Tools to simplify compliance to CRA: CRA-AI

AI powered tools for SMEs to speed up compliance with EU CRA
The webinar introduces the EU CRA and provides an overview of which types of products are covered by it. Finally, the presenters introduce an AI tool to help with compliance and invite experts to become early adopters and test the tool.
Webinar Objectives
The webinar’s key objectives were:
- Help companies determine if they and their products fall within the scope of the CRA.
- Showcase practical tools and resources available to help SMEs assess their compliance level.
- Introduce the broader support program so businesses know where to turn for help.
Target Audience
The webinar is especially useful to the following roles:
- C-suite executives / Business Owners (especially of SMEs): To understand the business impact, potential costs, market access implications, and the overall need for CRA compliance.
- Product Managers & Engineering Managers: To grasp how CRA affects product design (“security by design”), development lifecycle, vulnerability management, and ongoing maintenance.
Presenters and their profiles:
- Mihai Rotariu: Communications, Marketing & Media Department Manager, Romanian National Cyber Security Directorate (DNSC) – the webinar host.
- Patricia Shields: CEO, Cyber Cert Labs – coordinator for the Cyber Resilience Act AI project.
- Connor McGoveran: CTO, Cyber Cert Labs – involved in CRA standardization committees.
Summary of the webinar
Mihai introduced the “CRA AI Project,” a Europe-wide collaboration designed to simplify CRA compliance for SMEs by providing practical, AI-supported tools. The project aims to make compliance achievable for smaller companies, not just large corporations.
The project partners include:
- CyberCert Labs (Coordinator): Leads the project and develops the AI-powered CRA compliance platform.
- Refractis Security: Enhances vulnerability management and secure code analysis tools.
- Zipo: Designs CRA-specific training modules.
- NRD Cyber Security: Serves as a pilot SME to validate the platform with its own products.
- DNSC (Romania): Leads dissemination and stakeholder engagement activities.
- RHEA Labs: Supports the pilot phase and defines technical requirements for conformity assessments.
Overview of the Cyber Resilience Act (CRA)
Patricia, CEO of CyberCert Labs, provided a detailed overview of the CRA.
- Purpose: To ensure the cybersecurity of products with digital elements placed on the EU market. The goal is to push responsibility from the consumer back to the manufacturer.
- Core Principles: Requires security by design and security by default. Manufacturers have ongoing obligations for vulnerability management and disclosure throughout the entire product lifecycle.
- CE Mark: Manufacturers will need to affix the CE mark for cybersecurity, legally attesting that their products are secure and released without known vulnerabilities.
- Timeline:
  - September 2026: Vulnerability reporting requirements come into effect. Manufacturers must report actively exploited vulnerabilities to their national CSIRT and ENISA.
  - December 2027: The full regulation comes into effect (a 3-year transition period from its enactment in December 2024).
- Harmonized Standards: The European Commission is developing harmonized standards. Complying with these standards will give a “presumption of conformity” with the CRA.
- Enforcement: Each EU member state will appoint a Market Surveillance Authority to enforce the CRA, with the power to conduct market sweeps and issue penalties for non-compliance.
CRA Scope and Product Categories
Patricia explained the different risk-based product categories and the criteria for being in scope.
Product Categories:
- Default Category: Most products will fall here. They can self-assess conformity.
- Class 1 & Class 2 (Higher Risk): These include products like network-focused hardware, microprocessors, and firewalls. Depending on the class, they may require a third-party assessment or adherence to a harmonized standard.
- Critical Products (Highest Risk): Products like smart meter gateways that will require a rigorous third-party assessment (e.g., under EUCC).
Who and What is in Scope?
- Economic Operators: Manufacturers, importers, and distributors placing products on the EU market. “Manufacturer” is a broad term that includes developers of free software provided in the course of a commercial activity (e.g., a free app for a paid service).
- Products: “Products with digital elements,” including hardware, software, and their remote data processing solutions (e.g., a cloud portal needed for a device to function). The product must have a direct or indirect data connection to a device or network.
What is Out of Scope?
- Standalone Software as a Service (SaaS): Services like Dropbox or Microsoft 365 that don’t interact with other hardware are not in scope.
- Products Covered by Other Legislation: Medical devices, aviation safety, military, and national defense products are covered by separate regulations. However, some related software (e.g., in-flight entertainment systems or certain health/wellness apps) may still fall under the CRA.
The Readiness Assessment Tool
Connor, CTO of CyberCert Labs, presented a practical example and demonstrated the project’s Readiness Assessment Tool.
- Example (Home Security System): He used a home security system to illustrate how a “product” is often an ecosystem of components (sensors, cameras, key fobs, a phone app, remote data processing services). The CRA requires security considerations for the entire system, such as encrypting video streams and ensuring alerting systems cannot be suppressed.
- Readiness Assessment Tool Demonstration:
  - Access: SMEs can receive a free coupon code from the DNSC to use the tool.
  - Process: The tool is a comprehensive questionnaire (taking 20-30 minutes) that guides users through four stages of CRA compliance: General Information, Risk Assessment, Vulnerability Management, and Documentation.
  - Output: After completion, the tool generates a detailed report that provides:
    - An overall compliance score.
    - A breakdown of scores for each section, highlighting strengths and weaknesses.
    - Actionable advice and concrete steps to address compliance gaps in each area.
Call for Early Adopters
Connor extended an invitation for SMEs to become early adopters of the full AI-powered software platform. Early adopters will get free access to the platform and help shape its development.
The webinar concluded with a Q&A session, addressing key concerns:
- Third-Party Components: The tool will help manage third-party components. The CRA will require component suppliers to provide more security information (e.g., Software Bill of Materials – SBOMs) to their customers.
- Role of AI: The platform will use AI to analyze supplier documentation (e.g., PDFs) and to automatically generate required documents, such as user manuals and conformity assessment paperwork.
- Risk of Stifling Innovation: The CRA includes provisions to support SMEs, such as reduced penalties and access to EU-funded support projects. The speakers argued that compliance will become a competitive advantage.
- Data Security: The platform is cloud-based, and while an on-premise option isn’t planned, they are mindful of confidentiality and do not require the transfer of highly sensitive technical data.
Similar webinars on tools to speed up compliance with EU CRA