CEN and CENELEC explain CRA and call for experts to participate in standardization

EU standardization bodies CEN and CENELEC introduce the CRA and call for experts to help create harmonized standards
The Cyber Resilience Act (CRA) is a new EU legislation that makes cybersecurity mandatory for all hardware and software products with digital elements. The goal of this legislation is to ensure products are secure throughout their entire lifecycle, from design and development to vulnerability handling after they are on the market. In this webinar, CEN and CENELEC explain what the CRA is and ask cybersecurity experts to contribute to creating harmonized standards.
Webinar Objectives
The webinar’s key objectives were:
- To introduce the Cyber Resilience Act (CRA), its scope, key requirements, and implementation timeline.
- To explain the role and structure of harmonized standards in supporting CRA compliance and how they are being developed.
- To inform stakeholders about ongoing standardization work and encourage their participation and input, including through upcoming workshops.
Target Audience
The webinar is especially useful to the following roles:
- Technical engineers and engineering managers: To understand the technical requirements that need to be built into products and the standards they can leverage or contribute to.
- Product Managers: To understand how the CRA affects product design, development lifecycle, support periods, and market placement.
- Certification and Regulatory managers: To understand the new conformity assessment routes, the role of harmonized standards for presumption of conformity, and reporting obligations.
Presenters and their profiles:
- Philip Jones Mourao, DG Connect, European Commission: Introduced the Cyber Resilience Act (CRA) and the standardization request.
- Lucia Lanfri, CEN/CENELEC: Explained CEN/CENELEC’s work and ongoing efforts on CRA standards.
- Simon Steendam, JTC13 Working Group 9 / RDI (Dutch Authority for Digital Infrastructure): Detailed the development of horizontal standards for the CRA.
- Steffen Zimmerman, VDMA (Europe’s largest trade association for machinery): Provided the industry’s view, focusing on manufacturers’ perspectives and challenges.
- Berit Adal, Danish Standards: Announced and provided details for a workshop in Copenhagen.
Key Aspects of the Cyber Resilience Act (CRA):
- Scope: The CRA covers all products with digital elements, including both hardware (e.g., mobile phones, smart appliances, network equipment) and software (e.g., operating systems, mobile apps, games). It also includes remote data processing solutions associated with these products.
- Exclusions: The CRA does not apply to non-commercial “hobby” products, services like standalone software-as-a-service (SaaS) and websites, or sectors with existing cybersecurity legislation, such as medical devices and automotive.
- Manufacturer Obligations: Manufacturers are responsible for conducting risk assessments, ensuring their products meet essential cybersecurity requirements, handling vulnerabilities, providing free security updates, and reporting actively exploited vulnerabilities and severe security incidents.
- Product Categorization: Products are categorized based on their criticality, which determines the conformity assessment process:
  - Default Category: Most products fall into this category and can be self-assessed by the manufacturer.
  - Important Products (Class I & II): These include products like password managers, browsers, firewalls, and operating systems. They require a third-party conformity assessment, though Class I products can be self-assessed if they follow a harmonized standard.
  - Critical Products: These are products like smart cards and secure elements that may be subject to mandatory certification in the future.
- Timeline: The CRA was adopted in December 2024 and will come into full effect in 2027. Manufacturers will have a transition period to adapt to the new requirements.
Standardization and the CRA:
To support the implementation of the CRA, the European Commission has requested the development of harmonized standards. These standards will provide a framework for manufacturers to demonstrate compliance with the CRA’s essential requirements.
- Types of Standards:
  - Type A (Framework Standards): These are horizontal standards that provide a general framework for all product-specific standards.
  - Type B (Product-Agnostic Technical Measures): These standards address specific technical measures and vulnerability handling processes that can be applied across different product categories.
  - Type C (Product-Specific Standards): These are vertical standards that apply to specific product categories and provide detailed requirements for those products.
- Development of Standards: The development of these standards is being carried out by European standardization organizations, including CEN, CENELEC, and ETSI. The work is divided among different technical committees and working groups, with a focus on creating horizontal standards first to serve as a foundation for the vertical standards.
- Industry Involvement: The webinar emphasized the importance of industry participation in the standardization process to ensure that the standards are practical and effective. Manufacturers are encouraged to engage with their national standardization bodies and participate in the relevant working groups.
Other Initiatives
Several consortia have been funded by the EU to create tools that help simplify or speed up compliance with the CRA. The following webinars provide more hands-on tools to check impact and compliance.