One of the main pillars of the EU Cyber Resilience Act (CRA) is to make sure that manufacturers take responsibility for their customer’s cyber security and resilience. Today a vendor can give instructions to the customer on how to protect themselves by applying firewall and other protective measures while the vendor is supplying insecure software. Most of the industry have pushed the responsibility for cyber security towards the customer. The EU is changing that, as are governments all over the world. Vendors will have to deliver software that is cyber resilient and secure by design. The vendor will be responsible for keeping their products secure during the product’s life time.
This not only changes how we design, code and deliver software but also the long term management of both products and the installed base. The CRA forces vendors to freely provide customers with security updates during the product’s life time. These changes will mean that it is going be more expensive to both create the software and to maintain it over time.
The CRA clearly states that while the cost for the manufacturer will go up, so will the cost for the customer. But they also state that the costs for society in general will go down when our IT infrastructure is more resilient to attacks. The current costs are too high, according to the EU. A clear win for society – but what is the impact for the vendors?
It’s not only the risks of a hefty fine – up to 15 million Euro – that makes this an issue for the CEO and the board, it is also the huge impact of the business model.
The CRA forces a huge change on the business model for software vendors – in just two years
The EU Cyber Resilience Act is implemented in two phases. The first one applies to all products sold, regardless if it is new products or product developed before the act came into action. In this phase, the vendor needs full vulnerability management, public disclosure of security fixes and more.
The second phase applies to new products or old products that get new features. In this phase, the product has to be secure by design and secure by default. Based on a risk assessment, the vendor needs to do what’s needed to protect their customers and keep the products secure.
The first phase comes into power 21 months after the CRA is published in the official EU Journal, the second phase after 36 months. The current estimate says the the first phase will start 2026 and the second 2027. For a manufacturer, a lot will have to change during what seems to be a very short time. This change will clearly affect the business model.
Changing on existing budgets will require sacrificing development of new features
In order to adopt to the CRA, teams will have to get training, all products will need a complete SBOM and processes for vulnerability management, the company needs to implement coordinated vulnerability disclosure and much more needs to be in place. The marketing department needs to make sure that communication channels exists to all customers and that the change is communicated without harm to sales. The legal and compliance departments needs to make sure that the risk assessments are where they need to be and that all product comply with the new regulation as well as company policies. Purchasing needs to do due diligence with all vendors – are they ready for the CRA? Product managers needs to analyse the gap – will they be able to bring existing products into this new era or do they have to ask for a budget for creating a replacement?
All of these actions will require more resources than before. If they have to be taken from the existing budget – will there be any resources left to develop new features, to fix existing bugs? In short – will the company be able to protect the market share and launch new attractive functions to the market in time?
For a manufacturer who has been ignoring security in their software development process this will have a severe impact of the business model.
The development cost will raise, but who wants to be a leader in raising customer pricing?
In the long run, after the first change to reach CRA compliance, there has to be resources for continuous development and vulnerability management. Developers need to continuously upgrade third-party components, maybe update code to work with new and supported libraries. The product team needs to have tight integration with upstream vendors and strategic open source projects to get information about issues, fixes and plans for new releases, supported releases and end-of life for components. Product managers need to constantly update risk assessments, threat models and perform regular pen-tests on the software. In some cases, go through a new third-party certification of the product. In addition, they need to create a secure supply chain for the software – from design and first commit to release.
For a manufacturer who has been ignoring security in their software development process this will have a severe impact of the business model. With constant work to keep the software secure, a one time price for buying an IoT product, a mobile app or laptop software may need to be adjusted. Recurring fees would help, but security updates has to be free by law. Who wants to be the first mover to raise prices in a competitive market?
The time to start is now and the decision is in the hands of upper management
The CRA will certainly change the market for products with software – standalone software or embedded systems like OT systems, IoT and mobile devices. It’s not only the risks of a hefty fine – up to 15 million Euro – that makes this an issue for the CEO and the board, it is also the huge impact of the business model. There is not a lot of time to act and changes like this takes time.
If the company wants to remain competitive and expand the market share, there has to be funding for staying competitive while going through this regulation revolution.
In summary: there is no time to wait for the CRA implementation details or coming horizontal standards. They will come and support the process as we get closer. The time to start acting is now. Are you ready?
Register now for the Nordic Software Security Summit 2024 – Stockholm, Sweden, September 23-24 to learn more!