Are you a producer of digital products doing business within the European Union? If so, the recently approved European Cyber Resilience Act (CRA) 2024 is likely to bring more stringent product security requirements.
In response to the CRA, we're rolling out a set of actionable tools, all accessible for free on our website soon. These resources will include:
A detailed breakdown of CRA requirements tailored to different stakeholders, allowing you to focus on the specific obligations relevant to your role, whether you're a manufacturer or a conformance assessor. Additionally, you can home in on the specific requirements e.g. documentation needs, conformance process, enforcement timelines etc.
Essential CRA requirements outlined alongside methods for compliance, with mappings to established frameworks like NIST 800-218 (SSDF) and NIST 800-53, potentially aligning with controls you may have already implemented.
Here are some key points to keep in mind about the CRA:
Essential product cybersecurity requirements include addressing exploitable vulnerabilities, encryption, security updates, coordinated disclosure, and minimizing attack surfaces are highlighted in Annex I. Conformity with CRA is closely tied to these requirements and supporting documentation.
Don't mistake it for DORA or the NIS 2 directive; each serves distinct purposes. We're working on harmonized controls to streamline compliance across these regulations, supporting a 'measure once, apply to many' approach." Feel free to reach out to us if this is of interest to you.
EU has other regulations focused on Medical, Defense, Civil Aviation and Vehicle products. These products are not in scope of CRA.
There is a significant focus on the conformity assessments including third-party assessor role in it.
CRA is mostly focused on the “what”. The “how” e.g. Threat modeling, Static Code Analysis, DAST, SCA etc. are not mentioned explicitly. Interestingly, SBOMs are mentioned a few times.
Non-compliance with the essential requirements shall be subject to administrative fines of up to EUR 15,000,000 or, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Parts of the regulation will start getting enforced late 2025 with full enforcement starting 2027.
Organizations are spending significant amount of time deciphering and implementing evolving requirements from regulations, customers, internal stakeholders, and frameworks. Our goal at Cyvidia is to save you time and effort in harmonizing these obligations to facilitate practical compliance.
Stay tuned for our upcoming resources and let us help you stay ahead of the curve in meeting CRA obligations.
Comments