Understanding the EU Cyber Resilience Act: What IoT Manufacturers Need to Know
About Us
ICS supports our customers with software development, user experience design, platform and regulatory support to build next generation products. We provide a number of services focused on the medtech space including human factors engineering with a 62366 compliant process, hazard and risk analysis, 62304 compliant software development, and platform support including cybersecurity.
BG Networks equips embedded engineers and penetration testers with easy-to-use software automation tools including the first AI-from-scratch Threat Modeling and Risk Assessment platform that saves 10x the time and does not require training. BG Networks automation tools are designed to help with adherence to regulations and standards from the FDA, NIST, ISO, and the EU.
Cybersecurity Services
Cyber Testing & Detection
Barco is a market leader in professional visualization solutions and specializes in image processing, collaboration, and immersive experiences. It delivers high-end projectors, meeting rooms, video walls and displays for critical infrastructure. Barco is mainly active in markets like healthcare, cinema, control rooms, and live events.
Market Leader in Visualization
Speaker Introductions
Colin Duggan, Founder & CEO
Milton Yarberry, Director of Medical Programs & Cybersecurity
Jens Gellynck, Product Security Officer – Healthcare
Questions for Us: Put them in the Q&A as they come to mind
And a Question for You
We’ll ask now and at the end to see how well we have done explaining things.
What is your level of understanding of EU’s Cybersecurity Resilience Act?
POLL QUESTION RESPONSES (please respond now - choose one)
a. Very high (e.g., We’re ready to go. I understand the processes and security features needed)
b. High (e.g., Have an understanding of what security features my company’s products need)
c. Medium (e.g., Understand what classification my company’s products fall into)
d. Medium to Low (e.g., Have an understanding about incident reporting requirements)
e. Low (e.g., Don’t really know anything about it or how it will impact our processes and products)
EU Cyber Resilience Act (CRA) Overview
• All software & hardware products that connect to a network, sold in the EU
• Definition is products with digital elements
• Exceptions: products that already have cybersecurity regulation
• Covers manufacturers, importers, and distributors selling in the EU.
• Penalties up to €15M or 2.5% of global annual turnover for non-compliance.
Companies Possibly Impacted In North America
>6,000 Software Publishers
>6,000 Electronic Hardware Manufacturers*
The EU Impact Assessment Report** lists 615,272 companies impacted, but >99% are SMEs
(*) NAICS 2022, Enterprise Size >$1M, Categories: 3341 – 3345, 5112
(**) European Commission, Commission Staff Working Document, Impact Assessment Report, Proposal for a Regulation of the European Parliament on Horizontal Cybersecurity Requirements for Products with Digital Elements and Amending Regulation 2019/1020
What is a Product with Digital Elements
CRA ARTICLE 3 (Definitions)
‘Product with digital elements’ means a software or hardware product with a logical, physical, or indirect connection to data, electronic information systems, or a network;
‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions
Colin’s simple definition for a digital element:
Software or an IoT device, that is part of, or connected to a network and can be hacked
This means it does not apply to websites or cloud applications if they are not supporting products with digital elements
EU Cyber Resilience Act (CRA) Timeline
10 December 2024: CRA (EU 2024/2847) entered into force
August 30, 2026: Horizontal standards: Security framework (ensuring cybersecurity), vulnerability handling
11 September 2026: Notification requirements, for notifying CSIRT(s) and ENISA on incidents
October 30, 2026: Vertical standards for Class I, Class II and Critical products
October 30, 2027: Horizontal standards: Technical measures
11 December 2027: All obligations apply, but only for products introduced to market after this date
Obligations for Notification of Vulnerabilities and Incidents
Applies to Anything that is Currently on the Market
https://www.enisa.europa.eu/ CSIRT
11 September 2026: Requirements for notifying CSIRT(s) and ENISA on actively exploited vulnerabilities and severe incidents will apply, including all products with digital elements
An incident is considered to be severe where:
- It negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or
- It has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements.
Reporting shortly after an incident: 24 hours (warning), 72 hours (mitigation), 14 days (final report)
Class-I Products
1. Identity management systems and privileged access management software and hardware
2. Authentication and access control readers, including biometric readers
3. Standalone and embedded browsers
4. Password managers
5. Software that searches for, removes, or quarantines malicious software
6. Products with digital elements with the function of virtual private network (VPN)
7. Network management systems
8. Security information and event management (SIEM) systems
9. Boot managers
10. Public key infrastructure and digital certificate issuance software
11. Physical and virtual network interfaces
12. Operating systems
13. Routers, modems intended for the connection to the internet, and switches
14. Microprocessors with security-related functionalities
15. Application specific integrated circuits (ASIC) and FPGAs with security-related functionalities
16. Smart home general purpose virtual assistants
17. Smart home products with security functionalities (e.g. smart locks, security cameras)
18. Internet-connected toys
19. Personal wearable health monitoring products not covered by MDR/IVDR
Class I products perform security functions critical to other products
Class-II Products and Critical Products
CLASS-II PRODUCTS: Have the potential to cause damage to a large number of other products or cause physical harm
1. Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments
2. Firewalls, intrusion detection and prevention systems
3. Tamper-resistant microprocessors
4. Tamper-resistant microcontrollers
CRITICAL PRODUCTS: Could impact essential entities (see NIS2), critical infrastructure, or impact supply chains
1. Hardware Devices with Security Boxes
2. Smart meter gateways within smart metering systems
3. Smartcards or similar devices, including secure elements
Default Products
All others with a Digital Element that are not Class I, II, or Critical
• Will make up 90% of the products with digital elements
• Need to meet security requirements in Annex I and II
• Self assessment and declaration allowed
• Examples (our expectation – no official list yet)
  • Smart light bulbs
  • Hard drives
  • WiFi printers
  • Lab equipment
  • Word processing, spreadsheet, slide presentation software
  • Streaming media apps
  • Inventory management software
Compliance and Certification
• Manufacturers issue EU Declaration of Conformity.
• CE marking required before placing product on market.
Products are classified into:
- Default (self-assessment is allowed without notified body – meet requirements in Annex I)
- Class I (Important) (self-assessment allowed – using harmonized standards.)
- Class II (Important) (mandatory third-party assessment by a notified body required.)
- Critical (mandatory third-party assessment by a notified body required.)
Vertical harmonized standards will be released for the product types listed in the previous slides (from Annex III, IV)
Harmonized vertical standards expected October 30, 2026
Harmonized horizontal standards for framework & vulnerability monitoring expected September 2026
Harmonized horizontal standards for technical requirements expected October 2027
Which module applies to what (*)
START: Product with Digital Element
Is the product Class-I, Class-II or Critical?
- No: Use Module A (internal control, self assessment)
- Yes: Which one?
  - Class I: Use Module A only if harmonized standards are met (third party optional). Module B+C or H if no harmonized standard is used
  - Class II: Use Module B+C or H (third party mandatory)
  - Critical: May undergo EU Cybersecurity certification based on a decision as per the delegated act mentioned in Article 8 or, if not, use Module B+C or H (as it currently stands)
(*) Summary information. The reader is encouraged to read Article 32 and Annex VIII fully rather than relying solely on the summary information in this slide.
From DECISION No 768/2008/EC
• Module A – Self assessment
• Module B – 3rd party assessment of single product
• Module C – Consistent with previous product
• Module H – 3rd party assessment of cyber-QMS
Standards for Compliance
Some List Security Features, Some Processes
An ENISA study in April 2024 (*) found that no single standard today meets CRA requirements
Standards for the CRA are coming
There seems to be good coverage where ETSI EN 303 645 lists security features, and EN IEC 62443 includes features and processes (it also includes process frameworks for the lifecycle, which is a good reference).
(*) Cyber Resilience Act Requirements Standards Mapping (Joint Research Centre & ENISA Joint Analysis)
Annex I: Essential Cybersecurity Requirements - Part I: Cybersecurity requirements
• Security by Design: Products designed with appropriate level of cybersecurity based on risks
• Horizontal standards expected by August 30, 2026
• Based on the risk assessment, where applicable, products shall have the following properties:
-No known exploitable vulnerabilities
-Secure by default configuration
-Vulnerabilities must be patchable through (automatic) security updates (possible to opt-out)
-Protect against unauthorized access
-Data confidentiality
-Data integrity
-Data minimization
-Protect essential functions (during incidents) & be resilient against DoS attacks
-Minimize negative impact on other devices or services
-Minimize the attack surface (external interfaces)
-Designed to reduce the impact of incidents (defense in depth)
-Security logging & monitoring
-Secure data deletion & portability
Harmonized standards for the technical measures listed above are expected October 30, 2027
Annex I: Essential Cybersecurity Requirements - Part II: Vulnerability handling requirements
Note: Bullet points are a summary of our interpretation of the requirements. The reader is encouraged to read the full text of the requirements in Annex I
Manufacturers of products with digital elements shall:
-Maintain machine-readable SBOM
-Identify vulnerabilities in software components
-Timely vulnerability remediation
-Regular security testing and reviews
-Transparency on fixed vulnerabilities
-Coordinated vulnerability disclosure policy
-Vulnerability reporting channels
-Secure update delivery mechanism
-Free and prompt security updates
How to get prepared for CRA as an organization
• Build CRA compliance roadmap
• Monitor harmonized standards
• Train your employees and management
• Inform management and get buy-in
Assign internal "CRA" owner → Align affected teams → List affected products → Perform gap analysis → Update designs and requirements → Build technical documentation
Security by Design and by Default
Manufacturers of products with digital elements shall ensure that it has been designed, developed and produced in accordance with the essential cybersecurity requirements
Data protection by design and by default, and cybersecurity in general, are key elements of Regulation (EU) 2016/679 (GDPR). By protecting consumers and organizations from cybersecurity risks, the essential cybersecurity requirements laid down in this Regulation (CRA) are also to contribute to enhancing the protection of personal data and privacy of individuals.
How to Determine What Security is Needed?
Two Important CRA sections
1. Risk Assessment: Obligations of Manufacturers (Article 13, paragraphs 2-4) requires a documented cybersecurity risk assessment, with intended use, environment, expected lifetime
2. Identify which requirements apply and how they're applied. (Annex I)
Risk Assessment: Asset Identification → Vulnerability Identification → Impact Assessment → Risk Determination
Risk Assessment Tells You What Security You Need, What Security You Don’t
Risk Assessment in the Context of Risk Management
Risk Assessment is a piece of Risk Management
Risk Assessment: Asset Identification → Threat Modeling (STRIDE) → Damage Scenario Definition → Attack Enum. & Exploitability → Risk Assessment → ...
Risk Management: Mitigation & Control Design; Residual Risk Identification; Documentation & Traceability; Monitoring & Surveillance
Risk Management is the complete process that enables the assertion that the device is safe
Five Key Ingredients of Risk Management
Post Market Expectations
Free security updates (for at least 5 years (minimum support period) or the product's expected lifetime (support period). Once an update is released, it must remain available for at least 10 years, even if the support period ends.)
Annex I Part II defines vulnerability handling requirements: patching, updates, coordinated disclosure, availability of security updates
Report
• Vulnerabilities and incidents to ENISA and national CSIRT through ENISA.
o Early notification in 24 hours
o Detailed notification in 72 hours
o Final report in 14 days on exploited vulnerabilities
o One month in case of severe incidents.
Provide user instructions
• Installation, instructions for using the product, known risks, security features accessible for at least 10 years or during the support period
Single point of contact for vulnerability reporting
Monitoring for vulnerabilities
• Periodic scans of new vulnerabilities in SBOM
• Detect and log attacks
• CISA vulnerability catalog
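As an added example (not from the slides or the presenters), the "maintain a machine-readable SBOM / identify vulnerabilities in software components" items of Annex I Part II and the "periodic scans of new vulnerabilities in SBOM" item above, in code: a small scanner that matches the components of a CycloneDX-style SBOM against a catalog of known vulnerabilities with affected version ranges, reports what is new since the last run, and separates entries the feed flags as actively exploited for the PSIRT. The SBOM, the catalog entries and the VULN-PLACEHOLDER identifiers are constructed sample data, not real components' advisories or CVE numbers.

```python
"""Periodic SBOM scan against a vulnerability catalog (constructed example).

Everything below is sample data: the SBOM, the catalog entries and the
VULN-PLACEHOLDER identifiers (placeholders, not real CVE numbers).
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical IoT gateway firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "mbedtls", "version": "2.28.4", "purl": "pkg:generic/mbedtls@2.28.4"},
    {"type": "application", "name": "gateway-agent", "version": "4.2.0", "purl": "pkg:generic/gateway-agent@4.2.0"}
  ]
}
"""

# Constructed catalog in the style of an exploited-vulnerabilities feed: each
# entry names a component, an affected range [introduced, fixed) and whether
# the feed flags it as actively exploited. fixed=None means no fix exists yet.
CATALOG = [
    {"id": "VULN-PLACEHOLDER-0001", "component": "openssl", "introduced": "3.0.0", "fixed": "3.0.8", "exploited": True},
    {"id": "VULN-PLACEHOLDER-0002", "component": "busybox", "introduced": "1.30.0", "fixed": "1.36.0", "exploited": False},
    {"id": "VULN-PLACEHOLDER-0003", "component": "mbedtls", "introduced": "2.28.0", "fixed": None, "exploited": False},
]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    exploited: bool
    fixed_in: Optional[str]


def parse_version(version: str) -> List[int]:
    """'3.0.7' -> [3, 0, 7]; '1.36.1-r2' -> [1, 36, 1, 2]. Non-numeric text is dropped."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return parts or [0]


def compare_versions(a: str, b: str) -> int:
    """Numeric dotted-version compare returning -1, 0 or 1; pads so '2.28' == '2.28.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed; an entry without a fix stays open."""
    if compare_versions(version, introduced) < 0:
        return False
    return fixed is None or compare_versions(version, fixed) < 0


def scan_sbom(sbom_json: str, catalog: Iterable[dict]) -> List[Finding]:
    """Match every SBOM component against the catalog entries carrying its name."""
    sbom = json.loads(sbom_json)
    by_name: Dict[str, List[dict]] = {}
    for entry in catalog:
        by_name.setdefault(entry["component"].lower(), []).append(entry)
    findings = []
    for comp in sbom.get("components", []):
        for entry in by_name.get(comp["name"].lower(), []):
            if is_affected(comp["version"], entry["introduced"], entry["fixed"]):
                findings.append(Finding(comp["name"], comp["version"], entry["id"],
                                        entry["exploited"], entry["fixed"]))
    return findings


def new_since(previously_known: Set[str], findings: List[Finding]) -> List[Finding]:
    """What a periodic re-scan surfaces: findings whose id was absent from the last run."""
    return [f for f in findings if f.vuln_id not in previously_known]


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings the feed flags as actively exploited (the PSIRT assesses these
    first against the notification deadlines on this slide) from the remediation backlog."""
    exploited = [f for f in findings if f.exploited]
    backlog = [f for f in findings if not f.exploited]
    return exploited, backlog


if __name__ == "__main__":
    current = scan_sbom(SBOM_JSON, CATALOG)
    # Simulate the previous run having already recorded the mbedtls finding.
    urgent, later = triage(new_since({"VULN-PLACEHOLDER-0003"}, current))
    for f in urgent:
        print(f"EXPLOITED {f.vuln_id} {f.component} {f.version} (fixed in {f.fixed_in})")
    for f in later:
        print(f"backlog   {f.vuln_id} {f.component} {f.version}")
```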
What Needs to Be Done for Incident Reporting
1. Establish Product Security Incident Response Team (PSIRT)
2. Procedures written down
• So it is clear what needs to be done
• Mandated response times are short (24 hours, 72 hours, 2 weeks)
3. Establish vulnerability disclosure policy
• So 3rd parties can report vulnerabilities or compromises
• Create a webpage that can easily be found, so that reporting can be done easily
4. Definition of exploited vulnerability:
• Reliable evidence the device has been exploited without permission
• If exploited once, it is considered exploited
5. Evaluate the vulnerability in terms of CIA
• Confidentiality – stolen data
• Integrity – device or software functions compromised by attackers
• Availability – performing its intended use
Need to be Ready by September 11, 2026 – Beginning of Enforcement
www.CSIRT.org/incident_report/sslp/online_report.html
Final Takeaways
Our Recommendations, Step by Step for your CRA journey
1. Management, Funding, People
• Management support is needed to obtain the resources needed
2. Incident reporting
• Establish CSIRT team, roles, and processes for September 2026
3. Establish Processes
• Establish processes both for pre-market (i.e., product development) and for when the product is in the market
4. Begin Managing Risk
• Perform threat and risk assessment for products to be introduced after December 11, 2027
5. Schedule security activities
• Plan schedule including time for conformity assessment
Let’s See How We Did
Same Poll Question From the Beginning
Expecting/hoping none in the “low” category!!!
What is your level of understanding of EU’s Cybersecurity Resilience Act?
POLL QUESTION RESPONSES (please respond now - choose one)
a. Very high (e.g., We’re ready to go. I understand the processes and security features needed)
b. High (e.g., Have an understanding of what security features my company’s products need)
c. Medium (e.g., Understand what classification my company’s products fall into)
d. Medium to Low (e.g., Have an understanding about incident reporting requirements)
e. Low (e.g., Don’t really know anything about it or how it will impact our processes and products)
Cybersecurity Needed For the CRA: Practical Advice Webinar Series
This is the first in a series of webinars on the CRA
We’ll dive into topics from security by design to security controls
We’ll also cover the harmonized standards as they come out
Q/A
Colin Duggan, Founder & CEO
Milton Yarberry, Director of Medical Programs & Cybersecurity
Jens Gellynck, Product Security Officer – Healthcare
Full Requirements: No Impact On Products On Market Before December 11, 2027
Except If There is a Substantial Modification
Transitional Provisions
CRA ARTICLE 69 Paragraph 2
Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.
(Product placed on the market before that date, not the product type)
Standards for Compliance
No harmonized standard specific to the CRA exists as of today (17 July 2025).
On 3 February 2025 the EC issued an implementing decision making a standardization request to all three ESOs (CEN, CENELEC and ETSI) for horizontal standards supporting the CRA
ENISA study (April 2024) concludes that “even if some of the standards do partially cover all of the requirements, harmonization is still needed to ensure a homogeneous horizontal coverage and addressing gaps.” (*)
(*) Cyber Resilience Act Requirements Standards Mapping (Joint Research Centre & ENISA Joint Analysis)
First of the Horizontal Harmonized Standards: End of August 2026
See the link to the decision and its Annex-1 for the list of Horizontal and Vertical Harmonized Standards requested
How to get prepared for CRA as a manufacturer
• Cybersecurity Training
• Following Regulation Changes and Overlaps (RED, NIS2, GDPR, AI Act)
• Following Emergence of Harmonized Standards from ESOs
• Educate/Update your management
Determine your product category → What is the applicable conformity assessment → Find out the cybersecurity requirements → Gap analysis → Adapt and prepare technical documents → Synchronize with your suppliers
Products in Scope
• IoT devices: smart home devices, wearables, industrial sensors.
• Software: operating systems, productivity tools, device controllers.
• Remote data processing: cloud services developed by/for manufacturers.
Some Already Regulated Product Categories are excluded from the scope of the CRA.
1. Medical devices;
2. Products used in vehicles, aircraft and maritime equipment;
3. Products developed for purposes of national security or defense.
Stakeholder Obligations
• Manufacturers: primarily responsible for compliance.
• Importers/Distributors: verify conformity, stop sales if non-compliant.
• SaaS excluded unless it performs a function the absence of which would prevent the product with digital elements from performing one of its functions; in that case it can fall under the CRA

More Related Content

PDF
EU and you - EU and You: Upcoming regulation
PDF
Standards IT/OT-Security Forschung Universität
PDF
Introduction to the proposed EU cyber resilience act (CRA)
PDF
CRA – Security with a Seal of Approval
PDF
Cyberwatching - Niccolo Zazzeri
PDF
Eurosmart etsi-e-io t-scs-presentation
PDF
SFScon19 - Eugenio Bettella Marco Reguzzoni - Internet of Things & cybersecur...
PDF
Cyber Resilience Act - CTO Lunch Club 20241129
EU and you - EU and You: Upcoming regulation
Standards IT/OT-Security Forschung Universität
Introduction to the proposed EU cyber resilience act (CRA)
CRA – Security with a Seal of Approval
Cyberwatching - Niccolo Zazzeri
Eurosmart etsi-e-io t-scs-presentation
SFScon19 - Eugenio Bettella Marco Reguzzoni - Internet of Things & cybersecur...
Cyber Resilience Act - CTO Lunch Club 20241129

Similar to Understanding the EU Cyber Resilience Act (20)

PPTX
NIS 2 and details about implementation - WatchGuard
PDF
Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022
PDF
Cybersecurity and continuous intelligence
PPTX
Presentation on EU Directives Impacting Cyber Security for Information Securi...
PPTX
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
PDF
Advanced IT Governance
PPTX
The Present and Future of IoT Cybersecurity
PPTX
How digital technology is shaping the future of marthab
PPTX
An American Legal Perspective
PDF
SC7 Workshop 3: Enhancing cyber defence of cyber space systems
PDF
Is your codebase ready for NIS2 and the Cyber Resilience Act?
PDF
Trends in Cybersecurity - DNUG Stammtisch Wien
PDF
EU Cyber Resilience Act (CRA) - new insights 14.11.2023EU Cyber Resilience Ac...
PDF
[EU cyberact conf2021] a proposal for an eu iot certification scheme-final_re...
PDF
Towards a certification scheme for IoT security evaluation
DOCX
Cybersecurity regulation will be challenging
PPTX
PDF
Ethical hacking, the way to get product & solution confidence and trust in an...
PDF
Building a Product Security Practice in a DevOps World
PDF
ECIL: EU Cybersecurity Package and EU Certification Framework
NIS 2 and details about implementation - WatchGuard
Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022
Cybersecurity and continuous intelligence
Presentation on EU Directives Impacting Cyber Security for Information Securi...
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
Advanced IT Governance
The Present and Future of IoT Cybersecurity
How digital technology is shaping the future of marthab
An American Legal Perspective
SC7 Workshop 3: Enhancing cyber defence of cyber space systems
Is your codebase ready for NIS2 and the Cyber Resilience Act?
Trends in Cybersecurity - DNUG Stammtisch Wien
EU Cyber Resilience Act (CRA) - new insights 14.11.2023EU Cyber Resilience Ac...
[EU cyberact conf2021] a proposal for an eu iot certification scheme-final_re...
Towards a certification scheme for IoT security evaluation
Cybersecurity regulation will be challenging
Ethical hacking, the way to get product & solution confidence and trust in an...
Building a Product Security Practice in a DevOps World
ECIL: EU Cybersecurity Package and EU Certification Framework
Ad

More from ICS (20)

PDF
Porting Qt 5 QML Modules to Qt 6 Webinar
 
PDF
Medical Device Cybersecurity Threat & Risk Scoring
 
PDF
Exploring Wayland: A Modern Display Server for the Future
 
PDF
Threat Modeling & Risk Assessment Webinar: A Step-by-Step Example
 
PDF
8 Mandatory Security Control Categories for Successful Submissions
 
PDF
Future-Proofing Embedded Device Capabilities with the Qt 6 Plugin Mechanism.pdf
 
PDF
Choosing an Embedded GUI: Comparative Analysis of UI Frameworks
 
PDF
Medical Device Cyber Testing to Meet FDA Requirements
 
PDF
Threat Modeling and Risk Assessment Webinar.pdf
 
PDF
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
 
PDF
Webinar On-Demand: Using Flutter for Embedded
 
PDF
A Deep Dive into Secure Product Development Frameworks.pdf
 
PDF
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
PDF
Practical Advice for FDA’s 510(k) Requirements.pdf
 
PDF
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
 
PDF
Overcoming CMake Configuration Issues Webinar
 
PDF
Enhancing Quality and Test in Medical Device Design - Part 2.pdf
 
PDF
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
 
PDF
Quality and Test in Medical Device Design - Part 1.pdf
 
PDF
Creating Digital Twins Using Rapid Development Techniques.pdf
 
Porting Qt 5 QML Modules to Qt 6 Webinar
 
Medical Device Cybersecurity Threat & Risk Scoring
 
Exploring Wayland: A Modern Display Server for the Future
 
Threat Modeling & Risk Assessment Webinar: A Step-by-Step Example
 
8 Mandatory Security Control Categories for Successful Submissions
 
Future-Proofing Embedded Device Capabilities with the Qt 6 Plugin Mechanism.pdf
 
Choosing an Embedded GUI: Comparative Analysis of UI Frameworks
 
Medical Device Cyber Testing to Meet FDA Requirements
 
Threat Modeling and Risk Assessment Webinar.pdf
 
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
 
Webinar On-Demand: Using Flutter for Embedded
 
A Deep Dive into Secure Product Development Frameworks.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Practical Advice for FDA’s 510(k) Requirements.pdf
 
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
 
Overcoming CMake Configuration Issues Webinar
 
Enhancing Quality and Test in Medical Device Design - Part 2.pdf
 
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
 
Quality and Test in Medical Device Design - Part 1.pdf
 
Creating Digital Twins Using Rapid Development Techniques.pdf
 
Ad

Recently uploaded (20)

PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
PPTX
Odoo POS Development Services by CandidRoot Solutions
PDF
AI in Product Development-omnex systems
PPTX
Materi_Pemrograman_Komputer-Looping.pptx
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
PPTX
Online Work Permit System for Fast Permit Processing
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
PPTX
Introduction to Artificial Intelligence
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
PPTX
ISO 45001 Occupational Health and Safety Management System
PDF
How Creative Agencies Leverage Project Management Software.pdf
PDF
top salesforce developer skills in 2025.pdf
PDF
System and Network Administration Chapter 2
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
PPT
JAVA ppt tutorial basics to learn java programming
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PPTX
Materi-Enum-and-Record-Data-Type (1).pptx
PPTX
ManageIQ - Sprint 268 Review - Slide Deck
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
Upgrade and Innovation Strategies for SAP ERP Customers
Odoo POS Development Services by CandidRoot Solutions
AI in Product Development-omnex systems
Materi_Pemrograman_Komputer-Looping.pptx
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
Online Work Permit System for Fast Permit Processing
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
Introduction to Artificial Intelligence
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ISO 45001 Occupational Health and Safety Management System
How Creative Agencies Leverage Project Management Software.pdf
top salesforce developer skills in 2025.pdf
System and Network Administration Chapter 2
How to Migrate SBCGlobal Email to Yahoo Easily
JAVA ppt tutorial basics to learn java programming
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Materi-Enum-and-Record-Data-Type (1).pptx
ManageIQ - Sprint 268 Review - Slide Deck
Wondershare Filmora 15 Crack With Activation Key [2025

Understanding the EU Cyber Resilience Act

  • 1. Understanding the EU Cyber Resilience Act: What IoT Manufacturers Need to Know
  • 2. About Us 2 ICS supports our customers with software development, User experience design, platform and regulatory support to build next generation products. We provide a number of services focused on the medtech space including human factors engineering with a 62366 compliant process, hazard and risk analysis, 62304 compliant software development, and platform support including cybersecurity. BG Networks equips embedded engineers and penetration testers with easy-to-use software automation tools including the first AI-from-scratch Threat Modeling and Risk Assessment platform that saves 10x the time and does not require training. BG Networks automation tools are designed to help with adherence to regulations and standards from the FDA, NIST, ISO, and the EU. Cybersecurity Services Cyber Testing & Detection Barco is a market leader in professional visualization solutions and specializes in image processing, collaboration, and immersive experiences. It delivers high-end projectors, meeting rooms, video walls and displays for critical infrastructure. Barco is mainly active in markets like healthcare, cinema, control rooms, and live events. Market Leader in Visualization
  • 3. Speaker Introductions Colin Duggan Founder & CEO Milton Yarberry Director of Medical Programs & Cybersecurity Jens Gellynck Product Security Officer – Healthcare
  • 4. Questions for Us : Put in the Q&A as they come to mind And a Question for You We’ll ask now and at the end to see how to see how well we have done explaining things. What is your level of understanding of EU’s Cybersecurity Resilience Act? 4 POLL QUESTION RESPONSES (please respond now - choose one) a. Very high: (e.g., We’re ready to go. I understand processes and security features needed) b. High: (e.g., Have an understanding of what security features my company’s products need) c. Medium: (e.g., Understand what classification my company’s products fall into) d. Medium to Low: (e.g., Have an understanding about incident reporting requirements) e. Low (e.g., Don’t really know anything about it or how it will impact our processes and products)
  • 5. 5 • All software & hardware products that connect to network, sold in the EU • Definition is products with digital elements • Exceptions: products that have cybersecurity regulation already • Covers manufacturers, importers, and distributors selling in the EU. • Penalties up to €15M or 2.5% of global annual turnover for non-compliance. EU Cyber Resilience Act (CRA) Overview Companies Possibly Impacted In North America >6,000 Software Publishers >6000 Electronic Hardware Manufacturers* (**) European Commission, Commission Staff Working Document, Impact Assessment Report, Proposal for a Regulation of the European Parlament on Horizontal Cybersecurity Requirements for Products with Digital Elements and Amending Regulation 2019/1020 The EU Impact Assessment Report** Lists 615,272 Companies Impacted but >99% are SMEs (*) NAICS 2022, Enterprise Size >$1M, Categories: 3341 – 3345, 5112
• 6. What is a Product with Digital Elements
  CRA Article 3 (Definitions): a 'product with digital elements' is a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately. Article 2 brings such a product into scope when its intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
  'Remote data processing' means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions.
  Colin's simple definition for a digital element: "Software or an IoT device, that is part of, or connected to a network and can be hacked."
  This means the CRA does not apply to websites or cloud applications unless they are remote data processing that a product with digital elements depends on.
• 7. EU Cyber Resilience Act (CRA) Timeline
  - 10 December 2024: CRA (Regulation (EU) 2024/2847) entered into force.
  - 30 August 2026: horizontal harmonized standards expected for the security framework (ensuring cybersecurity) and vulnerability handling.
  - 11 September 2026: notification requirements apply (notifying CSIRT(s) and ENISA of actively exploited vulnerabilities and severe incidents).
  - 30 October 2026: vertical harmonized standards expected for Class I, Class II and Critical products.
  - 30 October 2027: horizontal harmonized standards expected for the technical measures.
  - 11 December 2027: all obligations apply, but only to products placed on the market from this date (earlier products only if they are substantially modified; see Article 69).
• 8. Obligations for Notification of Vulnerabilities and Incidents
  Applies from 11 September 2026 to anything that is on the market, including all products with digital elements placed on the market before 11 December 2027. Requirements for notifying the national CSIRT and ENISA (https://www.enisa.europa.eu/) of actively exploited vulnerabilities and severe incidents will apply.
  An incident is considered severe where:
  - it negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or
  - it has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements.
  Reporting starts shortly after the manufacturer becomes aware: 24 hours (early warning), 72 hours (detailed notification, including available mitigations), 14 days (final report, counted from when a fix or mitigation is available).
• 9. Class I Products (Annex III, Part I)
  1. Identity management systems and privileged access management software and hardware, including authentication and access control readers (including biometric readers)
  2. Standalone and embedded browsers
  3. Password managers
  4. Software that searches for, removes, or quarantines malicious software
  5. Products with digital elements with the function of a virtual private network (VPN)
  6. Network management systems
  7. Security information and event management (SIEM) systems
  8. Boot managers
  9. Public key infrastructure and digital certificate issuance software
  10. Physical and virtual network interfaces
  11. Operating systems
  12. Routers, modems intended for connection to the internet, and switches
  13. Microprocessors with security-related functionalities
  14. Microcontrollers with security-related functionalities
  15. Application-specific integrated circuits (ASICs) and FPGAs with security-related functionalities
  16. Smart home general purpose virtual assistants
  17. Smart home products with security functionalities (e.g. smart locks, security cameras, baby monitors, alarm systems)
  18. Internet-connected toys with social interactive features or location tracking
  19. Personal wearable health monitoring products not covered by MDR/IVDR, and wearables intended for children
  Class I products perform security functions that other products depend on.
• 10. Class II Products and Critical Products
  CLASS II PRODUCTS (Annex III, Part II): have the potential to cause damage to a large number of other products or to cause physical harm.
  1. Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments
  2. Firewalls, intrusion detection and prevention systems
  3. Tamper-resistant microprocessors
  4. Tamper-resistant microcontrollers
  CRITICAL PRODUCTS (Annex IV): could impact essential entities (see NIS2), critical infrastructure, or supply chains.
  1. Hardware devices with security boxes
  2. Smart meter gateways within smart metering systems
  3. Smartcards or similar devices, including secure elements
• 11. Default Products: all others with a digital element that are not Class I, Class II, or Critical
  - Expected to make up 90% of the products with digital elements
  - Need to meet the security requirements in Annex I and the documentation requirements in Annex II
  - Self-assessment and self-declaration of conformity allowed
  - Examples (our expectation; there is no official list yet): smart light bulbs, hard drives, WiFi printers, lab equipment, word processing, spreadsheet and slide presentation software, streaming media apps, inventory management software
• 12. Compliance and Certification
  - Manufacturers issue an EU Declaration of Conformity.
  - CE marking is required before placing the product on the market.
  Products are classified into:
  - Default: self-assessment allowed without a notified body; meet the requirements in Annex I.
  - Class I (Important): self-assessment allowed only when harmonized standards (or common specifications or a certification scheme) are fully applied; otherwise a notified body is required.
  - Class II (Important): mandatory third-party assessment by a notified body.
  - Critical: mandatory third-party assessment by a notified body, or an EU cybersecurity certification where a delegated act requires it.
  Vertical harmonized standards will be released for the product types listed in the previous slides (from Annex III and IV). Expected dates: harmonized vertical standards by 30 October 2026; harmonized horizontal standards for the security framework and vulnerability handling by the end of August 2026; harmonized horizontal standards for the technical requirements by 30 October 2027.
• 13. Which module applies to what (*)
  START: product with digital elements. Is the product Class I, Class II or Critical?
  - No (Default product): use Module A (internal control, self-assessment).
  - Class I: use Module A only if harmonized standards are fully met (third party optional); use Module B+C or Module H if no harmonized standard is used.
  - Class II: use Module B+C or Module H (third party mandatory).
  - Critical: may have to undergo EU cybersecurity certification based on a decision in the delegated act referred to in Article 8; if no such decision applies, use Module B+C or Module H (as it currently stands).
  Modules, from Decision No 768/2008/EC:
  - Module A: internal production control (self-assessment)
  - Module B: EU-type examination by a third party of a single product type
  - Module C: conformity to type based on internal production control (production matches the type examined under Module B)
  - Module H: third-party assessment of the manufacturer's full quality management system (a cyber-QMS)
  (*) Summary information. The reader is encouraged to read Article 32 and Annex VIII fully rather than relying solely on the summary in this slide.
• 14. Standards for Compliance: some list security features, some processes
  An ENISA study from April 2024 (*) found that no single standard today meets all CRA requirements; standards for the CRA are coming. The study suggests good coverage where ETSI EN 303 645 lists security features, and EN IEC 62443 covers both features and processes (it also includes a lifecycle process framework that is a good reference).
  (*) Cyber Resilience Act Requirements Standards Mapping (Joint Research Centre & ENISA Joint Analysis)
• 15. Annex I: Essential Cybersecurity Requirements - Part I: Cybersecurity requirements
  - Security by design: products are designed with an appropriate level of cybersecurity based on the risks (horizontal standards expected by 30 August 2026).
  - Based on the risk assessment, where applicable, products shall have the following properties:
    - No known exploitable vulnerabilities
    - Secure-by-default configuration
    - Vulnerabilities can be addressed through security updates, including automatic security updates enabled by default where applicable (with an opt-out)
    - Protection against unauthorized access
    - Data confidentiality
    - Data integrity
    - Data minimization
    - Protection of essential functions during incidents and resilience against DoS attacks
    - Minimal negative impact on other devices or services
    - Minimal attack surface (external interfaces)
    - Designed to reduce the impact of incidents (defense in depth)
    - Security logging and monitoring
    - Secure data deletion and portability
  Harmonized standards for the technical measures listed above are expected by 30 October 2027.
• 16. Annex I: Essential Cybersecurity Requirements - Part II: Vulnerability handling requirements
  Note: the bullet points are a summary of our interpretation of the requirements. The reader is encouraged to read the full text in Annex I.
  Manufacturers of products with digital elements shall:
  - Maintain a machine-readable SBOM
  - Identify vulnerabilities in software components
  - Remediate vulnerabilities in a timely manner
  - Perform regular security testing and reviews
  - Be transparent about fixed vulnerabilities
  - Have a coordinated vulnerability disclosure policy
  - Provide vulnerability reporting channels
  - Provide a secure update delivery mechanism
  - Provide free and prompt security updates
• 17. How to get prepared for the CRA as an organization
  - Inform management and get buy-in
  - Assign an internal "CRA" owner
  - Align the affected teams
  - List the affected products
  - Perform a gap analysis
  - Update designs and requirements
  - Build the technical documentation
  - Build a CRA compliance roadmap
  - Monitor the harmonized standards
  - Train your employees and management
• 18. Security by Design and by Default
  Manufacturers of products with digital elements shall ensure that their products have been designed, developed and produced in accordance with the essential cybersecurity requirements.
  Data protection by design and by default, and cybersecurity in general, are key elements of Regulation (EU) 2016/679 (GDPR). By protecting consumers and organizations from cybersecurity risks, the essential cybersecurity requirements laid down in the CRA also contribute to enhancing the protection of personal data and the privacy of individuals.
• 19. How to Determine What Security is Needed? Two important CRA sections:
  1. Risk assessment. Obligations of Manufacturers (Article 13, paragraphs 2-4) require a documented cybersecurity risk assessment covering the intended use, the operating environment and the expected lifetime.
  2. Identify which requirements apply and how they are applied (Annex I).
  Risk assessment flow: Asset Identification -> Vulnerability Identification -> Impact Assessment -> Risk Determination.
  The risk assessment tells you what security you need, and what security you don't.
• 20. Risk Assessment in the Context of Risk Management
  Risk assessment is one piece of risk management: Asset Identification -> Threat Modeling (STRIDE) -> Damage Scenario Definition -> Attack Enumeration & Exploitability -> Risk Assessment.
  Risk management is the complete process that enables the assertion that the device is safe; beyond the assessment it adds Mitigation & Control Design, Residual Risk Identification, Documentation & Traceability, and Monitoring & Surveillance.
  • 21. Five Key Ingredients of Risk Management 21
• 22. Post Market Expectations
  - Free security updates for the support period, which is the product's expected lifetime and at least 5 years unless the product is expected to be in use for less time. Each security update must remain available for at least 10 years after the product was placed on the market, or for the rest of the support period, whichever is longer.
  - Annex I Part II defines the vulnerability handling requirements: patching, updates, coordinated disclosure, availability of security updates.
  - Report actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT through the ENISA reporting platform:
    o Early warning within 24 hours
    o Detailed notification within 72 hours
    o Final report within 14 days for exploited vulnerabilities
    o Final report within one month for severe incidents
  - Provide user instructions: installation, instructions for using the product, known risks and security features, accessible for at least 10 years after placing on the market or during the support period, whichever is longer.
  - Single point of contact for vulnerability reporting.
  - Monitoring for vulnerabilities: periodic scans of the SBOM against newly published vulnerabilities, detection and logging of attacks, and checks against the CISA Known Exploited Vulnerabilities catalog.
• 23. What Needs to Be Done for Incident Reporting
  1. Establish a Product Security Incident Response Team (PSIRT)
  2. Write the procedures down, so it is clear what needs to be done; the mandated response times are short (24 hours, 72 hours, 2 weeks)
  3. Establish a vulnerability disclosure policy, so third parties can report vulnerabilities or compromises; create a webpage that can easily be found and through which reporting can be done easily
  4. Definition of an actively exploited vulnerability: reliable evidence that a malicious actor has exploited it in a system without the permission of the system owner; a single confirmed exploitation counts
  5. Evaluate the vulnerability in terms of CIA: confidentiality (stolen data), integrity (device or software functions compromised by attackers), availability (the device no longer performing its intended use)
  Need to be ready by 11 September 2026, the beginning of enforcement.
  www.CSIRT.org/incident_report/sslp/online_report.html
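The SBOM maintenance requirement on slide 16, the periodic SBOM scan against new vulnerabilities and the CISA catalog check on slide 22, and the 24 h / 72 h / 14 day clocks on slide 23 together describe one post-market loop. The script below is an added example, not code from the webinar or from any of the presenting companies: it matches a CycloneDX-style SBOM against an OSV-style advisory feed, flags components whose vulnerabilities appear in a Known Exploited Vulnerabilities list so the PSIRT can triage them first, and computes the Article 14 notification deadlines from the moment of awareness. The SBOM, the advisories, the CVE identifiers and the KEV list are all constructed placeholders so the script runs offline; a real deployment would load the SBOM from the build pipeline and the advisory and KEV data from their published sources.

```python
"""Post-market SBOM vulnerability check with KEV prioritisation and CRA clocks."""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta

# Constructed CycloneDX 1.5-style SBOM for a hypothetical firmware image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed OSV-style advisories. The CVE ids and ranges are placeholders,
# not real advisories; 'fixed' is None when no fixed version exists yet.
ADVISORIES = [
    {"id": "CVE-0000-0001", "purl": "pkg:generic/openssl", "introduced": "3.0.0", "fixed": "3.0.8", "cvss": 7.5},
    {"id": "CVE-0000-0002", "purl": "pkg:generic/openssl", "introduced": "1.1.1", "fixed": "3.0.0", "cvss": 5.3},
    {"id": "CVE-0000-0003", "purl": "pkg:pypi/requests", "introduced": "0", "fixed": "2.32.0", "cvss": 6.1},
]

# Constructed stand-in for the CISA KEV catalog: the set of exploited CVE ids.
KEV = {"CVE-0000-0001"}


def version_key(version: str) -> tuple[int, ...]:
    """Turn '3.0.7' or '1.36.1-r2' into a comparable tuple of ints.

    Parsing stops at the first non-numeric piece, which is good enough for the
    dotted versions typical of firmware SBOMs (not a full semver comparator).
    """
    parts: list[int] = []
    for piece in re.split(r"[.\-+]", version):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def split_purl(purl: str) -> tuple[str, str | None]:
    """Return (package identity, version) for a purl, dropping qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        ident, version = base.rsplit("@", 1)
        return ident, version
    return base, None


def is_affected(version: str, introduced: str, fixed: str | None) -> bool:
    """OSV-style half-open range: introduced <= version < fixed (open-ended if unfixed)."""
    current = version_key(version)
    if current < version_key(introduced):
        return False
    return fixed is None or current < version_key(fixed)


def scan_sbom(sbom_json: str, advisories: list[dict], kev: set[str]) -> list[dict]:
    """Match every SBOM component against the advisories; KEV hits sort first."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # a component without a purl cannot be matched reliably
        ident, version = split_purl(purl)
        version = version or comp.get("version")
        if version is None:
            continue
        for adv in advisories:
            if adv["purl"] == ident and is_affected(version, adv["introduced"], adv.get("fixed")):
                findings.append({
                    "component": comp["name"], "version": version, "id": adv["id"],
                    "cvss": adv["cvss"], "fixed": adv.get("fixed"),
                    "actively_exploited": adv["id"] in kev,
                })
    # Known-exploited first (candidate Article 14 report), then by CVSS.
    return sorted(findings, key=lambda f: (not f["actively_exploited"], -f["cvss"]))


def notification_deadlines(aware_at_iso: str, fix_available_iso: str | None = None) -> dict[str, str]:
    """Article 14 clocks for an actively exploited vulnerability (ISO 8601 in and out).

    Early warning within 24 h and notification within 72 h run from awareness;
    the final report is due 14 days after a fix or mitigation is available.
    """
    aware = datetime.fromisoformat(aware_at_iso)
    fixed = datetime.fromisoformat(fix_available_iso) if fix_available_iso else aware
    return {
        "early_warning": (aware + timedelta(hours=24)).isoformat(),
        "notification": (aware + timedelta(hours=72)).isoformat(),
        "final_report": (fixed + timedelta(days=14)).isoformat(),
    }


if __name__ == "__main__":
    for f in scan_sbom(SBOM_JSON, ADVISORIES, KEV):
        tag = "KEV/triage for Art. 14" if f["actively_exploited"] else "patch queue"
        print(f"{f['id']}  {f['component']}@{f['version']}  CVSS {f['cvss']}  fixed in {f['fixed']}  [{tag}]")
    for name, when in notification_deadlines("2026-09-14T09:00:00+00:00").items():
        print(f"{name}: {when}")
```

A KEV hit on a component is a trigger for PSIRT triage, not an automatic report: Article 14 is about exploitation of the vulnerability in the product as shipped, so the team still has to confirm the component is reachable in that configuration before the 24-hour early warning clock is treated as running.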
• 24. Final Takeaways: our recommendations, step by step, for your CRA journey
  1. Management, funding, people: management support is needed to secure the required resources
  2. Incident reporting: establish the PSIRT team, roles, and processes for 11 September 2026
  3. Establish processes: both for pre-market (i.e., product development) and for when the product is on the market
  4. Begin managing risk: perform a threat and risk assessment for products to be introduced after 11 December 2027
  5. Schedule security activities: plan the schedule, including time for the conformity assessment
• 25. Let's See How We Did: the same poll question from the beginning (expecting/hoping none in the "low" category!!!)
  What is your level of understanding of the EU's Cyber Resilience Act?
  POLL QUESTION RESPONSES (please respond now - choose one)
  a. Very high: (e.g., we're ready to go; I understand the processes and security features needed)
  b. High: (e.g., I understand what security features my company's products need)
  c. Medium: (e.g., I understand which classification my company's products fall into)
  d. Medium to low: (e.g., I understand the incident reporting requirements)
  e. Low: (e.g., I don't really know anything about it or how it will impact our processes and products)
• 26. Cybersecurity Needed for the CRA: Practical Advice Webinar Series
  This is the first in a series of webinars on the CRA. We'll dive into topics from security by design to security controls, and we'll also cover the harmonized standards as they come out.
  • 27. Q/A Colin Duggan Founder & CEO Milton Yarberry Director of Medical Programs & Cybersecurity Jens Gellynck Product Security Officer – Healthcare
• 28. Full requirements: no impact on products placed on the market before 11 December 2027, except if there is a substantial modification
  Transitional Provisions, CRA Article 69, paragraph 2: "Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification." This refers to the individual product placed on the market before that date, not the product type. The Article 14 reporting obligations are the exception: they apply to these products too, from 11 September 2026.
• 29. Standards for Compliance
  No harmonized standard specific to the CRA exists as of today (17 July 2025). On 3 February 2025 the European Commission issued an implementing decision containing a standardization request to all three ESOs (CEN, CENELEC and ETSI) for horizontal standards supporting the CRA; see the decision and its Annex I for the list of horizontal and vertical harmonized standards requested. The first of the horizontal harmonized standards is expected at the end of August 2026.
  The ENISA study of April 2024 (*) concludes that "even if some of the standards do partially cover all of the requirements, harmonization is still needed to ensure a homogeneous horizontal coverage and addressing gaps."
  (*) Cyber Resilience Act Requirements Standards Mapping (Joint Research Centre & ENISA Joint Analysis)
• 30. How to get prepared for the CRA as a manufacturer
  - Cybersecurity training
  - Follow regulation changes and overlaps (RED, NIS2, GDPR, AI Act)
  - Follow the emergence of harmonized standards from the ESOs
  - Educate and update your management
  - Determine your product category
  - Determine the applicable conformity assessment
  - Find out the cybersecurity requirements
  - Gap analysis
  - Adapt and prepare the technical documents
  - Synchronize with your suppliers
• 31. Products in Scope
  - IoT devices: smart home devices, wearables, industrial sensors.
  - Software: operating systems, productivity tools, device controllers.
  - Remote data processing: cloud services developed by or for the manufacturer that the product needs to function.
  Some already regulated product categories are excluded from the scope of the CRA:
  1. Medical devices;
  2. Products used in vehicles, aircraft and maritime equipment;
  3. Products developed exclusively for national security or defense purposes.
• 32. Stakeholder Obligations
  - Manufacturers: primarily responsible for compliance.
  - Importers and distributors: verify conformity and stop sales if the product is non-compliant.
  - SaaS is excluded unless it performs remote data processing whose absence would prevent a product with digital elements from performing one of its functions; in that case it falls under the CRA as part of that product.