The European Cyber Resilience Act was adopted by the European Council on 10 October 2024 and will be published in the EU Official Journal in the coming weeks. As already reported in our technical article "The new Cyber Resilience Act (CRA)", the new regulation defines requirements for the security of products. These requirements are sometimes difficult for people without prior knowledge of IT or OT security to understand. The German Federal Office for Information Security (BSI) offers support with a publication.
‘The Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products aims to provide manufacturers with advance information on the type of requirements they will face under the future Cyber Resilience Act (CRA).’
The publication mentioned above consists of three parts. At the moment, only the second part (Software Bill of Materials – SBOM) has been published in its final form; it describes what the CRA requirement for documenting the software supply chain might look like. The final version of part 2 was published in September 2024 in a new edition; the full text of this version can be accessed via the following link:
TR-03183: Cyber Resilience Requirements for Manufacturers and Products - Part 2: Software Bill of Materials (SBOM) Version 2.0.0
The first part, which specifies and explains the multitude of requirements from the Cyber Resilience Act for manufacturers, was published at the end of September 2020 as a so-called community draft. The same applies to part 3 of the technical guideline, which deals with the ‘handling of incoming vulnerability reports’. Both documents can still be publicly commented on by knowledgeable persons until 30 November 2024. We will, of course, inform you as soon as we become aware that the final versions of these two parts have been published.
Planned requirements of the first part ‘General Requirements’
The first part of the technical guideline already highlights, in its draft form, the following fundamental requirements for manufacturers and products:
Security design: Products with digital elements must be developed, produced and updated securely. Manufacturers are obliged to apply best practices throughout the software development lifecycle and to meet security requirements such as the protection of data confidentiality and integrity.
Risk assessment: Manufacturers must conduct a risk analysis over the entire life cycle of the product to identify potential threats and their impact. This analysis must be documented and regularly updated.
Security updates: Products must receive regular security updates to fix vulnerabilities. Manufacturers are obliged to provide an automatic update mechanism that is activated by default. In addition, users must be informed of available updates and be able to postpone updates temporarily.
Access control: Measures must be implemented to protect against unauthorised access, including strong authentication mechanisms and the ability to set individual passwords.
Vulnerability management: Manufacturers must operate a system to identify, assess and remediate vulnerabilities. They must inform users of any security vulnerabilities that are discovered and provide updates in a timely manner.
Documentation: Comprehensive technical documentation is required, including information on design, development processes and security risks. This documentation should also include details of tests performed and components supported.
In summary, the requirements aim to ensure that products are developed securely and continuously updated to withstand potential cyber threats and keep users safe.
Conclusion and further information
In our view, the work of the BSI makes a very valuable contribution to making the cyber security requirements for manufacturers of machines, systems and electrical equipment much more tangible. The full texts of the draft documents for parts 1 and 3, as well as the opportunity to comment on the two ‘community drafts’, can be found on the BSI website.
Tip:
Register now for our free CE-InfoService and stay informed whenever relevant news in the field of product compliance (e.g. the publication of the first and third parts of TR-03183) occurs.
Posted on: 2024-10-28 (last amendment)
Johannes Windeler-Frick, MSc ETH Member of the IBF management board. Specialist in CE marking and Safexpert. Presentations, podcasts and publications on various CE topics, in particular CE organisation and efficient CE management. Management of the further development of the Safexpert software system. Degree in electrical engineering from ETH Zurich (MSc) with a focus on energy technology and specialisation in the field of machine tools.
Email: johannes.windeler-frick@ibf-solutions.com | www.ibf-solutions.com