Upcoming Cyber Resilience Act (CRA)
Earlier in 2024 the European Parliament agreed on the proposal of the Cyber Resilience Act, which was then published by the European Commission in September 2024 in in the Official Journal of the European Union (OJEU). Manufacturers and importers have to deliver secure products to market and maintain product security thoughout products' lifetime. The CE-label will encompass these cybersecurity properties for products that are attached to networks.
For 2027 vendors and importers have to prepare cyber security of their products, if these products use networking capabilities:
Implement Security by Design in planning, design, development, production, delivery and maintenance phases. As importer you have to present that the product was designed with security in mind.
Make products' security updates available for at least 5 years and instruct customers on how to update the product.
Handle vulnerabilities effectively when they appear for the expected product lifetime or for a period of five years. There are exceptions.
Report any actively exploited vulnerabilities & incidences.
Assessing the fulfilment of security requirements depends on the CRA-defined risk classes depending on the type of products. The European Commission send out standardisation request to European Standardisation Organisations CEN, Cenelec and ETSI. The aim is to draft new or revise existing European standards that have been identified as candidates. These candidates fall into three classes: horizonal (general requirments e.g. for risk assessment), vertical (classes of products e.g. security for routers) and vulnerability handling.
Offerings
I offer you, based on technical security and privacy knowledge, scientific research, practical experiences in technology developments and active particpation during the definition of the Cyber Resilience Act:
Security Engineering and Safety Compliance Comprehensive security engineering services, ensuring potential safety requirements are addressea,d while also considering data protection regulations and breach reporting protocols.
Comprehensive Cybersecurity and Technology Consulting Consulting services covering a wide range of topics, including cybersecurity, software development, governance, compliance, cloud, open source, artificial intelligence, technical planning, and technical evaluation; supporting businesses, organisations, and individuals in navigating complex technical landscapes.
Strategic Cybersecurity Consulting I provide expert guidance on strategic and business-related cybersecurity challenges for your products, validating your processes, helping you align the CRA's security measures with business objectives.
That's all at a very high-level. Let's get in contact to prepare a deep dive ...