Cyber Resilience Act 2022: A silver bullet for cybersecurity of IoT devices or a shot in the dark?
Author: Mohammed Raiz Shaffique
Journal: Computer Law & Security Review, Volume 54, Article 106009
Publication type: Journal Article
Published: 2024-07-05
DOI: 10.1016/j.clsr.2024.106009
URL: https://www.sciencedirect.com/science/article/pii/S0267364924000761
The Internet of Things (IoT) is an ecosystem of interconnected devices (IoT devices) that is capable of intelligent decision making. IoT devices can include everyday objects such as televisions, cars and shoes. The interconnectedness brought forth by IoT has extended the need for cybersecurity beyond the information security realm into the physical security sphere. However, ensuring the cybersecurity of IoT devices is far from straightforward, because several cybersecurity challenges are associated with them. The pertinent cybersecurity challenges of IoT devices in this regard relate to: (i) Security During Manufacturing, (ii) Identification and Authentication, (iii) Lack of Encryption, (iv) Large Attack Surface, (v) Security During Updates, (vi) Lack of User Awareness and (vii) Diverging Standards and Regulations.
Against this background, the Cyber Resilience Act (CRA) has been proposed to complement the existing EU cybersecurity framework, which consists of legislation such as the Cybersecurity Act and the NIS2 Directive. However, does the CRA provide a framework for effectively combating the cybersecurity challenges of IoT devices in the EU? The crux of the CRA is to lay down and enforce the rules required to ensure the cybersecurity of ‘products with digital elements’, a category that includes IoT devices. To this end, several obligations are imposed on manufacturers, importers and distributors of IoT devices. Manufacturers are mandated to ensure that the essential cybersecurity requirements prescribed by the CRA are met before placing IoT devices on the market. While the cybersecurity requirements mandated by the CRA are commendable, the CRA suffers from several ambiguities which can hamper its potential impact. For instance, the CRA could provide guidance to manufacturers on how to conduct a cybersecurity risk assessment, and it could clarify the meaning of terms such as “limit attack surfaces” and “without any known exploitable vulnerabilities”.
When the fundamental themes of the CRA are analysed through the prism of the cybersecurity challenges of IoT devices, it becomes clear that the CRA does provide a foundation for effectively addressing those challenges. However, the expansive wording in various parts of the CRA, including in the Annex I Requirements, leaves scope for interpretation on several fronts. Consequently, the effectiveness of the CRA in tackling the Security During Manufacturing Challenge, the Identification and Authentication Challenge, the Large Attack Surface Challenge and the Diverging Standards and Regulations Challenge would be largely contingent on how harmonised standards develop and how the industry adopts them. The CRA seems to be more effective, albeit not fully so, in significantly addressing the Lack of Encryption Challenge, the Security During Updates Challenge and the Lack of User Awareness Challenge of IoT devices. However, the manner in which the CRA addresses all these cybersecurity challenges could be improved upon if an agency such as ENISA were given the legal mandate to set elaborate standards for cybersecurity requirements under the CRA.
Journal description:
CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition, it provides a regular update on European Union developments and national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good-quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.