
ATHENE | Fraunhofer SIT
Forums it-sa Expo, Knowledge Forum A

The EU Cyber Resilience Act: Changes and Challenges for Manufacturers

The EU's Cyber Resilience Act requires manufacturers of products with digital elements to comply with essential security requirements.

Date: Wed, 23.10.2024, 10:00 - 10:30

Format: On site

Location: Hall 6, Booth 6-215


Themes

  • Data security / DLP / Know-how protection
  • Legislation, standards, regulations

Key Facts

  • CRA will be mandatory in at most 36 months; high penalties
  • Affects all manufacturers of products with digital elements
  • Requirements on processes and products

Event

This action is part of the event Forums it-sa Expo

Action description

In this talk, we highlight the Cyber Resilience Act (CRA) enacted by the European Union. The CRA applies to manufacturers of products with digital elements and establishes a common baseline level of IT security across all such products. With the CRA, mandatory security requirements apply to products that are not yet covered by (usually stricter) sector-specific regulation as we know it from, e.g., the aerospace industry or healthcare devices. This makes the CRA a highly relevant topic especially for companies that have no experience with security regulation yet, as, e.g., industrial machines ("shopfloor hardware") are now affected for the first time. The same applies to smaller companies, e.g., SMEs working on mobile apps.

The CRA imposes procedural as well as technical requirements. For example, manufacturers need to create and maintain a software bill of materials (SBOM), and establish a coordinated vulnerability disclosure (CVD) process that allows arbitrary external entities, not only the manufacturer's customers and partners, to report vulnerabilities in the products. Further, manufacturers must establish monitoring for vulnerabilities disclosed in the libraries and third-party dependencies of their products. If such a vulnerability becomes known and affects the security of the product, the manufacturer must provide a remedy, e.g., via an update. All of these processes need to be designed and/or adapted to the specific circumstances of the manufacturer and must be integrated into the design, development, implementation and support of products. This also includes the preparation of updates in compliance with the CRA.

On the technical side, the CRA requires manufacturers to safeguard the confidentiality and integrity of all data processed by the product. In contrast to existing regulation such as the GDPR, this requirement also covers data that is not personal or privacy-sensitive. Other requirements focus on ensuring the availability of devices and services, reducing the attack surface, providing secure default settings, and many other topics.

In this talk, we will give an overview of the most important topics and will provide guidance on how to get started on ensuring CRA compliance.

Similar in spirit to the GDPR, violations of the CRA will be punishable with fines relative to the annual worldwide turnover of the manufacturer. With only (at most, depending on the topic) 36 months left to prepare for the CRA, manufacturers should get started on reviewing their processes and products and on identifying any shortcomings they still need to address. Aside from new requirements, the CRA also provides the opportunity for manufacturers to improve the security of their products in a structured way and to make these improvements transparent to their customers.

Language: English

Questions and Answers: No
