, and enforcement of the rules and requirements referred to above.
The first and most important question that needs to be clarified is: “What is a product with digital elements?”
The regulation defines a ‘product with digital elements’ as a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.
This is a very broad definition, and the products it covers could include:
Hardware products: laptops, smartphones, sensors and cameras, smart robots, smart cards, smart meters, mobile devices, internet-connected toys, personal wearable devices, and network devices such as routers, switches and firewalls.
Embedded software (shipped with hardware products): firmware or other software essential to the end product's function, such as operating systems, networking stacks, and storage and security management software.
Software products: software provided standalone, such as browsers, anti-malware software that searches for, removes or quarantines malicious software, security information and event management (SIEM) systems, and others.
The Cyber Resilience Act is the first ever EU-wide legislation of its kind[1]. As shown above it introduces common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software.
Moreover, the CRA classifies products into a default category and the more sensitive categories of "important" (class I and class II) and "critical" products, and it ties the applicable conformity assessment procedure to that classification. The assessment covers both the essential cybersecurity requirements for the design, development and production of the product and the essential requirements for the vulnerability handling processes that manufacturers must maintain for as long as the product is expected to be in use.
Depending on the classification, a manufacturer may self-assess the product and issue an EU declaration of conformity, may be required to involve a notified body in a third-party conformity assessment, or, for critical products where a European cybersecurity certification scheme has been made mandatory, must obtain the relevant certificate before placing the product on the market.
Based on the European Commission's (currently) open consultation on the technical description of important and critical products with digital elements[2], products in the critical category may include hardware devices with security boxes, smart meter gateways within smart metering systems, and smartcards or similar devices, including secure elements.
It should be noted that many of the essential cybersecurity requirements imposed on these products concern the development process itself and the security controls built into the product.
Some indicative requirements (from Annex I, Part I of the regulation) are:
Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.
On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall:
be made available on the market with a secure by default configuration, unless otherwise agreed between the manufacturer and the business user about a tailor-made product with digital elements, including the possibility to reset the product to its original state;
ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;
be designed, developed and produced to limit attack surfaces, including external interfaces;
be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
provide security-related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user.
The CONSOLE automated platform is being developed as a comprehensive solution to enhance cybersecurity in software development. By addressing vulnerabilities throughout the software development lifecycle, CONSOLE aims to offer a scalable and secure answer to modern cybersecurity challenges. Its approach combines current technology with training and market strategies, with the goal of a safer software development ecosystem for organisations and users alike.
[1] https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_5375