The development of technology and digitization have a wide-ranging effect on our work tasks, our time off and our whole society. In recent years, the European Union has tried to strengthen the cyber security of the digital world. New European Union legislation coming into effect in 2024 and 2025 mandates stricter cybersecurity requirements for all electronics, from consumer IoT devices to critical infrastructure.
The recently updated Network and Information Security Directive (NIS2 Directive), which protects critical functions of society, and the Cyber Resilience Act (CRA), which requires information security for products, will both affect the development of technology products. The cyber security regulation coming into force will require the software industry to monitor vulnerabilities, report incidents and fix security gaps throughout the entire life cycle of the software. The requirements apply both to application programs installed on computers and to embedded software in smart devices.
NIS2 obliges organizations to include cyber security risks as part of the organization's risk management. The national application of the European Union's network and information security directive, or NIS2 directive, in Finland begins on October 18, 2024. The goal of NIS2 is to strengthen the level of cyber security in sectors and actors considered critical for the functioning of society. According to the directive, the responsibility for cyber security rests with the company's management, and executives can be held personally liable for negligence.
The NIS2 directive particularly affects industries that provide critical or essential services to society. The directive automatically applies to all medium-sized (50+ employees and more than EUR 10 million annual turnover) and large companies operating in critical industries. The directive also applies to all nationally designated critical operators, regardless of size.
According to the directive, companies must identify, evaluate and manage risks that affect the security of the communication networks and information systems used in the organization's operations. Cybersecurity risk management must prevent incidents or minimize their impact on operations. Under the directive, it is the responsibility of management to create and maintain a corporate culture that supports cyber security. This means appropriate, well-defined and trained operating models and instructions, as well as the staff's commitment to following them. The information security management system (ISMS) at the heart of the ISO/IEC 27001 standard largely covers the requirements set by NIS2.
In addition to operating models, technical controls are needed, such as firewalls, intrusion detection systems, security logs from operating systems and applications, and endpoint protection software. Malware detection should take place on several layers, including devices at the edge of the network, and the organization should be able to centrally analyze security events and generate alerts from them. For embedded systems, this means that devices used in mission-critical applications should support strong user authentication, threat detection, and reporting of security events to a centralized monitoring system.
The EU's Cyber Resilience Act (CRA) is a proposed European Union regulation that aims to improve the cyber security of products containing digital elements, such as devices and software connected to the Internet. The CRA applies to all products that have a digital component and whose intended or reasonably foreseeable use includes a direct or indirect data connection to the Internet or to another Internet-connected device. Depending on the security risk of the product, a product covered by the CRA may be subject to either voluntary or mandatory certification. In addition, the manufacturer must report cyber security problems found in its products and keep the products compliant with CRA requirements through security fixes for at least five years.
According to the original plans, the CRA regulation was supposed to enter into force at the beginning of 2024, but according to current information, the regulation will enter into force at the end of 2024 or during 2025. When the regulation goes into effect, the products must have a CE marking, which informs consumers that the product meets the requirements of the CRA and related directives.
Radio devices are electrical and electronic devices that transmit and receive radio waves or that have a built-in radio component for wireless connectivity. Typical wireless connection technologies are WiFi, Bluetooth, NB-IoT and LTE-M. The Radio Equipment Directive (RED) is the EU directive that regulates the design, manufacturing and marketing of radio equipment in the European Union. The updated radio equipment directive (RED 2) includes not only the traditional requirements related to radio technology, but also requirements for the cyber security of the equipment. The ETSI EN 303 645 and IEC 62443 standards are relevant for demonstrating a sufficient level of cyber security.
Manufacturers and importers of radio equipment must ensure that their products meet the criteria of the directive and that the equipment can be updated if necessary. All individual radio products that are placed on the EU market after 1 August 2025 must meet these new cyber security requirements. Old devices that have already been placed on the EU market before the entry into force can continue to be used without special adaptations until the end of their life cycle.
In the future, the regulation will force industry operators to pay attention to cyber security. Cyber security is something that must be constantly developed so that digital devices and software that perform important tasks work reliably. Managing cyber security requires extensive expertise and know-how at different levels of the organization, as well as continuous monitoring of one's own operational and threat environment.
CVG Convergens is a long-term partner that offers services over the entire life cycle of products and systems containing electronics. We offer services for the development of embedded systems, from business-level analysis to a finished, marketed product. We have solid experience in both software and physical hardware solutions. Typical products we develop are board computers, computer and control modules, IoT sensors and actuators, telecommunications equipment, user interfaces, portable devices and the related software. In addition to development, we offer services across the product life cycle, including design, compliance and certification, manufacturing and maintenance. We help your company design and develop secure embedded solutions.