Send message to

Do you want to send the message without a subject?
Please note that your message can be maximum 1000 characters long
Special characters '<', '>' are not allowed in subject and message
reCaptcha is invalid.
reCaptcha failed because of a problem with the server.

Your message has been sent

You can find the message in your personal profile at "My messages".

An error occured

Please try again.

Make an appointment with

So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.

Create an onsite appointment with

So that you can make an onsite appointment, the appointment request will open in a new tab.

Header of ATHENE | Fraunhofer SIT
Forums it-sa Expo Knowledge Forum A

The EU Cyber Resilience Act: Changes and Challenges for Manufacturers

The EU's Cyber Resilience Act requires manufacturers of products with deigital elements to comply with essential security requirements.

calendar_today Wed, 23.10.2024, 10:00 - 10:30

event_available On site

place Forum, Booth 6-215

Action Video

south_east

Action description

south_east

Speaker

south_east

Themes

Data security / DLP / Know-how protection Legislation, standards, regulations

Key Facts

  • CRA will be mandatory in at most 36 months; high penalties
  • Affects all manufacturers of products with digital elements
  • Requirements on processes and products

Event

This action is part of the event Forums it-sa Expo

Action Video

grafischer Background
close

This video is available to the it-sa 365 community. 
Please register or log in with your login data.

Action description

In this talk, we highlight the Cyber Resilience Act (CRA) enacted by the European Union. The CRA applies to manufacturers of products with digital elements and establishes a common baseline level of IT security across all products. With the CRA, mandatory security requirements apply to products that are not yet covered by (usually stricter) sector-specific regulation as we know it from, e.g., the aerospace industry or healthcare devices. This makes the CRA a highly relevant topic specially for companies that do not have experience with security regulation yet as, e.g., industrial machines ("shopfloor hardware") are now affected for the first time. The same applies to smaller companies, e.g., SMEs working on mobile apps.

The CRA provides procedural as well as technical requirements. For example, manufacturers need to create and maintain a software bill of materials (SBOM), and establish a coordinated vulnerability disclosure (CVD) process that allows arbitrary external entities, not only the manufacturer's customers and partners, to report vulnerabilities in the products. Further, manufacturers must establish a monitoring for potential vulnerabilities being disclosed in the libraries and third-party dependencies of their products. If such a vulnerability becomes known and affects the security of the product, the manufacturer must provide a remedy, e.g., via an update. All of these processes need to be designed and/or adapted for the specific circumstances of the manufacturer and must be integrated into the design, development, implementation and support of products. This also includes the preparation of updates in compliance with the CRA.

On the technical requirements, the CRA requires manufacturers to safeguard the confidentiality and integrity of all data processed with the product. In contrast to existing regulation such as the GDPR, this requirements also affects data that is not personal or privacy-sensitive. Other requirements focus on ensuring the availability of devices and services, reducing the attack surface, providing secure default settings, and many other topics.

In this talk, we will give an overview of the most important topics and will provide guidance on how to get started on ensuring CRA compliance.

Similar in spirit to the GDPR, violations of the CRA will be punishable with fees relative to the annual yearly worldwide turnover of the manufacturer. With only (at most, depending on the topic) 36 months left to prepare for the CRA, manufacturers should get started on reviewing their processes and products and on identifying any shortcomings they still need to address. Aside from new requirements, the CRA also provides the opportunity for manufacturers to improve the security of their products in a structured way and to make these effects transparent to their customers.
... read more

Downloads

Language: English

Questions and Answers: No

Speaker

show more
close

This content or feature is available to the it-sa 365 community. 
Please register or log in with your login data.