A new publication from the European Union Agency for Cybersecurity (ENISA) provides more clarity on basic cybersecurity requirements and the standards that can be applied under the Cyber Resilience Act. “The new paper provides insights into the standardization process under the Cyber Resilience Act for the first time. ENISA provides a helpful overview of the proposed requirements and their implementation in harmonized standards,” explains Felix Brombach, cybersecurity expert at TÜV Rheinland.
“Security by design” required
The background to this is the Cyber Resilience Act (CRA), which the EU Parliament passed in March 2024. The aim of the CRA is to improve the cybersecurity of products that can be connected to each other or to the internet. This applies to products for end consumers as well as products that companies use in their production, for example. The CRA incorporates the principle of “security by design” into European technology law for the first time. In the future, it will no longer be sufficient to ensure CRA compliance for a product with digital elements only at the time of market entry; an ongoing assessment of the risk will be necessary.
The Cyber Resilience Act is relevant for all companies that manufacture such products or use them in their production. Until now, however, companies have lacked a lot of information on the basic requirements of the CRA in order to prepare for it today. “The paper and the ‘guard rails’ described in it now make it possible to analyze whether your own digitally networked products are likely to already meet the standards required by the CRA. The first possible adjustments to your own production and development processes are now also becoming tangible,” says cybersecurity expert Brombach.
Recognizing gaps in good time
According to the cybersecurity experts at TÜV Rheinland, companies should address the internationally recognized standards set out in the paper as soon as possible and secure their products accordingly. “Companies can already achieve a level of security today that corresponds to the CRA – or identify gaps in good time,” continues Brombach. The CRA is due to come into force within 24 months of its adoption by the European Council. As the CRA is a regulation, it applies directly in all European member states; a national transposition act is not required.
The ENISA paper can be found at: Cyber Resilience Act Requirements Standards Mapping – ENISA.
Safety and quality in almost all areas of business and life: That’s what TÜV Rheinland stands for. The company has been active for more than 150 years and is one of the world’s leading testing service providers. TÜV Rheinland has more than 22,000 employees in over 50 countries and generates annual sales of more than 2.4 billion euros. TÜV Rheinland’s highly qualified experts test technical systems and products around the globe, accompany innovations in technology and business, train people in numerous professions and certify management systems according to international standards. In this way, the independent experts ensure trust along global flows of goods and value chains. Since 2006, TÜV Rheinland has been a member of the United Nations Global Compact for more sustainability and against corruption. Website: www.tuv.com
TÜV Rheinland
Am Grauen Stein
51105 Köln
Telephone: +49 (221) 806-2148
http://www.tuv.com
Senior Communication Manager
Telephone: +49 (0) 221 806-5210
E-mail: Alexander.Schneider@de.tuv.com