Negotiators working on the European Union's Cyber Resilience Act (CRA), the first EU-wide security law for internet-connected products, have reached a provisional agreement on the contested legislation. The CRA is intended to raise the security baseline for Internet of Things (IoT) devices, from smartphones to household appliances. Stakeholders have raised concerns throughout the process, but the exact text of the agreement has not been published at this provisional stage.

Weak manufacturing and design practices have left many IoT products insecure, and an insecure device puts the home or business network it joins at risk. In one well-documented case reported by Darktrace, attackers used an internet-connected temperature sensor in a fish tank as a foothold to reach a casino's internal network. Incidents of this kind are the reason regulators see a need for comprehensive rules.

Bart Groothuis, who leads the CRA negotiations on behalf of the European Parliament, has expressed unease about some provisions of the legislation, in particular the requirement for a "conformity assessment" for any product containing a microprocessor. Under that requirement, a product would need third-party certification before it could be placed on the market, which could raise production costs and delay product launches.

While the specifics of the provisional agreement are not public, a reliable source indicates that the text now includes support measures for small and micro enterprises going through conformity assessment. It also sets out a simpler methodology for classifying digital products, giving the EU a more nuanced approach to which products fall into which risk category.

The Commission's initial proposal sought to prohibit companies from selling products with known exploitable vulnerabilities and to require them to report actively exploited vulnerabilities and significant incidents to ENISA, the EU's cybersecurity agency. Groothuis, however, warned that this would turn ENISA into a repository of critical, often unpatched vulnerabilities, a concentration of sensitive information that would itself pose a risk to internet safety and security if compromised.

Under the CRA, non-compliance with the vulnerability reporting obligations can result in substantial fines, of up to €15 million or 2.5% of global annual turnover. The Council of the EU, in its revised version, departed from the central role the proposal had given ENISA and instead called for manufacturers to report vulnerabilities to their national Computer Security Incident Response Teams (CSIRTs).

Although the Council's approach prevailed, it is not yet clear how the compromise addresses the concern about ENISA accumulating vulnerability information. Under the agreed arrangement, manufacturers report to their national CSIRTs, which in turn upload the reports to a platform operated by ENISA. The provisional agreement also provides for exceptions to the onward sharing of a vulnerability in cases where sharing it could put security at risk.

ENISA, which is already tasked with establishing an EU vulnerability database, will be responsible for maintaining and securing the platform. The reporting platform is designed to connect the electronic notification endpoints of the various national incident response teams, with its overall design and security overseen by the EU's CSIRTs Network.

The provisional agreement sets a transition period of three years after the regulation enters into force before these obligations apply, giving manufacturers time to adapt. The text of the agreement has not been published; an unofficial version is expected in December, with formal adoption slated for next spring, which would put the start of the reporting obligations in 2027.
