Telco Buzz

EU Cyber Resilience Challenges: Accountability and Compliance


The European Union's Cyber Resilience Act (CRA) is reshaping the obligations of organizations that place products with digital elements on the EU market. Introduced to raise the baseline of cybersecurity across industries, the CRA is proving hard to implement in practice, because it specifies what a manufacturer must achieve without saying which part of the organization should own it.

A report by the Düsseldorf-based company ONEKEY highlights the unresolved question of who inside a company is responsible for CRA compliance. Its survey of 300 organizations found accountability spread unevenly across departments: IT security leads CRA efforts in nearly half of the companies, while the rest assign responsibility to compliance officers, top management or product development.

The CRA mandates a “security by design” approach across a product’s entire lifecycle, from development through the support period. Manufacturers must also report actively exploited vulnerabilities and severe security incidents to ENISA, the EU’s cybersecurity agency, and to the responsible national Computer Security Incident Response Team (CSIRT), with an initial early warning due within 24 hours of becoming aware. Jan Wendenburg, CEO of ONEKEY, stressed that IT security has to be involved if these deadlines are to be met.

Manufacturers must also maintain a Software Bill of Materials (SBOM): a machine-readable inventory of the components in a product, including third-party and open-source libraries and their versions. The SBOM is what makes it possible to tell, when a new vulnerability is published, which shipped products contain the affected component. Surprisingly, only a small fraction of organizations assign SBOM tasks to their software development teams, despite its central role in CRA compliance. Wendenburg pointed to the sheer volume of newly disclosed software vulnerabilities as a reason why checking products against them cannot be done by hand and needs an automated verification process.
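To make the idea of automated verification against an SBOM concrete, here is an added example (not ONEKEY's platform, not code from the article, and not a format the CRA prescribes). It reads a small CycloneDX-style SBOM and checks each component's package URL against an advisory feed that lists affected version ranges. The SBOM, the package names and the advisory IDs are constructed for illustration; the version comparison assumes plain dotted numeric versions.

```python
"""Match an SBOM's component inventory against a vulnerability feed.

Added example, not ONEKEY's platform or any CRA-mandated format.
Input shapes follow CycloneDX JSON conventions (components carrying a
"purl"), but the SBOM and the advisory feed below are constructed
samples, not real products or real advisories.
"""
import json
from typing import Iterable

# Constructed CycloneDX-style SBOM: a firmware image with three
# third-party components. Names and versions are invented.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample-tls", "version": "1.4.2",
         "purl": "pkg:generic/libexample-tls@1.4.2"},
        {"type": "library", "name": "tinyhttpd", "version": "0.9.17",
         "purl": "pkg:generic/tinyhttpd@0.9.17"},
        {"type": "library", "name": "jsonlite", "version": "2.0.0",
         "purl": "pkg:generic/jsonlite@2.0.0"},
    ],
})

# Constructed advisory feed with hypothetical IDs. Each entry names a
# package and the affected version range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:generic/libexample-tls",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:generic/tinyhttpd",
     "introduced": "0.9.0", "fixed": "0.9.10"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:generic/jsonlite",
     "introduced": "2.0.0", "fixed": None},   # no fixed release yet
]


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically rather
    than lexically: as strings '0.9.17' < '0.9.2', which would be wrong.
    Assumes plain dotted numeric versions (no '-rc1' suffixes)."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, introduced: str, fixed) -> bool:
    """True if introduced <= version < fixed; fixed=None means no upper bound."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def split_purl(purl: str) -> tuple:
    """Separate 'pkg:generic/name@1.2.3' into ('pkg:generic/name', '1.2.3')."""
    base, _, version = purl.partition("@")
    return base, version


def find_affected(sbom_json: str, advisories: Iterable[dict]) -> list:
    """Return (component name, version, advisory id) for every SBOM
    component whose package URL falls inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl: the component cannot be matched automatically
        base, version = split_purl(purl)
        for adv in by_package.get(base, []):
            if in_range(version, adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Two details matter in practice: versions must be compared as numbers, not strings (tinyhttpd 0.9.17 is newer than the 0.9.10 fix and correctly not flagged), and an advisory with no fixed version still has to produce a hit, because the product ships the affected component regardless of whether a patch exists. Real ecosystems (npm, PyPI, Debian, Maven) each have their own version ordering rules, so a production checker needs ecosystem-specific comparison rather than the simple dotted-integer parser used here.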

In response to the CRA’s cross-functional demands, more than 40% of the surveyed firms have set up dedicated teams or structures for compliance. These teams vary in size, and many still lack a formal structure. ONEKEY supports companies in organizing this work with an automated Product & Cybersecurity Compliance Platform and with CRA Readiness Assessment Workshops, which help businesses work out how the regulation affects them and develop a tailored compliance strategy.

In summary, the CRA is a sweeping regulatory framework with implications across industries. Because the Act does not prescribe an internal owner, organizations must coordinate across departments to meet it. For companies, compliance is more than regulatory adherence: the same controls, secure development, vulnerability handling and a maintained component inventory, are what protect their products against the attacks that could disrupt operations and compromise customers.
