Learn how combining IEC 62443, ETSI EN 303 645 and EN 18031 helps you meet the requirements of the CRA.
Process and technical requirements of the CRA
The Cyber Resilience Act (CRA) places requirements on both product development processes and the technical characteristics of the products themselves. This two-track approach requires a differentiated view of the available standards and norms.
Process requirements largely covered by IEC 62443-4-1
The process-related requirements of the CRA are largely covered by IEC 62443-4-1 “Secure product development lifecycle requirements”. This standard provides a comprehensive framework for developing secure products and addresses aspects such as:
- Security management
- Requirements analysis
- Secure design and implementation
- Verification and validation
- Handling of vulnerabilities and updates
- Creation of user information
By consistently applying IEC 62443-4-1, manufacturers can effectively implement the process-related mandates of the CRA and integrate them into their development processes.
Software Bill of Materials (SBOM) in IEC 62443-4-1
It is important to note that IEC 62443-4-1 does not make explicit requirements for creating a Software Bill of Materials (SBOM) as demanded by the CRA. However, a correct and thorough implementation of the standard often results in the creation of an SBOM or similar documentation in practice:
- Requirements management: The standard requires detailed documentation of all components and their security requirements.
- Configuration management: Accurate tracking of all software components and their versions is required.
- Supplier management: The standard calls for careful monitoring and documentation of third-party components.
- Patch management: Effective patch management requires precise knowledge of all software components.
Together, these processes lead to comprehensive documentation of software components that can be readily transformed into a formal SBOM. Companies that fully implement IEC 62443-4-1 will therefore find that they already capture and manage much of the information needed for an SBOM.
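To show how the records kept by configuration, supplier and patch management map onto an SBOM, here is an added example (not from the article, and not tooling from any of the standards). It merges three constructed record sets into a CycloneDX-style document and reports the fields a CRA SBOM would still be missing. The record shapes are assumptions for illustration; the CycloneDX field names follow the published 1.x JSON schema.

```python
"""Turn the records that IEC 62443-4-1 processes already keep into a
CycloneDX-style SBOM and report the gaps a CRA-grade SBOM must not have.

Added example, not from the article. The input records are constructed; the
CycloneDX field names (bomFormat, specVersion, metadata.component, components[],
supplier, purl, properties) follow the published CycloneDX 1.x JSON schema.
"""
import json

# Constructed records: what configuration, supplier and patch management would track.
CONFIG_INVENTORY = [
    {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
    {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    {"name": "vendor-rtos", "version": None, "purl": None},  # version never recorded
]
SUPPLIER_REGISTER = {"openssl": "OpenSSL Project", "zlib": "zlib contributors"}
PATCH_LOG = {"openssl": "2024-04-02", "zlib": "2024-01-25"}


def build_sbom(product, product_version, inventory, suppliers, patches):
    """Merge the three process records into one CycloneDX 1.5 document."""
    components = []
    for item in inventory:
        comp = {"type": "library", "name": item["name"]}
        if item.get("version"):
            comp["version"] = item["version"]
        if item.get("purl"):
            comp["purl"] = item["purl"]
        if item["name"] in suppliers:
            comp["supplier"] = {"name": suppliers[item["name"]]}
        if item["name"] in patches:
            # CycloneDX allows name/value properties for organisation-specific data.
            comp["properties"] = [{"name": "patch:last-applied", "value": patches[item["name"]]}]
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "device", "name": product, "version": product_version}},
        "components": components,
    }


def find_sbom_gaps(sbom):
    """Return one message per missing field; an empty list means the SBOM is complete."""
    gaps = []
    for comp in sbom["components"]:
        name = comp["name"]
        if "version" not in comp:
            gaps.append(f"{name}: no version recorded (configuration management gap)")
        if "supplier" not in comp:
            gaps.append(f"{name}: no supplier recorded (supplier management gap)")
        if "purl" not in comp:
            gaps.append(f"{name}: no package identifier, cannot be matched to advisories")
        if not any(p["name"] == "patch:last-applied" for p in comp.get("properties", [])):
            gaps.append(f"{name}: no patch history (patch management gap)")
    return gaps


if __name__ == "__main__":
    bom = build_sbom("example-gateway", "2.4.0", CONFIG_INVENTORY, SUPPLIER_REGISTER, PATCH_LOG)
    print(json.dumps(bom, indent=2))
    for gap in find_sbom_gaps(bom):
        print("GAP:", gap)
```

The point of the gap report is that each missing SBOM field traces back to one of the four process areas listed above: a component with no version is a configuration-management failure, one with no supplier a supplier-management failure, and so on. Running this over the real inventory is a quick way to see which IEC 62443-4-1 practice is not yet producing the data the CRA expects.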
Technical requirements: gaps in IEC 62443-3-3 and IEC 62443-4-2
The technical properties the CRA requires from products are not fully covered by IEC 62443-3-3 “System security requirements and security levels” and IEC 62443-4-2 “Technical security requirements for IACS components”. These standards, primarily designed for industrial applications, show some gaps:
- Missing privacy requirements: IEC 62443 parts -3-3 and -4-2 do not include specific privacy requirements, which play an important role in the CRA.
- Limited scope of application: The focus on industrial systems does not cover all product categories addressed by the CRA.
- Lack of detail in certain areas: Some specific technical properties required by the CRA are not, or not sufficiently, covered.
Supplementary standards to close the gaps
To close the gaps in the technical requirements, manufacturers can rely on supplementary standards:
- ETSI EN 303 645: This standard defines cybersecurity requirements for consumer IoT devices. It addresses many of the technical properties required by the CRA, particularly in the areas of privacy and consumer product security.
- EN 18031: This standard sets cybersecurity requirements for radio equipment and supports the implementation of the delegated act to the Radio Equipment Directive. It offers valuable provisions for the security of products with radio interfaces, which also fall under the CRA.
An extensive mapping of the CRA requirements to various standards was published some time ago by ENISA. Further details are provided in our article Mapping the CRA to standards.
To illustrate the differences and gaps in the technical requirements, here are some concrete examples:
| CRA | IEC 62443 | ETSI EN 303 645 |
|---|---|---|
| Products should only process data necessary for their function. | Contains no specific requirements on data minimization. | Explicitly requires minimization of personal data (Provision 5.8-1). |
| Protection against unauthorized access through appropriate controls. | Foundational requirement FR 1 (Identification and authentication control) specifies detailed requirements for the various aspects of access control, including identification and authentication. | Contains requirements for authentication, for example the demand for unique passwords per device or user-defined passwords if the device is no longer in factory default. These are, however, significantly less detailed than those in IEC 62443-4-2. |
| Products must be delivered with a secure default configuration. | IEC 62443-4-2 requires in requirement CR 7.7 “Least functionality” that components can be configured so only necessary functions are enabled. | Requires that all passwords not equal to the factory default are either unique per device or set by the user. |
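The three table rows translate directly into checks a manufacturer can run against a product's shipped configuration. The following is an added example (not from the article or from any standard's own tooling) that evaluates a constructed fleet of default configurations for least functionality (IEC 62443-4-2 CR 7.7), factory-default and per-device-unique passwords (ETSI EN 303 645) and data minimization. The policy and configuration shapes are assumptions for illustration.

```python
"""Check shipped default configurations against the three requirement areas in
the table: least functionality, secure and unique default passwords, and data
minimization.

Added example, not from the article. The POLICY and FLEET structures are
constructed for illustration and do not come from any standard.
"""

# Constructed policy: which services the product really needs, the well-known
# factory defaults that must not survive into a shipped config, and the data
# fields the product's function actually requires.
POLICY = {
    "required_services": {"https", "mqtt"},
    "factory_default_passwords": {"admin", "password", "12345678"},
    "allowed_data_fields": {"device_id", "firmware_version", "sensor_reading"},
}

# Constructed fleet: the default configuration each unit ships with.
FLEET = [
    {"serial": "SN-0001", "enabled_services": {"https", "mqtt", "telnet"},
     "admin_password": "admin", "collected_fields": {"device_id", "sensor_reading"}},
    {"serial": "SN-0002", "enabled_services": {"https", "mqtt"},
     "admin_password": "k7Q!v9rL2pXe", "collected_fields": {"device_id", "sensor_reading", "owner_name"}},
    {"serial": "SN-0003", "enabled_services": {"https", "mqtt"},
     "admin_password": "k7Q!v9rL2pXe", "collected_fields": {"device_id"}},
]


def check_device(config, policy):
    """Per-device checks; returns a list of findings (empty means compliant)."""
    findings = []
    serial = config["serial"]
    # CR 7.7 "Least functionality": nothing beyond the required services is enabled.
    extra = config["enabled_services"] - policy["required_services"]
    if extra:
        findings.append(f"{serial}: unnecessary services enabled: {sorted(extra)}")
    # ETSI EN 303 645: no universal factory-default password in the shipped state.
    if config["admin_password"] in policy["factory_default_passwords"]:
        findings.append(f"{serial}: shipped with a factory-default password")
    # CRA data minimization: only fields needed for the product's function.
    surplus = config["collected_fields"] - policy["allowed_data_fields"]
    if surplus:
        findings.append(f"{serial}: collects data beyond its function: {sorted(surplus)}")
    return findings


def check_fleet(fleet, policy):
    """Run the per-device checks and add the fleet-wide uniqueness check."""
    findings = []
    serials_by_password = {}
    for config in fleet:
        findings.extend(check_device(config, policy))
        serials_by_password.setdefault(config["admin_password"], []).append(config["serial"])
    # ETSI EN 303 645: passwords that are not factory defaults must be unique per device.
    # Factory defaults are already reported per device, so they are skipped here.
    for password, serials in serials_by_password.items():
        if len(serials) > 1 and password not in policy["factory_default_passwords"]:
            findings.append(f"password shared across devices {serials}: not unique per device")
    return findings


if __name__ == "__main__":
    for finding in check_fleet(FLEET, POLICY):
        print("FINDING:", finding)
```

The per-device function covers what IEC 62443-4-2 and the CRA ask of a single product, while the fleet-level check is needed for the ETSI provision, which cannot be verified by looking at one unit in isolation.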
EN 18031 becomes relevant where neither IEC 62443-4-2/-3-3 nor ETSI EN 303 645 provide requirements. An example is minimizing negative impacts on other devices or networks, which EN 18031 addresses.
Complementary application despite different scopes
Although the standards mentioned have different application domains, together they provide a solid foundation for implementing CRA requirements:
- IEC 62443: Focus on industrial applications
- ETSI EN 303 645: Aimed at consumer IoT devices
- EN 18031: Applicable to radio equipment in both consumer and industrial sectors
Despite these different focuses, manufacturers can use the standards complementarily to cover the wide range of CRA requirements. The combination allows consideration of both industrial and consumer-oriented aspects and integration of specific requirements for radio equipment.
Conclusion: holistic approach required
Implementing the Cyber Resilience Act (CRA) requires a holistic approach that addresses both process-related and technical aspects. The analysis shows that no single standard fully covers all CRA requirements, but a combination of standards provides a solid basis.
IEC 62443-4-1 proves an excellent basis for the CRA's process requirements. Companies already working to this standard have a significant advantage in implementing the CRA. Although the standard does not explicitly mandate creating a Software Bill of Materials (SBOM), a thorough implementation of IEC 62443-4-1 often leads to collecting the necessary information in practice.
For the technical requirements, a combination of IEC 62443-4-2/-3-3, ETSI EN 303 645 and EN 18031 provides the most comprehensive coverage:
- IEC 62443-4-2/-3-3 offers detailed technical requirements, particularly for industrial systems.
- ETSI EN 303 645 complements with specific requirements for consumer IoT devices, especially in areas like data minimization and privacy.
- EN 18031 fills important gaps, particularly regarding requirements for radio equipment and their impact on other devices and networks.
Despite the different application areas of these standards, manufacturers can use them complementarily to cover the broad spectrum of CRA requirements. This approach enables consideration of both industrial and consumer aspects and the integration of specific radio equipment requirements.
Manufacturers should, when implementing the CRA:
- Implement IEC 62443-4-1 as the basis for their development processes.
- Use the technical requirements of IEC 62443-4-2/-3-3 as the basis for their products.
- Apply ETSI EN 303 645 and EN 18031 for additional requirements not covered by IEC 62443.
- Identify gaps not fully covered by any standard and develop their own solutions.
This integrated approach enables companies to develop resilient and compliant products that meet both regulatory requirements and security needs across different application areas. It is important to note that the standards landscape will continue to evolve, and companies should be prepared to adapt their approaches when new or updated standards are published.
Ultimately, successful implementation of the CRA will depend on companies' ability to integrate these various standards and best practices into a coherent, product-specific security concept. This requires not only technical expertise but also a deep understanding of regulatory requirements and the specific risks in the relevant application areas.
If you need support applying these standards or implementing CRA requirements, contact us without obligation. Our experts are ready to assist with their extensive experience in implementing standards and regulatory requirements and help you develop a tailored strategy for your company.