Cyber security for digital products – from analysis to implementation

Cyber Resilience Act

Today, an increasing number of products incorporate digital components to meet rising demands for connectivity and functionality. However, many products still suffer from inadequate cybersecurity, leaving users unsure which products are actually cyber secure.

The EU Cyber Resilience Act (CRA) aims to protect consumers and businesses that purchase or use products or software with a digital component. The regulation requires manufacturers to implement comprehensive cyber security measures throughout the entire product lifecycle – from development and placing on the market to updates and vulnerability handling.

The CRA applies to hardware and software products with digital elements and therefore affects a wide range of industries – from connected devices and embedded systems to software products, cloud services and sector-specific solutions. Manufacturers are required to ensure a secure product and development lifecycle, compliance with the cyber security requirements, and continuous vulnerability management.

The Cyber Resilience Act (CRA) was adopted by the European Parliament at first reading in March 2024. Following its adoption by the European Council on 10 October 2024, the Regulation was published in the Official Journal of the European Union on 20 November 2024 and entered into force on 10 December 2024. Implementation will take place in several stages:

  • 11 June 2026: Conformity Assessment Bodies (CABs) can assess the conformity of products with the CRA requirements.
  • 11 September 2026: Manufacturers of connected products must report vulnerabilities and security incidents.
  • 11 December 2027: All CRA requirements take full effect, including cybersecurity standards, vulnerability management, and transparency obligations.

By the end of 2027, all CRA requirements must be met for new products.

Established international standards and norms for product security provide comprehensive guidance and requirements that already cover many of the cyber security aspects addressed by the Cyber Resilience Act (CRA) – particularly with regard to secure development processes, risk assessments, and vulnerability and update management. Depending on the industry and product type, different normative frameworks, such as IEC 62443 for industrial and embedded systems or other recognised standards for software and IT products, can serve as a structured basis for CRA implementation.

By aligning with appropriate security standards, manufacturers create a robust foundation for meeting CRA requirements while at the same time increasing the cyber security maturity of their products.

achelos supports you professionally and efficiently in achieving CRA compliance for your products. Our security engineers accompany you throughout the development process and ensure integrated cyber security from the outset – practical, standards-based and grounded in regulatory expertise.

Introduction to the EU Cyber Resilience Act (CRA) – Workshop

  • Cybersecurity risks for manufacturers
  • Understanding the law on cyber resilience
  • Resulting cybersecurity requirements for companies and their processes
  • Resulting cybersecurity requirements for products with digital elements

CRA gap assessment and analysis

  • Analysis of selected products in the customer portfolio
  • Getting to know the product to be analysed and identifying the relevant requirements of the Cyber Resilience Act
  • Analysis of the current status with regard to the CRA
  • Identifying gaps compared to the CRA
  • Drafting an action plan

Threat Analysis and Risk Assessment (TARA) – Workshops

  • Analysis of selected products in the customer portfolio
  • Workshop on product consolidation and identification of product assets
  • Threat Analysis and Risk Assessment (TARA) by experienced security consultants
  • Workshop on risk minimisation
  • Detailed TARA report

Further services in the Secure Development Lifecycle (SDL)

  • Security concept development and security architecture
  • Secure product development
  • Hardening of software and system components
  • Consultancy on security engineering tools
  • Testing of security functions
  • Vulnerability assessments and penetration testing
  • Support with conformity assessment

  • Certified expertise
    In-house security development processes certified in accordance with ISO/IEC 27001 and Common Criteria (BSI-DSZ).

  • Extensive IT security expertise
    Gained from numerous client projects and markets with a wide range of security requirements.

  • Flexibility & availability
    Seamless integration of resources and measures into the various phases of the development lifecycle.

  • Security by design
    Systematic and step-by-step integration of security requirements into your development processes.

Any questions? Your contacts in this field are:

Denis Bock

Senior Sales Manager Cybersecurity Industry and Mobility

denis.bock@achelos.de +49 160 93516763

Gorden Bittner

Sales Director eHealth

gorden.bittner@achelos.de +49 171 7433 954