Greater cyber security for products
The Cyber Resilience Act is on the agenda of two lift sector events at once: both at the Annual General Meeting of the VDMA Trade Association Lifts and Escalators and at the Schwelm Symposium.
What does this involve and what can the lift sector expect from this European regulation?
By Alexey Markert
What is the CRA?
Alexey Markert, advisor for technology policy and standardisation at the VDMA. Photo: © LIFTjournal / Ulrike Lotze
The Cyber Resilience Act (CRA) is one of the first statutes worldwide to regulate cyber security matters. It is a European regulation that will join the CE marking legislation, such as the Machinery Directive, and, like all EU regulations, does not have to be transposed into national law. The CRA is intended to ensure that products with fewer vulnerabilities are placed on the market and that the cyber security of products is enhanced for consumers and companies alike.
By creating a uniform legal framework in the European Union (EU), the goal is to improve cyber security and avoid a patchwork of different national regulations. The CRA is intended to bring about legal certainty for economic players and users regarding product requirements and expand the internal market to this area.
Who does this affect?
The CRA affects products with digital elements placed on the EU market. This covers both hardware and software products that could be potential targets for attack. The decisive criterion is whether the product can exchange data.
If it can, the product is covered by the regulation and must comply with it. Consequently, products such as computers, smartphones and machinery, as well as lifts, are covered by the regulation. In addition, software products are covered for the first time, which ought to lead to a massive improvement in the software offered.
When is it to come into use?
In all probability, the legislation will enter into force in autumn 2024. Thirty-six months later, it must then be applied in full to all products affected. However, the obligation to report vulnerabilities will apply earlier, from summer 2026, and also to existing products! Manufacturers of standardised products that are in current production and are to remain so must bear in mind that these products will also have to be adapted to the CRA.
What are the obligations of the manufacturer?
Manufacturers must ensure that their products comply with the essential cyber security requirements according to Annex I of the legislation. On the one hand, this requires technical measures, such as "security by design", shipping products without vulnerabilities and much more. On the other hand, it also covers organisational measures, such as vulnerability management or drawing up a "software bill of materials" (SBOM), i.e. a list of the software components used.
Technologically, this presents many manufacturers with considerable challenges, since machine controls are often based on completely outdated operating systems. Everyone should realise that this will be a thing of the past by autumn 2027 at the latest. Manufacturers affected by this should in particular make use of the time before then. I urgently appeal to all manufacturers to use the time before autumn 2027 and ideally to begin implementation now. Furthermore, manufacturers must provide free security updates throughout the life cycle of the product, and for a minimum period of five years.
What will happen to manufacturers who do not comply?
Manufacturers whose products are covered by the CRA and who fail to comply with it may no longer affix the CE mark after it becomes applicable in autumn 2027. De facto, this would mean a complete halt to sales on the European market. If this is not observed, fines of up to 15 million euros or 2.5 percent of global turnover, whichever is higher, would be due.
The author is the advisor for technology policy and standardisation at the VDMA.
More information (1): Texts adopted - Horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 - Tuesday, 12 March 2024 (europa.eu)
EU Cyber Resilience Act | Shaping Europe’s digital future (europa.eu)
More information (2): "We have received news from Brussels regarding important directives and regulations about IT and cyber security, such as the so-called Data Act, the Cyber Resilience Act and the NIS 2 Directive. These are regulations that are of very great relevance to digital product manufacturers. This regulatory tsunami and other plans of Brussels along similar lines raise the serious question of the extent to which additional lift-specific regulations on cyber security are really needed!"
Dr Peter Hug, Managing Director VDMA Trade Association Lifts and Escalators