With the Cyber Resilience Act (CRA), the European Union (EU) is creating a uniform framework for the cybersecurity of products with digital components. It supplements existing special regulations, but does not replace them. Instead, it defines a horizontal minimum standard that covers almost all digital products – regardless of whether they are hardware with integrated software or pure software solutions. The aim of the CRA is to increase cybersecurity within the European Union.
Requirements of the Cyber Resilience Act for manufacturers
The CRA combines technical and organisational security requirements: manufacturers of digital products must identify risks in a structured manner, introduce appropriate protective measures, remedy vulnerabilities and provide regular security updates. In addition, they must submit meaningful technical documentation that enables authorities to carry out a thorough conformity assessment.
EN 40000 series of standards as a normative guideline
In order to be flexible and applicable to different technologies and industries, the provisions of the Cyber Resilience Act have been deliberately formulated in a technology- and sector-neutral manner. However, this openness leaves room for interpretation, which can make it difficult to implement the requirements in practice.
This is where the EN 40000 series of standards comes in. It was developed to close implementation gaps and provide binding guidance. The family of standards is intended to serve as a technical foundation for the CRA and to create a uniform framework of terms and understanding throughout Europe. The aim is to provide manufacturers, testing laboratories and supervisory authorities with a common framework for the consistent interpretation of regulatory requirements.
White paper: "Cyber Resilience Act and EN 40000: Guidance for manufacturers in the new EU regulatory framework"
Our white paper explains the scope of the Cyber Resilience Act as a regulatory starting point for uniform security standards and shows how the EN 40000 series of standards specifies these requirements and creates a uniform reference framework across Europe.
Three core parts of the EN 40000 architecture are particularly relevant for manufacturers, as together they form the foundation of the standards family. They define the common vocabulary, the principles for cyber resilience and the handling of vulnerabilities (vulnerability handling) that a CRA-compliant design requires.
The white paper describes these three parts of the standard in detail, focusing in particular on the significance of the modular architecture for manufacturers. The publication also contains a timeline for EN 40000 standardisation and an outlook on further announced parts of the EN 40000 family.
Manufacturers of digital products should start early to align their organisation with the requirements of the Cyber Resilience Act and the standards in order to create regulatory certainty and strengthen the long-term trustworthiness of their products. Our compact white paper summarises the relevant information and provides recommendations for action to offer manufacturers guidance in the new EU regulatory framework.