Are you a start-up or IT&C company? Are you ready to apply for the EU Cyber Security Certificate? Did you know that, in the near future, you will not be able to sell an ICT product in the EU without this Certificate?
Until 2023, cyber security regulations targeted only key companies (corporations and companies with a large socio-economic impact under NIS); starting from 2024, under the Cyber Resilience Act, we expect regulation of the entire IT&C market (manufacturers, importers, and distributors of hardware and software).
The EU establishes uniform cyber security standards and imposes the obligation to obtain accreditation, which gives the right to sell hardware and software products connected directly or indirectly to the Internet.
The purpose of this initiative is to protect EU users from security flaws in the production and maintenance stage of software and hardware products.
For your company to be considered resilient from a cyber perspective, we advise you to implement a Cyber Security Policy that defines strategies, procedures, techniques, and clear tools for evaluation, monitoring, and testing throughout the life of the product: concept, production, testing, implementation, commercialization, use, update, maintenance, uninstallation/termination.
Stage 1 | Concept
How do you design your product?
This is the moment when we recommend building your Cyber Security Policy, taking into account every stage of development and every technical detail of the product.
This Policy will be communicated to and applied by all members of the development team, and it is also the document that will help you obtain the CE cyber accreditation for your product.
Stage 2 | Product development
How do you ensure and verify security and the latest updates for:
1. the work devices on which the code is written
2. the applications used and their licenses
3. the development of code resistant to SQL injection, XSS, CSRF, etc. See also the OWASP Top 10
4. the servers where the code is stored
5. the integration of your code with third-party algorithms and industry tools. Third-party policy and OSINT
6. the code-sharing techniques and platforms used between members of the development team
7. the devices, tools, and in-house scanning and testing team. Opt for RPA.
8. the behavior and ethics of the employees on the development and testing teams. See also the current SecDevOps approach
9. installing/uninstalling the code on your hardware product
10. IP policy
Stage 3 | Testing the product on the market
Where does your product run? What are the vulnerabilities specific to the runtime environment? What cyber measures do you implement?
If you are a B2B company, your market is the client’s intranet and the internet.
If you are a B2C company or deliver for one, your market is the internet and the devices of individual customers.
Stage 4 | Installation and use of the product at the customer
Are you technically, legally, and cyber-prepared to sell the product on the market?
Most start-ups are only now becoming aware of and addressing cyber security issues, under the pressure of client demands.
This is also the moment when, within a maximum of 36 months from the entry into force of the Cyber Resilience Act, your company will have to accredit its product from a cyber point of view and receive the CE digital mark in order to have the right to market the product within the European space.
If you built your Cyber Security Policy at Stage 1, now you will use that documentation to obtain the CE cyber accreditation.
Stage 5 | Update & maintenance & upgrade
Is the update as cyber-resilient as the product? Are you prepared for maintenance in case of a cyber incident? Is your product compatible with new technologies?
We recommend that you include clear procedures for updating, maintaining, upgrading, and resolving security incidents within your Cyber Policy.
Given the development of new technologies (IoT, AI, blockchain, quantum computing, metaverse) and devices, don’t forget that something could go wrong on the cyber side of your product.
That’s why it is important to prepare in advance a procedure for incident alerting and ad-hoc maintenance, and to stay up to date with the technologies that will follow.
Stage 6 | Uninstallation & termination
How do you ensure your internal and your product’s security after the termination of the contract? What security guarantees do you offer the client after your legal collaboration has ended?
We recommend including a chapter titled “Uninstallation policy and cyber security” in the contract with your clients, through which you can receive and provide security guarantees for at least 1-2 years after the termination of the contract.
Probably, having read the article up to this point, you have already realized how important a Cyber Security Policy is, even if you have a start-up in the early stages (pre-seed or seed).
What happens if we do NOT have the CE accreditation?
1. we are legally vulnerable to cyber incidents (product, company, and distribution chain)
2. we lose customers
3. we receive fines
4. the product may be banned on the EU market
5. we cannot participate in auctions
6. we are not eligible for investors
7. implementing cyber procedures too late could be more expensive in terms of time, money, and human effort, and the final result may be merely satisfactory.
So we can conclude that without an adequate Cyber Security Policy implemented on time, our work and our financial and human investment can be blown up exactly when our business is preparing to scale.
What can we do if we already have a product for which we have not applied any Cyber Policy so far?
We will come back to this very frequent case in a future article.