Drives & Controls Magazine March 2026

SAFETY AND SECURITY

EU's Cyber Resilience Act could affect you from June

The EU's Cyber Resilience Act will have its first direct regulatory impact in June. Manufacturers of digital devices, machines and systems with Internet connections will have to comply with new reporting and security obligations. Jan Wendenburg, managing director of the German cybersecurity specialist Onekey, explains why manufacturers need to act quickly.

The Cyber Resilience Act (CRA) officially came into force on 10 December 2024, setting out a timeline for affected companies. From 11 September 2026, manufacturers will have to report exploited vulnerabilities as well as serious security incidents. Under the regulation, they must notify the relevant authorities of security vulnerabilities and security-related incidents as soon as they become aware of them, and within strict time limits. To support this process, the EU Agency for Cybersecurity (ENISA) is establishing a centralised platform through which all CRA reports must be submitted.

The CRA's comprehensive requirements – including security by design, lifecycle management, and CE marking under CRA conformity assessment – will apply in full from 11 December 2027. From 11 June 2026, conformity assessment bodies (CABs) will start to check product conformity. These CABs are accredited, independent testing laboratories that enable manufacturers to obtain external CRA conformity certification. Manufacturers need to have their internal processes, documentation, technical evidence and safety requirements in place by then so that a CAB can test their products.

External conformity assessment is mandatory for products with a high safety risk – classified by the CRA as “critical” and “highly critical” – such as critical infrastructure components, IoT devices with high damage potential, and industrial control systems. However, a self-declaration is sufficient for around 90% of all networked products. This is a declaration by the manufacturer that the digital product meets the CRA's requirements and is being placed on the market legally. The declaration must include a detailed conformity assessment. (One way to do this is to use Onekey's platform, which analyses device firmware for security vulnerabilities and CRA compliance.) From 11 December 2027 onwards, products without such a declaration can no longer be sold in the EU.

Time to act

It's time for manufacturers to subject their networked devices, machines and systems to a CRA conformity assessment. Gaps can emerge, and many of them are difficult to resolve. Manufacturers should be prepared to invest the necessary time, money and personnel to meet the legal requirements imposed on them. For example, there could be vulnerabilities in programs from partners outside the EU with little understanding of CRA compliance, or in purchased components with incomplete documentation and open-source software.

The first step for manufacturers is to create a software bill of materials (SBOM) for each networked product. This can be challenging. The aim of an SBOM is to identify software components that may contain vulnerabilities that could be exploited by attackers, so that they can be addressed quickly. To this end, the CRA requires a comprehensive inventory of all software elements, including programs, libraries, frameworks and dependencies, along with their version numbers. Manufacturers must also document licensing information, authorship, and any known vulnerabilities or security gaps associated with each component.

Many manufacturers will struggle to meet these requirements because they are not receiving sufficient or reliable information from their suppliers. Many SBOMs are incomplete, outdated, or lack the necessary context around vulnerabilities. Such SBOMs will fail to meet the mandatory documentation standards under EU regulations and offer little practical value for compliance or security purposes.

CRA requirements extend well beyond providing accurate SBOMs. Manufacturers must implement security measures during the design and development phases of their products. These requirements include secure software and hardware designs, clear vulnerability management guidelines, end-to-end risk management, and mandatory security updates throughout defined product lifecycles. These measures need to be implemented, evaluated, documented and verified.

The first implementation phase of the CRA is undoubtedly a milestone for digital security in Europe – but it will also require considerable effort from manufacturers.
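The SBOM inventory described above, as an added illustration that is not part of the article or of Onekey's product: a small Python check that reads a constructed SBOM in a simplified CycloneDX-style JSON layout (the field names are an assumption) and reports which components lack the version, licence or supplier/author data the CRA inventory calls for, and which components are referenced by a vulnerability entry.

```python
import json

# Constructed sample SBOM (not from the article) in a simplified CycloneDX-style
# JSON layout; the field names are an assumption used for illustration only.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"bom-ref": "c1", "name": "openssl", "version": "3.0.7",
         "supplier": {"name": "OpenSSL Project"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "c2", "name": "zlib",                      # no version, no licence
         "supplier": {"name": "zlib contributors"}},
        {"bom-ref": "c3", "name": "vendorlib", "version": "1.2",
         "licenses": [{"license": {"name": "Proprietary"}}]},  # no supplier or author
    ],
    # Placeholder vulnerability id for the example, not a real advisory.
    "vulnerabilities": [{"id": "EXAMPLE-0001", "affects": [{"ref": "c1"}]}],
})


def audit_sbom(sbom_json: str) -> dict:
    """Check each component for the inventory data the article lists (version,
    licence, authorship/supplier) and attach any vulnerability entries that
    reference it. Returns {component name: {"gaps": [...], "vulns": [...]}}."""
    sbom = json.loads(sbom_json)
    # Map each bom-ref to the ids of the vulnerability entries that affect it.
    vulns_by_ref = {}
    for vuln in sbom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            vulns_by_ref.setdefault(target.get("ref"), []).append(vuln.get("id"))
    report = {}
    for comp in sbom.get("components", []):
        gaps = []
        if not comp.get("version"):
            gaps.append("missing version")
        if not comp.get("licenses"):
            gaps.append("missing licence information")
        if not (comp.get("supplier") or comp.get("author") or comp.get("authors")):
            gaps.append("missing supplier/author")
        report[comp.get("name", "<unnamed>")] = {
            "gaps": gaps, "vulns": vulns_by_ref.get(comp.get("bom-ref"), [])}
    return report


def sbom_is_complete(report: dict) -> bool:
    """True only when every component carries all of the required inventory data."""
    return all(not entry["gaps"] for entry in report.values())


if __name__ == "__main__":
    for name, entry in audit_sbom(SAMPLE_SBOM).items():
        print(f"{name}: {entry}")
```

Running it on the constructed SBOM flags zlib (no version, no licence) and vendorlib (no supplier or author), and shows openssl carrying the placeholder vulnerability reference.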
