I spoke in a previous article about the EU rules, which aim at the cyber security of hardware and software products starting in 2024.
Although the provisions protect the customers of this industry, the Cyber Resilience Act still imposes rigorous standards on manufacturers, traders, and importers of hardware and software products.
From 2024, obtaining a digital CE cyber security accreditation will be mandatory to sell such products on the European market.
If you are a creative team and your start-up is in the seed or pre-seed stage, you probably have some specific questions, which we will answer in this article.
1. Does the Cyber Resilience Act also apply to a start-up in the pre-seed/seed phase?
YES – if your start-up develops hardware and software products that connect directly or through a third party to the Internet.
YES – if your start-up sells hardware and software products.
YES – if your start-up imports hardware and software products for sale in the EU.
NO – if you develop software as a service, not as a product, because your digital service is regulated by other European cyber security laws (see the NIS 2 Directive and the CE website).
2. Why does it also apply to a start-up with a product in the first stages of development?
Because your start-up must build and apply a Cyber Security Policy throughout the life of the product: concept, production, testing, installation, maintenance, and marketing.
More precisely, at each stage you establish your risks, vulnerabilities, and a set of procedures, strategies, and techniques by which you combat the estimated risks and vulnerabilities.
When we talk about risks and vulnerabilities, don’t forget to take into account the security of devices, applications, platforms, tools, licenses, and the behaviors of your team.
In start-ups, these early phases are characterized by a lot of flexibility in approach and interaction in the team. Now we often expose ourselves to risks that are difficult to remedy in the advanced phases of product development.
We know that most start-ups address the Cyber Security Policy aspects when they launch their product on the market, but as you can read in our previous article, according to the future rules, it might be too late and insufficient to obtain accreditation for the EU market.
3. What do I do if the start-up does not have money for consultants, licenses, and cyber tools?
This is a frequent question we receive from the start-ups we mentor, that’s why we made a short list of suggestions that are easy to implement:
- Educate yourself about cybersecurity throughout the product life cycle (SDLC);
- Contact the start-up business ecosystem (hubs, accelerators, mentors);
- Contact the hubs around the IT&C corporations that support start-ups;
- Ask for a free credit from companies with test, penetration and cyber monitoring technology;
- Co-opt co-founders specialized in cyber security (political and tech);
- Offer barter services with partners to ensure your cyber security and cyber resistance testing during product development.
Don’t forget to read our previous article, build a Cyber Security Policy following the steps there and contact us if you need feedback.
4. My start-up only trades/imports hardware and software products. What do I need to do to comply with the Cyber Resilience Act?
For now we recommend:
- Follow the European Commission website to see when the Cyber Resilience Act is approved;
- Read the final approved content and see what are the specific provisions for companies in the hardware and software product sales chain;
- Go through the steps to obtain the CE digital authorization within the terms of the Act.
At this moment, the European Commission has announced that the Cyber Resilience Act will enter into force at the beginning of 2024, and the companies concerned must comply within 36 months from publication in the Official Journal.
