The Joint Research Centre (JRC) and the European Union Agency for Cybersecurity (ENISA) have just published a thorough analysis of the different cybersecurity standards relevant to the upcoming Cyber Resilience Act. The Cyber Resilience Act (CRA) is an EU regulation aimed at enhancing cybersecurity and cyber resilience in the EU by establishing common cybersecurity standards for products with digital elements sold in the EU. Presently, compliance with cybersecurity standards is voluntary. There is a wide variety of standards, and companies predominantly adhere to ISO 27001, an international standard for managing information security, originally published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005. The CRA aims to harmonize these various cybersecurity standards; the goal is to compel all manufacturers of any internet-connected product to keep it up to date with the latest patches and security updates, with penalties in place for any shortcomings.
The open source community has been vocal about its concern over the CRA. Open source components are developed by programmers in their spare time and at their own expense, free of charge, and it is estimated that around 70% of software today consists of such components. The community worries that the act will create a chilling effect, as the penalties can be up to €15 million. The CRA has made adjustments accordingly.
The CRA signals a shift from an entirely voluntary approach to a mandatory approach when it comes to cybersecurity. This report, specifically, identifies the most relevant existing cybersecurity standards for each CRA requirement, analyzes the coverage they already offer over the intended scope of the requirement, and highlights possible gaps to be addressed. It makes concrete suggestions on what has to change, which means we will see increased product costs, since manufacturers will be directly liable for production decisions that make sense financially but are risky for the consumer.
There will be three levels of compliance.
- First, self-assessment: applies to products that are not considered critical or of importance. These are bound by nothing more than being able to show compliance with Annex 1 in the report.
- Second, harmonized standards: these are products of higher importance, which are required to show compliance with the harmonized standards. They may have to go through industry testing organizations such as IDIADA, in line with the standard required for motor vehicles (see UN ECE R155 and R156).
- Third, highly critical components, software or SaaS (Software as a Service): these will be audited and have to show full compliance, which will be tested by third parties. Taiwan will see many of its products being tested, since the majority of tech manufacturing in Taiwan is for critical control systems and technology. This includes ASUS (a Taiwanese multinational computer, phone hardware and electronics manufacturer), TSMC (Taiwan Semiconductor Manufacturing Company) and Continental (automotive, in Taichung).
Given Taiwan’s significance as a trading partner, the proactive adoption of specific security measures, such as aligning with the CRA, through government action could reduce both research and development expenses and certification processing times. This may include regulatory or non-regulatory measures. By already meeting the mandated standards, companies in Taiwan would streamline their ability to market their products. In the meantime, Taiwanese companies should stay abreast of the CRA to remain compliant.