The Cyber Resilience Act (CRA) is on its way. It is a European regulation on the cybersecurity of products with digital elements. In contrast to NIS2, which addresses the operators of essential and important entities such as critical infrastructure, the CRA starts with the manufacturers of products. One focus is to anchor the idea of "security by design" firmly in the development process and the product life cycle: security requirements are considered from the outset and the product is continuously analyzed so that it remains secure throughout its entire life cycle. Cybersecurity becomes an integral part of future products, covering both hardware and software, with security measures that correspond to the current state of the art. In this way, users are better protected against potential threats.
Cybersecurity measures appropriate to the current threat situation must be taken during the design, development, and production of a product and during its use by customers. The CRA makes manufacturers responsible for cybersecurity over the life cycle of the product, which goes well beyond the previous market surveillance obligations. This includes vulnerability handling processes, security support, and reporting obligations. Actively exploited vulnerabilities and severe incidents affecting the product must be reported to the competent authorities on a short timeline (an early warning within 24 hours of becoming aware of the issue, a notification within 72 hours, and a final report within 14 days). The support period is defined by the manufacturer, but the CRA requires at least five years unless the expected useful life of the product is shorter, and the period must be justified by indicators such as user expectations, product type, intended use, alignment with other regulations, the support periods of comparable products, and the support periods of central integrated components.
The CRA stipulates the premise of "security by design" for products with digital elements. Security measures must be taken into account during the development of the product, and a cybersecurity risk assessment of the product must be carried out and documented. Depending on the type of product, some requirements may not apply in full, but every detailed requirement must be examined and checked for feasibility. If the product cannot fulfill a requirement due to its nature, this must be justified and documented in the technical documentation. The following selected requirements must be checked and, if the nature of the product permits, fulfilled:
Security support for a product is another component of the CRA. Security updates must be provided for the product over a defined support period in order to close vulnerabilities and protect the product appropriately against current threats. Selected security support requirements are listed below:
The Cyber Resilience Act assigns products to different classification levels. Which products fall into which classification can be found in Annex III and IIIa of the CRA (in the adopted text, Regulation (EU) 2024/2847, these are Annex III for important products and Annex IV for critical products). Based on the classification, the appropriate conformity assessment procedure must be followed. The large majority of products are not listed in either annex and may be self-assessed by the manufacturer. Products listed in Annex III are "important products" and are divided into Class I and Class II: Class I products, which in simplified terms are either cyber-critical or network-critical, may still be self-assessed if the manufacturer applies harmonised standards in full, otherwise a third-party assessment is required; Class II products, which carry a higher risk, always require a third-party conformity assessment. In addition to these two classes, there are the "critical products" of Annex IIIa (Annex IV in the adopted text), for which a European cybersecurity certificate is required where a suitable certification scheme exists.
In summary, the CRA requires security to be integrated into the entire life cycle of a product, makes cybersecurity an indispensable property of products placed on the EU market, and protects users from potential security threats. These are essential steps for mastering the challenges of the digital world and shaping a secure future.
KiviCore offers consulting on security concepts for system-on-chip, computing, and communication applications and can provide customized security subsystems for FPGAs and ASICs, consisting of hardware and software, for integration into customer products. Pure software solutions for microcontrollers can also be designed and provided. Examples include secure boot, root of trust, secure life-cycle management, authentication, integrity checks, and encryption of data transmissions.