In our previous article, we talked about the EU regulations aimed at cybersecurity of hardware and software products from 2024.
Although this provision protects customers in this industry, the Cyber Resilience Act still imposes stringent standards on manufacturers, traders, and importers of hardware and software products.
From 2024, digital CE cybersecurity certification will be required to sell such products in the European market.
If you're a creative team and your startup is in the seed or pre-seed stage, you probably have some specific questions that we'll answer in this article.
1. Does the Cyber Resilience Act also apply to pre-seed/seed phase startups?
Yes – if your startup is developing hardware and software products that connect to the Internet directly or through a third party.
Yes – if your startup sells hardware and software products.
Yes – if your startup is importing hardware and software products for sale in the EU.
No – if you develop software as a service rather than as a product, as digital services are regulated by other European cyber security laws (see NIS 2 Directive and CE website).
2. Why is this also true for start-up companies with products in the first stages of development?
That's because startups need to develop and apply cybersecurity policies throughout a product's entire lifecycle, including concept, manufacturing, testing, installation, maintenance, and marketing.
More precisely, this means establishing a set of steps, strategies, and techniques to address both identified and estimated risks and vulnerabilities at each stage.
When talking about risks and vulnerabilities, remember to consider device, application, platform, tool, license security, and team behavior.
In startups, these early stages are characterized by great flexibility in approach and interaction within the team. At this point, teams are often exposed to risks that are difficult to remediate at advanced stages of product development.
We know that most startups tackle aspects of cybersecurity policy when bringing their products to market, but as you can read in our previous article, the future rules will make getting certified difficult, and that approach may be too slow and insufficient for the EU market.
3. What if my startup doesn't have the money to buy consultants, licenses, or cyber tools?
This is a question we often get asked by the startups we mentor. That's why we've created a short list of suggestions that you can easily implement.
- Learn about cybersecurity through the product lifecycle (SDLC).
- Reach out to the startup business ecosystem (hubs, accelerators, mentors).
- Contact our hub of IT&C companies supporting startups.
- Seek free credit from companies with testing, penetration, and cyber surveillance technology.
- The co-founders of Co-opt specialize in cyber security (politics and technology).
- We offer barter services with our partners to ensure cyber security and cyber resilience testing during product development.
Don't forget to read the previous article, follow the steps there to create your cyber security policy, and contact us for feedback.
4. My startup only trades/imports hardware and software products. What do I need to do to comply with cyber resilience laws?
At this time we recommend the following:
- Follow the European Commission website to find out when the Cyber Resilience Act will be approved.
- Read the final approval to find out what the specific provisions are for companies in the distribution chain of hardware and software products.
- Take steps to obtain CE digital certification within the terms of the law.
At the moment, the European Commission has announced that the Cyber Resilience Act will come into force in early 2024 and that relevant companies will have to comply within 36 months of publication in the Official Gazette.