CRA - Cyber Resilience Act

What needs to be done?

The CRA is a cybersecurity regulation that was adopted by the end of 2024 and applies in all member countries of the EU.

The core of the CRA's legally binding requirements is that products with "digital elements" must be secure against cyber threats throughout the whole lifecycle and supply chain. The focus is on realizing security-by-design and security-by-default principles.

Vulnerabilities need to be analyzed and addressed until the end of the product's support period. In addition, a framework must be established that allows anyone to report vulnerabilities to the manufacturer.

Security updates free of charge must be provided by the manufacturer during the whole product lifecycle to mitigate or remediate all known threat scenarios.

Deadlines:

  • June 2026: Vulnerability management must be established for all products

  • December 2027: Conformity with the CRA must be achieved


Who is affected? Every product (hardware, software or both) that establishes communication with an external partner and/or a network.

M-Sys provides support in all phases

Overview of the CRA, best-practice approaches to achieve conformity and individual workshops.

Creation of project plans and roadmaps to meet the deadlines.

Which documentation is required?

Establishing the necessary technical structures and concepts.

Assessment:

  • Penetration Testing

  • Support of the manual assessment procedure regarding CRA requirements

  • Preparation for the assessment by the Conformity Assessment Bodies (CAB)

CRA technical topics

TARA - Threat Analysis and Risk Assessment

Definition of technical requirements for the product regarding cybersecurity specifications from the CRA.

Concept creation for the implementation of the requirements.

Evaluation and improvement of already existing cybersecurity concepts and mechanisms at product level.

Design, development and test of the specific product components.

Establishing the structures for vulnerability management, including SBOM (Software Bill of Materials) generation.

For more details regarding the CRA or direct requests, please refer to the contact information at the bottom of the page. Visit us on LinkedIn, where we have recently published an in-depth introduction to the topic.
Contact CRA
cra@msys-gmbh.de
+49 (0)9937/95960-11