The CRA forces manufacturers to protect their embedded systems properly against cybersecurity threats. Otherwise, they face heavy penalties and sales bans. We provide practical tips, how to perform a risk assessment, which security measures are enough to satisfy the essential product requirements, how to tame the thousands of vulnerabilities, and whether it's worth to make an embedded system comply with the CRA at all.
A device violates essential CRA requirements. Although simple state-of-the-art security measures are available, the manufacturer mitigates the violations with legal disclaimers. This goes against the intention of the CRA: improving cybersecurity in real life and not just on paper.
Per definition, embedded devices are products with digital elements and, hence, must comply with the CRA. I'll give examples whether to classify devices as default, important or critical. The classification decides how expensive CRA compliance is. So, we better get it right.
Courts will do it! Cybersecurity experts throw a lot of security measures at the wall and see which ones stick. They seriously suggest that manufacturers must only do a "proper" risk assessment and all is fine. Manufacturers define what "proper" means. Isn't that circular reasoning?
If a machine sold in 2015 receives a feature update in 2028 or later, it must undergo full CRA compliance (Article 69.2). The best bet for the manufacturer might be to argue that the CRA violates legal certainty and non-retroactivity of law - constitutional rights in most EU countries.
Are you ready for the Cyber Resilience Act? If not sure, check out my new offering. In the CRA Survival Bootcamp, you'll learn how to do CRA compliance on your own. My related posts may help you as well.
What does the CRA require from you to avoid sales bans after 11 December 2027 and penalties threatening the existence of your company? Risk assessment, vulnerability handling and technical documentation. And tough decisions which products to retire.
Overview of my posts and talks about risk assessment of the essential product requirements of the EU Cyber Resilience Act (CRA).
The CRA requires manufactures to document the risk assessment. Architecture decision records (ADRs) are the ideal means for that. They also facilitate good discussions about different mitigation options.
Episode 66: Better Built By Burkhard
Episode 65: Better Built By Burkhard
Episode 64: Better Built By Burkhard
Episode 63: Better Built By Burkhard