The increasing number of cyberattacks affecting digital products, coupled with widespread vulnerabilities and insufficient timely security updates, creates heavy financial burdens on society. In response, the European Commission has drafted the Cyber Resilience Act (CRA), a new proposal for a regulation defining the legislative framework of essential cybersecurity requirements that manufacturers must meet when placing any product with digital elements on the internal market. To facilitate adoption of the CRA provisions, these requirements need to be translated into harmonised standards with which manufacturers can comply. In support of the standardisation effort, this study attempts to identify the most relevant existing cybersecurity standards for each CRA requirement, analyses the coverage they already offer of the intended scope of the requirement, and highlights possible gaps to be addressed.
Introduction
On 15 September 2022, the European Commission published the proposal for the Cyber Resilience Act (CRA) [1], the first ever EU-wide legislation of its kind, aimed at introducing mandatory cybersecurity requirements for products with digital elements throughout their lifecycle.
The CRA proposal covers all products with digital elements placed on the market that can be connected to a device or a network, including their building blocks (i.e., hardware and software), and also encompasses solutions provided in a Software as a Service (SaaS) fashion if they qualify as remote data processing solutions, as defined by Article 3(2) of the CRA proposal.
The CRA proposal provides two sets of essential requirements:
- Product cybersecurity requirements in Annex I, Section 1 of the CRA proposal
- Vulnerability handling process requirements in Annex I, Section 2 of the CRA proposal
These requirements are to be the subject of a standardisation process by the European Standardisation Organisations (ESOs), which will express them as specifications in harmonised standards.
The general principle is that, for most products placed on the market, a manufacturer's self-assessment of compliance with the requirements specified in Annex I will be sufficient. For certain categories of more critical products, the application of harmonised standards will be required. For the most critical products, a third-party conformity assessment will be mandatory.
This report details the available standardisation outputs on the cybersecurity of products (hardware and software products, including hardware and software components of more complex products), produced mainly by ESOs and international Standards Development Organisations (SDOs). Specifically, the study aims to present a mapping of existing cybersecurity standards against the essential requirements listed in Annex I of the CRA proposal, along with a gap analysis between the mapped standards and the requirements. In view of the development of harmonised standards, this analysis offers an overview of the current coverage of the requirements by existing specifications, highlighting gaps that may be addressed by further standardisation work.
At the request of DG CNECT, this study has been developed jointly by the Joint Research Centre (JRC) and the European Union Agency for Cybersecurity (ENISA). This is also in line with the proposal for the regulation, which states that synergies on standardisation aspects should be sought between the Commission and ENISA.
Section 2 summarises the methodology adopted to carry out this study. Section 3 presents the mapping between requirements and standards, with an analysis of the coverage offered by the standards and of possible gaps. Section 4 summarises all identified standards and their respective mapping, along with some overall remarks, and Section 5 draws conclusions.