
Using trust and visibility to comply with EU cybersecurity regulations

As cybersecurity threats grow, European regulators are moving to tame this digital frontier, with far-reaching implications for every company doing business in the EU. This is happening mainly through two new pieces of legislation taking effect in 2024: the EU Cyber Resilience Act (CRA) and the Network and Information Security Directive 2 (NIS2).

To meet these requirements, organizations are turning to solutions that increase transparency and trust in their systems and supply chains.

These solutions include software bills of materials (SBOMs), hardware bills of materials (HBOMs), and root of trust (RoT) technology such as OpenTitan, the open-source silicon RoT that recently became commercially available.

Cyber Resilience Act

The CRA is a proposed piece of legislation in the advanced stages of preparation. It would introduce mandatory cybersecurity requirements for hardware and software products with digital elements, covering the whole product lifecycle.

The intent behind the CRA is to reduce the number of products on the European market with cybersecurity vulnerabilities, to increase transparency about security measures for the benefit of buyers, and to keep manufacturers accountable for the security of their products for as long as they are supported.

The European Commission expects the current proposal to come into force in 2024, with EU member states and affected companies having 36 months to comply with the main obligations; the obligation to report actively exploited vulnerabilities and severe incidents applies earlier, 21 months after entry into force. The CRA introduces significant penalties for non-compliance: fines of up to €15 million ($16.2 million) or 2.5% of annual global turnover for the previous financial year, whichever is higher.

The obligations placed on manufacturers, importers and distributors are significant. Products must be designed, developed and produced in line with the CRA's essential cybersecurity requirements, and manufacturers must handle vulnerabilities and report actively exploited ones throughout the product's support period, including vulnerabilities that surface in uses that were not anticipated during development.

NIS2: the more urgent matter

On 16 January 2023, EU Directive 2022/2555 (the NIS2 Directive) entered into force. EU Member States must transpose it into national law by 17 October 2024, after which companies operating in the EU in sectors deemed highly critical or critical will have to comply.

This applies to companies in sectors such as energy, transport, banking and finance, healthcare and digital infrastructure that meet the size criteria, broadly medium-sized or larger enterprises: at least 50 employees, or an annual turnover or balance sheet above EUR 10 million.

Businesses should also be aware that NIS2 authorises EU Member States to expand the set of companies and sectors that must comply at national level, which is already visible in Germany's draft implementing legislation.

To comply, these companies must have appropriate measures in place by October 2024: business continuity plans, cybersecurity risk management policies and procedures, cybersecurity training for staff, and the ability to meet regulatory audit and reporting obligations. Incident reporting is time-bound: an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month.

As with the CRA, penalties for non-compliance with NIS2 are severe. Essential entities face fines of up to €10 million ($10.8 million) or 2% of annual global group turnover (whichever is higher), important entities up to €7 million or 1.4%, and supervisory authorities can temporarily suspend relevant certifications or authorisations.

In addition, management bodies such as boards of directors and senior management must approve and oversee the risk management measures, and a breach of these duties may result in personal liability.

Increasing Supply Chain Transparency and Security

At the heart of this shift are the SBOM and HBOM. These are machine-readable inventories of the software and hardware components in a product, including version details, licensing information, provenance and dependencies. By giving visibility into software and hardware supply chains, they let organizations make informed decisions about the products they deploy and, when a vulnerability is disclosed, find out quickly whether and where an affected component is present.

One significant catalyst for SBOM adoption was U.S. President Joe Biden's 2021 Executive Order 14028 on Improving the Nation's Cybersecurity, which directed federal agencies to establish SBOM requirements for software sold to the government and provided the basis for broader industry adoption. U.S. bodies such as the Department of Defense (DOD), General Services Administration (GSA) and NASA have since been integrating SBOM and HBOM requirements into their procurement processes, further increasing adoption across sectors.

The HBOM framework, published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in 2023, gives suppliers and buyers a consistent and repeatable way to describe hardware components, enabling risk assessment and mitigation throughout the supply chain and increasing resilience.
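What "effectively manage potential vulnerabilities" looks like in practice is matching an advisory against the inventory and tracing how the affected component reaches the product. The following is an added example, not code from the article or from any SBOM tool: it reads a constructed CycloneDX-style SBOM (component names, purls, versions and the `gateway` product are invented) and checks it against constructed advisories with hypothetical `ADV-` identifiers, not real CVEs.

```python
"""Added example, not from the article: consuming an SBOM for vulnerability
management. The SBOM is a constructed CycloneDX-style document and the
advisories are constructed samples, not real CVE data. It answers the two
questions an operator asks when an advisory lands: which shipped components
fall in the affected range, and via which dependency path each one reaches
the product (a component with no path is an SBOM-quality finding in itself)."""
import json
import re

SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:generic/acme/gateway@3.2.0",
                             "name": "gateway", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "pkg:pypi/webfw@2.1.3", "name": "webfw", "version": "2.1.3",
     "purl": "pkg:pypi/webfw@2.1.3"},
    {"bom-ref": "pkg:pypi/tlslib@1.4.0", "name": "tlslib", "version": "1.4.0",
     "purl": "pkg:pypi/tlslib@1.4.0"},
    {"bom-ref": "pkg:pypi/jsonparse@0.9.12", "name": "jsonparse", "version": "0.9.12",
     "purl": "pkg:pypi/jsonparse@0.9.12"},
    {"bom-ref": "pkg:pypi/oldcrypto@0.3.0", "name": "oldcrypto", "version": "0.3.0",
     "purl": "pkg:pypi/oldcrypto@0.3.0"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/acme/gateway@3.2.0",
     "dependsOn": ["pkg:pypi/webfw@2.1.3", "pkg:pypi/tlslib@1.4.0"]},
    {"ref": "pkg:pypi/webfw@2.1.3", "dependsOn": ["pkg:pypi/jsonparse@0.9.12"]}
  ]
}"""

# Constructed advisories (hypothetical IDs): affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:pypi/jsonparse", "introduced": "0.9.0", "fixed": "0.9.14"},
    {"id": "ADV-0002", "purl": "pkg:pypi/tlslib", "introduced": "1.0.0", "fixed": "1.4.0"},
    {"id": "ADV-0003", "purl": "pkg:pypi/webfw", "introduced": "2.2.0", "fixed": "2.2.5"},
    {"id": "ADV-0004", "purl": "pkg:pypi/oldcrypto", "introduced": "0.1.0", "fixed": "0.4.0"},
]

def parse_version(text):
    """Dotted numeric versions only (1.4.0); a trailing tag such as rc1 is ignored.
    Real tooling must use the ecosystem's own comparison rules (PEP 440, semver)."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group().split("."))

def purl_base(purl):                 # pkg:pypi/webfw@2.1.3 -> pkg:pypi/webfw
    return purl.split("@", 1)[0]

def is_affected(advisory, component):
    if purl_base(component["purl"]) != advisory["purl"]:
        return False
    v = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def dependency_paths(sbom, target_ref):
    """Every path from the product (metadata.component) down to target_ref."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = []
    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:          # guard against cyclic dependency data
                walk(child, path + [child])
    root = sbom["metadata"]["component"]["bom-ref"]
    walk(root, [root])
    return paths

def find_affected(sbom, advisories):
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if is_affected(adv, comp):
                hits.append({"advisory": adv["id"], "component": comp["purl"],
                             "paths": dependency_paths(sbom, comp["bom-ref"])})
    return hits

def report(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    hits = find_affected(json.loads(sbom_json), advisories)
    for h in hits:
        route = (" -> ".join(h["paths"][0]) if h["paths"]
                 else "NOT REACHABLE from product (check SBOM completeness)")
        print(f'{h["advisory"]}: {h["component"]}  via {route}')
    return hits

if __name__ == "__main__":
    report()
```

Two of the four advisories match: `jsonparse` is pulled in transitively through `webfw`, which is the path an operator needs when deciding who owns the fix, and `oldcrypto` is listed as a component but has no dependency edge leading to it, which means either dead inventory or an incomplete SBOM. The other two miss because `tlslib` is exactly at the fixed version and `webfw` is below the introduced range; getting those boundaries right is why version comparison should defer to the ecosystem's own rules rather than the simple numeric tuple used here.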

Silicon Root of Trust

If the SBOM and HBOM are the memory behind cybersecurity resilience, then the silicon root of trust (SiRoT) is its mind, and that mind is a steel trap.

A SiRoT sits below the operating system and the boot loader in the stack. It provides a small, constrained, trusted execution environment and a set of hardware security features designed to ensure that the core components of the system are trusted from power-on and throughout the product's lifecycle.

In the context of regulatory compliance such as the CRA, a SiRoT plays a key role in showing that cybersecurity was prioritized during product planning, design and development.

Manufacturers can use a SiRoT such as OpenTitan to implement secure boot, detect and report unauthorized modifications to the system, monitor system integrity throughout the lifecycle, execute cryptographic operations (key storage, signing, attestation) in a trusted environment, and apply software updates securely.

With built-in protection against side-channel and fault-injection attacks, a well-designed SiRoT contributes significantly to the tamper resistance of the host, making it harder for attackers to compromise the integrity of the product. Manufacturers can use SiRoT capabilities to detect and report unauthorized system modifications, in line with regulatory requirements to document and report cybersecurity threats and incidents.

In addition, a SiRoT can make remote software updates safe by ensuring that only authenticated and verified images are ever applied. This supports the requirement that manufacturers provide security updates throughout the product's support period, and it also gives a way back to a known-good state if the system is compromised through a vulnerability higher in the stack that was not anticipated at release. The two goals pull in opposite directions: anti-rollback protection stops an attacker from reinstalling an old, vulnerable image, so the known-good fallback must be a signed image whose version the RoT still accepts, and the rollback counter should advance only once a new image has proven that it boots.
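To make the boot-time checks above concrete, here is an added example, not code from the article, from OpenTitan or from any vendor, that models a root of trust verifying a firmware image: a signature under a key anchored in ROM, an anti-rollback version counter, and fallback to a known-good slot when the active image fails. The image format (`OTFW` magic, header layout), the slot names and the firmware payloads are constructed for the example. Signatures are hash-based Lamport one-time keys under a tiny Merkle tree, chosen so the file runs with Python's standard library; real RoT firmware uses standardised schemes such as ECDSA, RSA or SPHINCS+, but the checks and the slot logic have the same shape.

```python
"""Added example; not code from the article or from OpenTitan. Models the checks a
silicon root of trust makes at power-on: the image must be signed under a key
anchored in ROM, must not be older than the anti-rollback counter, and if the
active slot fails the RoT falls back to a known-good slot. Signatures are
hash-based (Lamport one-time keys under a 4-leaf Merkle tree, the construction
SPHINCS+ builds on) so the file runs with the standard library alone."""
import hashlib, os, struct

MAGIC = b"OTFW"                                   # hypothetical image magic
HEADER_LEN = 4 + 4 + 32                           # magic | version | H(payload)
PK_LEN, OTS_LEN = 256 * 64, 256 * 32
SIG_LEN = 1 + PK_LEN + OTS_LEN + 64               # index | pk | ots | sibling | uncle

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()
def _bits(msg):                                   # SHA-256(msg) as 256 bits, msb first
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]
def ots_keygen(rng=os.urandom):                   # Lamport: 256 secret pairs, public = hashes
    sk = [(rng(32), rng(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]
def ots_sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(_bits(msg)))
def ots_verify(pk, msg, sig):
    return all(H(sig[32 * i:32 * i + 32]) == pk[i][b] for i, b in enumerate(_bits(msg)))
def pk_bytes(pk):
    return b"".join(a + b for a, b in pk)

class Signer:
    """Manufacturer side: four one-time keys under one Merkle root; only the root is burned into the device (ROM/OTP)."""
    def __init__(self, rng=os.urandom):
        self.keys = [ots_keygen(rng) for _ in range(4)]
        self.leaves = [H(pk_bytes(pk)) for _, pk in self.keys]
        self.nodes = [H(self.leaves[0], self.leaves[1]), H(self.leaves[2], self.leaves[3])]
        self.root = H(*self.nodes)
        self.used = set()

    def sign(self, index, msg):
        if index in self.used:
            raise ValueError("one-time key reuse leaks the secret key")
        self.used.add(index)
        sk, pk = self.keys[index]
        return (bytes([index]) + pk_bytes(pk) + ots_sign(sk, msg)
                + self.leaves[index ^ 1] + self.nodes[(index >> 1) ^ 1])

def verify_under_root(root, msg, sig):
    if len(sig) != SIG_LEN or sig[0] > 3:
        return False
    index, blob = sig[0], sig[1:1 + PK_LEN]
    ots, sibling, uncle = sig[1 + PK_LEN:-64], sig[-64:-32], sig[-32:]
    pk = [(blob[64 * i:64 * i + 32], blob[64 * i + 32:64 * i + 64]) for i in range(256)]
    if not ots_verify(pk, msg, ots):
        return False
    leaf = H(pk_bytes(pk))                        # walk the auth path up to the ROM root
    node = H(leaf, sibling) if index & 1 == 0 else H(sibling, leaf)
    node = H(node, uncle) if index & 2 == 0 else H(uncle, node)
    return node == root

def build_image(signer, key_index, version, payload):
    header = MAGIC + struct.pack(">I", version) + H(payload)
    return header + signer.sign(key_index, header) + payload

class RootOfTrust:
    def __init__(self, root):
        self.root, self.min_version, self.log = root, 0, []   # anchor, rollback counter, evidence

    def check_image(self, image):
        if len(image) < HEADER_LEN + SIG_LEN or image[:4] != MAGIC:
            return False, "malformed header"
        header, sig = image[:HEADER_LEN], image[HEADER_LEN:HEADER_LEN + SIG_LEN]
        if not verify_under_root(self.root, header, sig):      # authenticate the header first
            return False, "bad signature"
        if H(image[HEADER_LEN + SIG_LEN:]) != header[8:40]:    # then bind the payload to it
            return False, "payload hash mismatch"
        version = struct.unpack(">I", header[4:8])[0]
        if version < self.min_version:
            return False, f"rollback: version {version} < {self.min_version}"
        return True, f"version {version} ok"

    def boot(self, slots):                        # active slot first, known-good next
        for name, image in slots:
            ok, reason = self.check_image(image)
            self.log.append((name, reason))       # rejected images are reportable events
            if ok:
                self.booted_version = struct.unpack(">I", image[4:8])[0]
                return name
        return None

    def commit(self):                             # advance the counter only after a successful boot
        self.min_version = max(self.min_version, self.booted_version)

def demo():
    signer, other = Signer(), Signer()
    rot = RootOfTrust(signer.root)
    v1 = build_image(signer, 0, 1, b"firmware v1 (constructed)")
    v2 = build_image(signer, 1, 2, b"firmware v2 (constructed)")
    tampered = v2[:-1] + bytes([v2[-1] ^ 1])             # one flipped payload bit
    foreign = build_image(other, 0, 3, b"signed by someone else")
    out = {"fresh": rot.boot([("A", v1)])}; rot.commit()
    out["bad_update"] = rot.boot([("B", tampered), ("A", v1)])   # B rejected, A boots
    out["good_update"] = rot.boot([("B", v2)]); rot.commit()
    out["downgrade"] = rot.boot([("A", v1)])                     # v1 < counter: rejected
    out["foreign"] = rot.boot([("B", foreign)])                  # wrong root: rejected
    return out
```

Note the ordering in `commit()`: the rollback counter advances only after the new image has booted, which is what keeps the fallback to slot A possible when the update in slot B turns out to be corrupt; a RoT that advanced the counter at verification time would strand the device on a bad update. Every rejection lands in `log` with a reason, which is the kind of evidence a manufacturer needs for the detect-and-report obligations discussed above. The one-time keys are a deliberate simplification: reuse of a Lamport key is a real compromise, which is why `Signer.sign` refuses it.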

Putting it all together

The combination of SBOM, HBOM and SiRoT mitigates cybersecurity risk by addressing vulnerabilities at different levels of the software/hardware stack. Adopting these measures helps organizations comply with evolving regulatory requirements that focus on the security of deployed systems, such as NIS2.

For manufacturers, adopting SBOM and HBOM helps them meet regulatory requirements such as the upcoming CRA, strengthens supply chain security, and demonstrates a commitment to cybersecurity best practice. By building SiRoT technology into their products, manufacturers can significantly strengthen their defences against cyber threats, protecting their assets and their customers' trust.

For end users, products built with SBOM, HBOM and SiRoT are a positive step toward security and integrity, and will go a long way toward instilling trust in the manufacturers who adopt them. With greater transparency into software and hardware components, including the openness that open-source designs such as OpenTitan offer, users can make informed decisions about their digital investments and take proactive steps to protect their data and privacy.