Digitalisation has increased the risk of cyberattacks in all areas of the economy and everyday life. How does the EU intend to improve e-product safety?
Miriam Seyffarth: The Cyber Resilience Act (CRA) introduces EU-wide cybersecurity requirements for the design, development, production and deployment of hardware and software products on the market. The regulation aims to reduce the vulnerability of digital products and to ensure protection against unauthorised access – throughout the entire life cycle of a product. Specifically, this means, for example, that when purchasing a smartphone or a washing machine with a Wi-Fi connection, consumers must receive information on how long the manufacturer will provide security updates for the product. The minimum period here is five years. Products that comply with the CRA receive the already-established CE marking.
The CRA applies to products with digital components, such as smartphones or washing machines, and it also covers software as an independent product. What requirements does the regulation place on software?
The CRA focuses on the principle of “security by design”, i.e., integrating security aspects into all phases of software development. This approach increases the resilience of hardware and software against attacks. Companies must also carry out comprehensive risk analyses and establish processes to identify and assess the cybersecurity risks of their products. Additionally, they have to take measures to address problems should they occur and publish information about the cybersecurity of their products commercially.
Which companies are affected by this?
All companies that launch and sell digital products, i.e. hardware and software, on the market in the course of commercial activity – regardless of whether they have developed 100 per cent of the digital components or whether they buy or integrate third-party components. Companies, therefore, have to consider not only their final product or finished software but also the entire supply chain. This is because software vendors bear responsibility for all components that they embed in their software as soon as they launch or sell the product.
“The Cyber Resilience Act calls on companies to make software development processes more secure and to keep an eye on the supply chain.”
Miriam Seyffarth
In its final version, which has already passed the EU Parliament, the CRA also takes into account the special nature of the open source ecosystem. The Open Source Business Alliance has strongly advocated for this. Why were you in favour of distinguishing between proprietary and open source software?
The development and distribution models of open source software differ considerably, in some cases, from the development and distribution models of proprietary software due to the open and cooperative approach and the freedoms granted by open source software licences. In particular, it is not so easy to distinguish between commercial and non-commercial players in the open source sector. A more differentiated categorisation is required here. We have therefore explicitly welcomed the European Commission’s decision to recognise the complex web of the open source ecosystem by distinguishing between producers of open source software – the manufacturers – and the developers and administrators of basic open source software components – the stewards.
What does this mean for the Open Logistics Foundation and its member companies?
Organisations such as the Open Logistics Foundation will fall into the category of stewards. The requirements for stewards are less strict, and the member companies are not responsible for the software development in the Foundation’s projects, as this is the responsibility of the Foundation as long as it only concerns standards and basic components. However, as the member companies themselves want to use and distribute the software they have developed in a business environment, they then bear the full responsibility for the commercial product they sell as a manufacturer; therefore, they will be keen to develop the software to be CRA-compliant from the outset. The entire logistics sector – i.e. all companies that subsequently use the software – will eventually benefit from the collaboration under the umbrella of the Foundation.
When the General Data Protection Regulation came into force in May 2018, many companies struggled with the changes, often making them at the last minute. What can they do better with the CRA?
Let’s be better prepared this time! Companies should find out now what they need to do and how they can fulfil the requirements of the CRA. This could include looking into existing security processes within the company and the business partners in the supply chain, as well as a detailed list of all the components of their software solutions, the so-called Software Bills of Materials. Admittedly, the text of the regulation is long, unwieldy and abstract. However, the EU is currently developing concrete standards and a clear catalogue of criteria and is also planning to publish a guide for small and medium-sized enterprises in particular.
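The component list mentioned above is usually kept as a machine-readable Software Bill of Materials. The script below is an added illustration, not code from the interview, the OSBA or the Open Logistics Foundation: it takes a constructed inventory for a hypothetical product, writes it out in the CycloneDX JSON layout (bomFormat, specVersion, metadata, components), and reports every component that cannot be traced back to a supplier, an exact version and a package URL, which is the kind of gap a vendor wants to find before it has to answer for third-party components it ships.

```python
"""Build a CycloneDX-style SBOM for one product and flag incomplete entries.
Added example; the product, component names and versions are constructed."""
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory for a hypothetical product (not from the interview).
# The second entry is deliberately incomplete to show what the check reports.
INVENTORY = [
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "supplier": "OpenSSL Project", "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "library", "name": "log-helper", "version": "",
     "supplier": None, "purl": None},
    {"type": "framework", "name": "spring-boot", "version": "3.2.4",
     "supplier": "VMware",
     "purl": "pkg:maven/org.springframework.boot/spring-boot@3.2.4"},
]

# Fields every entry must carry before the list is useful for supply-chain tracking.
REQUIRED = ("type", "name", "version", "supplier", "purl")


def to_component(entry):
    """Map one inventory row onto CycloneDX component fields.
    CycloneDX expresses the supplier as an object with a 'name' key;
    empty values are dropped so the gap check can detect them."""
    comp = {k: entry.get(k) for k in ("type", "name", "version", "purl")}
    if entry.get("supplier"):
        comp["supplier"] = {"name": entry["supplier"]}
    return {k: v for k, v in comp.items() if v}


def build_sbom(product_name, product_version, inventory):
    """Assemble a CycloneDX 1.5 JSON document describing the product."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application",
                          "name": product_name, "version": product_version},
        },
        "components": [to_component(e) for e in inventory],
    }


def find_gaps(sbom):
    """Return {component name: [missing fields]} for every entry that lacks
    a required field; an empty dict means the inventory is complete."""
    gaps = {}
    for comp in sbom["components"]:
        missing = [f for f in REQUIRED if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def suppliers(sbom):
    """Sorted list of distinct third-party suppliers named in the SBOM."""
    return sorted({c["supplier"]["name"] for c in sbom["components"] if "supplier" in c})


if __name__ == "__main__":
    bom = build_sbom("warehouse-router", "1.4.0", INVENTORY)
    print(json.dumps(bom, indent=2))
    print("incomplete entries:", find_gaps(bom))
    print("third-party suppliers:", suppliers(bom))
```

Run as a script it prints the SBOM and then the gap report; on the constructed inventory the `log-helper` entry is reported as missing its version, supplier and package URL, while the supplier list gives the set of upstream parties whose security processes the vendor would need to look into.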
About the CRA
The European Parliament adopted the regulation in March 2024. The Council of the European Union must also approve the CRA before it enters into force. Companies must then apply the regulation 36 months after it comes into force, which is expected to be the case in 2027.
About the OSBA
The Open Source Business Alliance (OSBA) – Bundesverband für digitale Souveränität e. V. represents over 220 member companies in the open source industry in Germany. The Berlin-based organisation is committed to establishing open source as the standard of public procurement, research, and business development. The Open Source Business Alliance works together with the Open Logistics Foundation. The two organisations have signed a Memorandum of Understanding to this end. The common goal is to promote the exchange of information on digital sovereignty and open source – as well as to be in close contact with other business and industry organisations.
For more information on the cooperation, read official press releases in English and German.
This interview was published in the fourth edition of the Open Logistics Magazine. You can read the full magazine and register for future editions here.