The EU Commission’s Cyber Resilience Act (CRA) is intended to close the digital fragmentation problem surrounding devices and systems with network connections – from printers and routers to smart household appliances and industrial control systems. Industrial networks and critical infrastructures require special protection.
According to the European Union, there is currently a ransomware attack every eleven seconds. In the last few weeks alone, among others, a leading German children’s food manufacturer and a global Tier1 automotive supplier, headquartered in Germany, were hit, with the latter becoming the victim of a massive ransomware attack. Such an attack even led to insolvency at the German manufacturer Prophete in January 2023. To press manufacturers, distributors and importers into action, they face significant penalties if security vulnerabilities in devices are discovered and not properly reported and closed.
“The pressure on the industry – manufacturers, distributors and importers – is growing immensely. The EU will implement this regulation without compromise, even though there are still some work packages to be done, for example regarding local country authorities,” says Jan Wendenburg, CEO, ONEKEY.
Fines of 15 million Euros – or 2.5 percent of annual revenues
The financial fines for affected manufacturers and distributors are therefore severe: up to 15 million euros or 2.5 percent of global annual revenues in the past fiscal year – the larger number counts. “This makes it absolutely clear: there will be substantial penalties on manufacturers if the requirements are not implemented,” Wendenburg continues.
Manufacturers, distributors and importers are required to notify ENISA – the European Union’s cybersecurity agency – within 24 hours if a security vulnerability in one of their products is exploited. Exceeding the notification deadlines is already subject to sanctions.
Manufacturers need to act now on cyber resilience readiness
The Commission’s proposal allows the new requirements to be in force 24 months after the regulation takes effect. Individual elements, such as the obligation to report security incidents, should already apply after 12 months.
“The time horizon is tight, considering that orders for IT products are already being placed with OEM manufacturers this year for the next 12-18 months. Therefore, the timing situation needs to be considered and resolved now, before a product ends up not being launched or delayed due to defects,” explains Wendenburg.