Navigating NIS2 and the Cyber Resilience Act: Requirements for IoT Device, Software & Vulnerability Documentation

With the rise of evolving cyber threats, securing connected devices and software has become a critical focus for both businesses and regulators. In response, cybersecurity regulations across the European Union (EU) are imposing more rigorous measures to safeguard digital infrastructures. Two significant pieces of legislation, the NIS2 Directive and the Cyber Resilience Act (CRA), are setting new standards for organizations, particularly regarding Internet of Things (IoT) device security, software integrity and vulnerability management. While both aim to enhance the security and resilience of critical systems, their specific documentation requirements provide vital guidance to companies that design, deploy or rely on these technologies.

NIS2 Directive: Strengthening Network and Information System Security

The NIS2 Directive enhances the EU's cybersecurity framework by setting higher standards for network and information system security, specifically focusing on critical sectors such as energy, transport and healthcare. It imposes obligations on operators of essential services and digital service providers to ensure that their systems are resilient against cybersecurity threats.

Key documentation requirements for IoT, software and vulnerability management under NIS2 include:

  1. Risk Management: Organizations must establish and document cybersecurity risk management measures to safeguard the confidentiality, integrity and availability of IoT devices and software. This includes regular assessments of potential vulnerabilities.

  2. Incident Reporting: NIS2 mandates the documentation and timely reporting of any significant security incidents, including incidents related to IoT devices or software vulnerabilities that could impact critical infrastructure.

  3. Supply Chain Security: IoT vendors must document the cybersecurity measures taken across the supply chain to ensure that risks associated with third-party vendors or external software components are identified and mitigated.

  4. Security by Design: IoT devices must be developed with security integrated into their design, and relevant documentation should be maintained to demonstrate compliance with secure development practices.

Cyber Resilience Act: Fostering Cybersecurity for Connected Products

The Cyber Resilience Act (CRA), introduced by the European Commission, focuses on improving the cybersecurity of connected products throughout their lifecycle. This regulation is particularly significant for manufacturers of IoT devices and connected software, addressing concerns related to vulnerability exploitation and supply chain attacks.

The CRA introduces a range of documentation requirements to ensure that devices and software meet established security standards:

  1. Vulnerability Disclosure: Manufacturers must maintain and publicly document processes for identifying, managing and disclosing vulnerabilities within IoT devices or software. This includes ensuring that any discovered vulnerabilities are addressed promptly through patches or updates.

  2. Security Updates and Patching: The CRA requires manufacturers to document their approach to providing regular security updates for connected products, ensuring devices remain resilient to emerging cyber threats.

  3. Product Lifecycle Management: Documentation is required to demonstrate that the cybersecurity of IoT devices is maintained throughout their entire lifecycle, from design to decommissioning. This includes providing information about the duration of support for the device.

  4. Testing and Certification: Compliance with security standards must be documented through rigorous testing and certification processes, ensuring that IoT devices meet both functional and security requirements before market release.

Both NIS2 and the Cyber Resilience Act emphasize the need for robust cybersecurity measures and transparent documentation, especially concerning IoT devices, software and vulnerabilities. Organizations must prioritize documenting security measures, vulnerability disclosures and the ongoing management of cybersecurity risks to meet compliance standards and protect their systems against evolving cyber threats.

Achieving this level of oversight can be challenging, but SomosID™ simplifies the process with an IoT asset registry solution that provides unmatched visibility and empowers organizations to:

  • Validate the identities of their IoT assets against multiple data sources.

  • Stay informed of vulnerabilities across their connected devices.

  • Ensure compliance with evolving regulatory frameworks.

Stay ahead of regulatory changes and strengthen your cybersecurity posture. Contact our team to learn more about how SomosID can help you stay compliant with upcoming regulations: iot@somos.com.