
EU Cyber Resilience Act (CRA) Discussion Topics

What is the CRA?

The EU Cyber Resilience Act (CRA) is an upcoming EU Regulation that aims to safeguard consumers and businesses who use software or products with digital components. It creates mandatory cybersecurity requirements for manufacturers, importers, and distributors that extend throughout the product lifecycle, and it helps consumers and businesses identify compliant products through the CE mark.

Main elements of the law

  • Cybersecurity rules for hardware and software that are placed on the market
  • Obligations for manufacturers, distributors, and importers
  • Cybersecurity essential requirements across the life cycle
  • Harmonised standards to follow
  • Conformity assessment
  • Reporting obligations
  • Market surveillance and enforcement

Scope

  • Hardware products (e.g. laptops, smart appliances, mobile phones, network equipment, CPUs, etc.)
  • Software products (e.g. operating systems, word processing, games or mobile apps, software libraries, etc.)
  • Remote data processing solutions for any of the above

Conformity assessment

The conformity assessment procedure a product must go through depends on its risk category.

Category            Examples                                                                     Assessment type
Open source         Web development frameworks, operating systems, database management systems, etc.   Self-assessment (unless categorized as "critical products")
Default             Memory chips, mobile apps, smart speakers, computer games, etc.              Self-assessment
Important products  Operating systems, anti-virus, routers, firewalls, etc.                      Application of harmonised standards or third-party assessment
Critical products   Smart cards, secure elements, smart meter gateways, etc.                     Potentially certification in the future

CRA Resources

Discussion topics

Active topics

Proposed topics

A proposed discussion topic needs the support of 5 people on the mailing list before it is started. Any WG member can propose a discussion topic.

WG Resources