The Cyber Resilience Act aims to close gaps in cyber security across the entire supply chain of products and to protect consumers as well as companies from dangerous attacks by hackers. This means that importers and distributors are now also liable – and are in some cases even considered manufacturers by the EU. “We now have the situation that importers of OEM goods that are only relabelled – all the way to internet providers who make devices available to their customers under their own name – are considered manufacturers and must therefore also fully comply with the regulations for producers,” says Jan Wendenburg, CEO of ONEKEY. The consequence: every product with digital elements – i.e. any hardware or software product, such as any device containing a microprocessor – must be protected throughout its entire life cycle against vulnerabilities that hackers can exploit. This entails reporting and due-diligence obligations as well as the creation of a pedigree of all digital components in the form of a Software Bill of Materials (SBOM). So far, however, importers and large distributors of OEM goods from Asia are hardly prepared for this, and the necessary resources and competencies must be built up quickly in order to carry out these checks.
EU intervenes in trade chains
“The EU Commission is thus interfering in the established structures of the IT distribution model. Many companies order white-label goods from large Asian manufacturers who, however, rarely comply with the new security requirements of the Cyber Resilience Act and have no primary interest in compliance. The new regulation, which is right for consumers and users in the economy, thus requires a structural rethinking of the previous trade model,” Jan Wendenburg of ONEKEY explains further. His company offers automated, software-based analysis of networked smart devices, including all the assemblies and components they contain, in order to detect previously unknown vulnerabilities.
On this basis, ONEKEY can already generate an SBOM that inventories the software components of a networked device – its complete “DNA”.
Companies that adapt their processes in time can also shorten the time-to-market for new products under the new rules and reduce their liability risk. Automated analysis and testing routines are a prerequisite, however, because whenever a single component is updated, the security and integrity of the whole device must be verified again.
Security for existing devices too
“We must be able to rely on the fact that products offered in the Single Market are safe,” said Commission Vice-President Margrethe Vestager, responsible for Digital Affairs, in an EU press statement. “To this end, we are holding those who place the products on the market accountable,” Vestager added. With the concept of “integrated cyber security”, the Commission intends to take countermeasures. “This step is right and important. In recent months, not only the frequency but also the danger of attacks has increased. In addition, it is becoming more and more clear that in networked production and corporate environments alone, countless systems are in use that still contain numerous vulnerabilities and urgently need to be investigated as well,” analyses cybersecurity specialist Wendenburg. Accordingly, ONEKEY is receiving an increasing number of enquiries from industry and business, and a large number of security vulnerabilities, up to and including potential zero-day exploits, have already been found and fixed.