The Cyber Resilience Act (CRA) is a new European regulation aimed at strengthening the security of connected objects. Although the effective date is not yet known, IoT manufacturers and providers must begin to anticipate the CRA to develop safe hardware products. The CRA promotes security by default (by design) by integrating encryption and authentication practices, as well as security keys. New connected objects must also be designed to ensure their security from the outset.
However, connected objects already deployed in the field will need software updates to be secured. IoT manufacturers and providers therefore encourage their customers to have good visibility of the objects already in place and their environment to assess their level of security. Software updates are a way to ensure the security of connected objects deployed in the field, but they can also lead to costs and changes in philosophy for IoT actors.
The security of connected objects must also be explained to end users to ensure a good understanding of security practices. According to Alexandre Chaverot, CEO of French connected object manufacturer Avidsen, pedagogy is essential to ensure the security of connected objects. Indeed, if security is integrated by design, it will be transparent. If, on the other hand, security is perceived as a constraint, it will not be accepted. Pedagogy is therefore the second pillar of the CRA.
Anticipating the Cyber Resilience Act
The advantage of this security lies in “increasing the life of equipment by maintenance,” says Stéphane Henry, business line general manager at the Lacroix Group. For Avidsen, security has become a commercial argument to establish itself in the market. For many, the CRA is an opportunity to remind companies that cybersecurity concerns all of them and that they must acknowledge their vulnerability.
The CRA broadens the scope of IoT security, but specific standards for industrial and consumer objects already exist. Industrial products are already subject to specific security standards, and standard EN 303 645 applies to connected objects intended for consumers. For IoT actors, the CRA is therefore a reminder of the practices to be implemented.
The main advice from the actors interviewed is to educate end users. It is also essential to consider security from the design stage of connected objects, so that they are secure by design. Cybersecurity projects must be launched now, even before the texts apply, as security is a long cycle. Indeed, according to Michele Sartori, engineer at Quarkslab, a cybersecurity project requires at least “between six months and a year of work.”
In summary, the CRA is a new European regulation aimed at strengthening the security of connected objects. It promotes security by default (by design) by integrating encryption and authentication practices, as well as security keys. For IoT manufacturers and providers, it will become essential, although its effective date is not immediate. IoT actors encourage their customers to have good visibility of the objects already in place and their environment to assess their level of security. Pedagogy is essential to ensure the security of connected objects, and cybersecurity projects must be launched now, even before the application of the texts.