19/06/2025
IoT SF hosts a webinar to introduce a tool for compliance with EU CRA

Tools to speed up compliance with EU CRA for SMEs

The webinar introduces the EU CRA and gives an overview of the mandates it contains. The presenter then introduces CRACoWi, an automated compliance tool, and invites experts to become early adopters and test it.

Webinar Objectives

The webinar’s key objectives were:

  1. To raise awareness about the CRA, its requirements, and timelines for product manufacturers.
  2. To introduce the CRACoWi (Cyber Resilience Act Compliance Wizard) project and its goals.
  3. To explain how the CRACoWi project aims to help SMEs, manufacturers, distributors and importers comply with the European Cyber Resilience Act (CRA) before its obligations take effect.

Target Audience

The webinar is beneficial for companies beginning their cybersecurity journey towards CRA compliance, as the CRACoWi project aims to simplify compliance, reduce burdens (especially for SMEs), and provide tools for initial “health checks.”

The webinar is especially useful to the following roles:

  1. Technical engineers working on firmware, SBOMs and vulnerability assessment.
  2. Engineering managers overseeing product development and compliance processes.
  3. Product managers responsible for the product lifecycle and for meeting market-access requirements.

Presenters and their profiles:

Michael Biner, Head of Cybersecurity Services at Bureau Veritas in Düsseldorf. He focuses on IoT topics, particularly the EU Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA).

Introduction & Context

The webinar is part of a monthly series run by the IoT Security Foundation (IoTSF). Biner introduced the CRACoWi project, an initiative designed to help organizations navigate the European Cyber Resilience Act (CRA), and the tooling it is building to support compliance.

The CRACoWi Project and the Cyber Resilience Act (CRA)

The Cybersecurity Landscape & The EU’s Response
Biner begins by highlighting the significant and growing threat of cybercrime, including the high financial and operational costs of attacks like ransomware. The European Union’s primary response to this threat in the product space is the Cyber Resilience Act (CRA).

  • Purpose of the CRA: To protect the EU’s common market from cyber-attacks that target vulnerable products with digital elements (both hardware and software). The goal is to safeguard consumers and businesses.
  • Timeline: The CRA entered into force in December 2024 with a three-year transition period. Most of its obligations apply from 11 December 2027, after which products with digital elements placed on the EU market must comply. One caveat worth noting: the manufacturers' reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from 11 September 2026.
  • Key Mandates of the CRA:
    • Harmonized Rules: Creates a single, unified framework for cybersecurity requirements across the EU.
    • Full Lifecycle Approach: Covers the entire product life cycle, from planning and design through development, production, and ongoing maintenance.
    • Duty of Care: Imposes specific obligations on manufacturers to ensure product security.
    • CE Marking: Uses the existing CE mark to signify compliance. By late 2027, the CE mark will indicate a product is not only safe but also cyber-secure.
    • Standardization: Compliance is demonstrated through adherence to new, harmonized technical standards that will be established to provide clear implementation guidelines.

The CRACoWi Project: Simplifying CRA Compliance
Biner introduces the CRACoWi (Cyber Resilience Act Compliance Wizard) project, an EU-funded initiative designed to address the challenges of the CRA, particularly for Small and Medium-sized Enterprises (SMEs). The project’s goal is to make compliance easier and less burdensome.

  • The CRACoWi Consortium: A group of 14 stakeholders from four EU countries, including industrial users, technology partners, and SMEs, ensuring the tool is practical and meets user needs. Bureau Veritas’s role is as the certification body.

How the CRACoWi “Compliance Wizard” Works
The project is built around a set of automated tools to support a company’s entire compliance journey.

  • Core Technology: The process is based on an automated binary firmware scan.
  • Step 1: SBOM & Vulnerability Analysis:
    • The tool scans the product’s firmware binary to automatically extract the Software Bill of Materials (SBOM).
    • It then checks this SBOM against databases of known vulnerabilities, giving priority to known exploitable ones. This addresses two CRA requirements directly: products must be made available without known exploitable vulnerabilities, and they must ship with an SBOM covering at least their top-level dependencies.
  • Step 2: Automated Compliance Check:
    • The tool maps its findings from the scan against the CRA’s requirements and checklists.
    • This provides an immediate, high-level “health check” of the product’s compliance status with a simple firmware upload.
  • Step 3: Comprehensive Assessment & Certification:
    • The automated scan is supplemented with information that cannot be extracted from firmware, such as results from active testing of communication interfaces and additional documentation.
    • This complete package of evidence is used to achieve a final certification, demonstrating full compliance with the CRA.

Key Objectives and Lifecycle Support
The CRACoWi project has several core objectives:

  • Empower SMEs: Provide structured processes and automated tools to simplify the compliance journey.
  • Holistic Approach: Cover the entire product lifecycle and associated organizational processes.
  • Increase Awareness: Run a capacity-building program (including webinars like this one) and share information through its website, LinkedIn, and mailing list.
  • Vulnerability Management: A crucial feature is its ability to support products post-deployment. Since the wizard knows a product’s SBOM, it can alert manufacturers to newly discovered vulnerabilities affecting their products already in the market, helping them fulfill their lifecycle management obligations.
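The matching logic in Step 1 and the post-deployment alerting described under Vulnerability Management come down to the same operation: check every SBOM component against a vulnerability feed, put anything on a known-exploited list first, and re-run the check whenever the feed changes. The Python script below is an added illustration written for this summary; it is not CRACoWi's code, and the project has not published its internals. The CycloneDX-style SBOM, the vulnerability feed, the VULN-000x identifiers and the known-exploited list are all constructed for the example, and the pass/fail rule in health_check (fail on any known-exploited finding) is a simplification of the CRA Annex I requirement, not the wizard's actual checklist mapping.

```python
"""Added example: SBOM-to-vulnerability matching plus a post-deployment re-scan.

Illustrative code written for this summary, not CRACoWi's own code. The SBOM,
the vulnerability feed and the "known exploited" set are constructed inline so
the script runs offline; in practice the SBOM comes from a firmware scan and
the feed from sources such as NVD, OSV or the CISA KEV catalogue.
"""
import json
import re

# Constructed CycloneDX-style SBOM (a minimal subset of the real schema).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "busybox", "version": "1.35.0", "purl": "pkg:generic/busybox@1.35.0"},
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib",    "version": "1.3.1",  "purl": "pkg:generic/zlib@1.3.1"}
  ]
}
"""

# Constructed vulnerability feed: hypothetical identifiers, not real CVEs.
# Ranges are half-open [introduced, fixed), as in OSV-style advisories.
VULN_FEED_V1 = [
    {"id": "VULN-0001", "package": "busybox", "introduced": "1.0.0", "fixed": "1.36.0", "severity": "HIGH"},
    {"id": "VULN-0002", "package": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l", "severity": "CRITICAL"},
    {"id": "VULN-0003", "package": "zlib",    "introduced": "1.0.0", "fixed": "1.2.12", "severity": "HIGH"},
]
# Constructed "known exploited" set: the CRA requires these to be absent at market placement.
KNOWN_EXPLOITED_V1 = {"VULN-0002"}


def version_key(version):
    """Split '1.1.1k' into comparable parts: numbers compare numerically, letters lexically.
    Good enough for the constructed data; real tools use ecosystem-aware comparators."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(version, introduced, fixed):
    """True when version lies in [introduced, fixed); the fixed version itself is clean."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def match_vulnerabilities(sbom_json, feed, known_exploited):
    """Step 1: map every SBOM component to feed entries whose version range contains it."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for vuln in feed:
            if vuln["package"] == comp["name"] and is_affected(
                    comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append({
                    "component": comp["purl"],
                    "id": vuln["id"],
                    "severity": vuln["severity"],
                    "known_exploited": vuln["id"] in known_exploited,
                })
    # Known-exploited first, then by severity, so the report leads with what must be fixed first.
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    findings.sort(key=lambda f: (not f["known_exploited"], order.get(f["severity"], 9), f["id"]))
    return findings


def health_check(findings):
    """Step 2, simplified (assumption, not the wizard's real checklist): any known-exploited
    finding fails the gate, mirroring the CRA's 'no known exploitable vulnerabilities' rule."""
    return "FAIL" if any(f["known_exploited"] for f in findings) else "PASS"


def new_findings(previous, current):
    """Post-deployment re-scan: return only (component, id) pairs absent from the last report,
    i.e. the alert a manufacturer needs when a new advisory hits a product already in the field."""
    seen = {(f["component"], f["id"]) for f in previous}
    return [f for f in current if (f["component"], f["id"]) not in seen]


# Constructed "later" feed: an advisory for the shipped zlib version appears after release.
VULN_FEED_V2 = VULN_FEED_V1 + [
    {"id": "VULN-0004", "package": "zlib", "introduced": "1.3.0", "fixed": "1.3.2", "severity": "MEDIUM"},
]

if __name__ == "__main__":
    first = match_vulnerabilities(SBOM_JSON, VULN_FEED_V1, KNOWN_EXPLOITED_V1)
    print("initial findings:", json.dumps(first, indent=2))
    print("health check:", health_check(first))
    later = match_vulnerabilities(SBOM_JSON, VULN_FEED_V2, KNOWN_EXPLOITED_V1)
    print("new since last scan:", json.dumps(new_findings(first, later), indent=2))
```

Running it prints the initial findings (the known-exploited OpenSSL entry sorted first, giving a FAIL), then the single zlib finding that appears only after the feed is updated, which is the kind of alert the webinar describes for products already on the market. The simple version splitter handles OpenSSL's letter suffixes but not every real-world scheme, so a production tool would use purl-aware version comparators and would also reconcile SBOM component names against the feed's naming before matching.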

Conclusion & Next Steps

Biner concluded by encouraging the audience to follow the CRACoWi project on LinkedIn and subscribe to its mailing list for updates on the CRA and on other cybersecurity regulations worldwide, such as the US Cyber Trust Mark.

Similar webinars on tools to speed up compliance with EU CRA

Other consortia have built automated tools to help companies speed up their compliance with the EU CRA. Some of them are listed below:

  1. https://iotregulations.com/security/tools-to-simplify-compliance-to-cra-cra-ai/