The EU is taking steps to increase the security of networked devices with the Cyber Resilience Act (CRA). The EU Commission presented a draft regulation in September 2022, which is undergoing adoption by the EU Parliament and the Council of Ministers. The CRA aims to increase the security level of devices, including medical devices and motor vehicles. The regulation establishes obligations for device manufacturers in design and production, including providing updates for devices.
The regulation differentiates between categories of products. Less critical products, such as computer games, should only require a declaration of conformity from manufacturers stating that the products fulfill technical security standards, contain no security gaps, and will receive updates for several years. The Commission also wants to prescribe third-party external testing for more critical products such as encryption processors, system controls, CNC controls, and operating systems for servers, desktop computers, and mobile devices.
The CRA responds to the increasing networking of devices, including previously unconnected devices such as washing machines and smartwatches. Politicians and lawmakers are concerned about the threat of malicious software infiltrating these devices. The CRA seeks to establish stricter test criteria for products and to centralize enforcement at the European Network and Information Security Authority (ENISA).
Nicola Danti is negotiating the CRA as the rapporteur for the EU Parliament. Danti wants to include smart home devices in the category requiring external conformity checks and to centralize enforcement at ENISA. In contrast, the Commission proposes a stronger role for member state authorities. In Germany, the Federal Office for Information Security (BSI) would be responsible for implementing the regulation.
The CRA could significantly expand the BSI’s range of tasks, from product testing to acting as a supervisory authority. The BSI hopes that the CRA will remove “consumer devices with uncertain status” from the market. However, deliberations on the distribution of roles and tasks resulting from the CRA are ongoing. The second point of contention is the extension of transitional periods from 24 months to 40 months for “products with digital elements” coming under new rules proposed by Danti. Grandfathering of existing products would also be extended as long as there are no significant changes.