
FAQ

A collection of frequently asked questions on the Cyber Resilience Act and cyber resilience in general.

The Cyber Resilience Act is a regulation proposed by the European Commission that aims to improve the cybersecurity of IoT devices used in the European Single Market.

Once adopted, this legislation will impose mandatory cybersecurity requirements on both manufacturers and developers of IoT products, in order to ensure their products' cyber resilience throughout their lifespan. It will also give users more control by requiring manufacturers to provide them with free, automatic security updates and with information about security risks.

The CRA has not yet been passed, though we expect it to be signed into law in Q2 or Q3 2024.

Once the Act is signed, it will be published in the Official Journal of the European Union and enters into force on the twentieth day after publication.

From entry into force, it will be another 21 months before the reporting obligations (notification of actively exploited vulnerabilities and severe incidents) become enforceable, and a further 15 months after that before the technical requirements also become enforceable (i.e. 36 months following the entry into force of the Act).

One common approach is to use a software composition analysis (SCA) tool. An SCA tool scans the build or the shipped artefact and generates an SBOM that lists every software component in the product, along with its name, version and supplier, in a machine-readable format such as CycloneDX or SPDX.

Another approach is to collect the information about the product's software components manually, by reviewing its source code, installation files and documentation. This is time-consuming, and a manually collected SBOM tends to drift out of date as dependencies change, so it needs to be regenerated with every release.

Cyber resilience is the ability of an individual or organization to withstand, recover from, and adapt to cyber attacks. It brings several benefits: protecting data and systems from unauthorized access or manipulation, reducing financial losses and reputational damage, and increasing customer trust and satisfaction.

Cyber resilience is built on five pillars, which correspond to the five core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover). By implementing them, organizations can strengthen their cyber resilience:

  1. Identification: Understanding the organization's assets, as well as the threats and vulnerabilities that affect them.
  2. Protection: Implementing security controls that limit the likelihood and impact of an attack.
  3. Detection: Continuously monitoring systems and networks for signs of attacks.
  4. Response: Having a plan for responding to cyberattacks, such as isolating affected systems, containing the damage, and restoring operations.
  5. Recovery: Having a plan for recovering from cyberattacks, such as restoring data, rebuilding systems, and compensating for losses.

ACHIEVING COMPLIANCE

I am an IoT device manufacturer

IoT device manufacturers are first in line when it comes to compliance.

Read our practical guides on what you have to do, how much time you have to comply and what the legal ramifications of non-compliance are.

I am a software company

Free and open-source software that is not supplied in the course of a commercial activity does not, for now, fall under the purview of the Cyber Resilience Act. Commercial software, including the remote data processing solutions that form part of a product, will need to comply with the Act.

Read our practical guides to understand what you need to do.

I import / distribute / resell

IoT device importers, distributors and resellers have many requirements under the CRA, and in some circumstances (for example, placing a product on the market under their own name or trademark, or substantially modifying it) are treated as manufacturers themselves.

Our guides detail these stakeholders’ responsibilities and liabilities.