EU CRA explained
cyberresilienceact.bsky.social
Digital product cybersecurity EU requirements explained
Meaning of an incident: in cybersecurity and IT operations, an incident means any event that:

a) Disrupts or has the potential to disrupt normal operations,

b) Threatens confidentiality, integrity, or availability of information, or

c) Violates security policies or acceptable use.
September 10, 2025 at 3:26 PM
How does the EU CRA affect LoRaWAN end-nodes, the ones that are beyond the gateway? Are they subject to the EU CRA?
May 21, 2025 at 4:34 PM
What is the "Recommendation 2003/361/EC" mentioned in the EU CRA?

It is defined in paragraph 19 of Article 3 "Definitions" of CHAPTER I "GENERAL PROVISIONS"
May 14, 2025 at 10:55 AM
The EU CRA does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.
May 14, 2025 at 10:49 AM
In the EU CRA, "cloud" is mentioned only in paragraph 12: "Cloud solutions constitute remote data processing solutions within the meaning of this Regulation only if they meet the definition laid down in this Regulation. ..." In the same paragraph, "Directive (EU) 2022/2555" is mentioned. What is it?
May 14, 2025 at 8:33 AM
Reposted by EU CRA explained
Businesses Should Take a Lifecycle Approach to Device Security - Infosecurity Magazine www.infosecurity-magazine.com/opinions/bus...
HP's Alex Holland sets out how organizations can secure devices from procurement to end-of-life
May 11, 2025 at 10:04 AM
Secure by default. The EU CRA mentions that a couple of times. But what's the meaning behind that term?
May 9, 2025 at 12:20 PM
19 billion passwords are available online right now to any hackers who want to seek them out.

www.forbes.com/sites/daveyw...
Warning — 19 Billion Compromised Passwords Have Been Published Online
You must take action now, as security experts confirm 19 billion compromised passwords available to cybercriminals for use in account hacking attacks.
May 7, 2025 at 8:36 AM
By essential cybersecurity requirements of EU CRA, the products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces.

Here is a great experiment that shows why we need such a requirement: www.xda-developers.com/set-up-ssh-h...
I set up an SSH honeypot, and the internet is a scary place
Don't try this at home.
May 6, 2025 at 7:41 PM
Subsidiaries of and subcontracting by notified bodies
May 6, 2025 at 1:49 PM
Member States shall strive to ensure, by 11 December 2026, that there is a sufficient number of notified bodies in the Union to carry out conformity assessments, in order to avoid bottlenecks and hindrances to market entry.
webgate.ec.europa.eu/single-marke...
EUROPA – European Commission – Growth – Regulatory policy - SMCS
May 6, 2025 at 12:43 PM
Where a hardware product, such as a smartphone, is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer should continue to provide security updates at least for the latest compatible version of the operating system for the support period.
May 5, 2025 at 1:44 PM
Cloud enabled functionalities provided by a manufacturer of smart home devices that enable users to control the device at a distance fall within the scope of EU CRA.
May 2, 2025 at 11:23 AM
Reposted by EU CRA explained
Lessons I Wish I Learned Before Starting in Cybersecurity
Cybersecurity is a vast field, much like the shadow of IT itself. There are as many sectors in cybersecurity as there are in IT. Here are key lessons I wish I knew earlier: 1. Cybersecurity is Extremely Diverse The field spans network security, ethical hacking, digital forensics, cloud security, and more. Advice: Start with one specialization (e.g., penetration testing) before branching out.
May 2, 2025 at 4:51 AM
Reposted by EU CRA explained
'To issue these two first certificates at assurance level high, ANSSI has been accredited by the French Accreditation Body, Cofrac and authorised. The certified products were evaluated by SERMA Safety & Security'.
certification.enisa.europa.eu/news/first-e...
First EUCC Cybersecurity Certificates Set Sails from France
First EUCC Certificates celebrated at the InCyber Forum
May 1, 2025 at 6:01 AM
Reposted by EU CRA explained
How Hack: The Future of Industrial Automation and Cybersecurity Challenges
The rapid adoption of industrial automation, especially in Asia, presents both opportunities and cybersecurity risks. As manufacturing systems integrate more software-driven solutions, vulnerabilities in operational technology (OT) become critical attack surfaces. You Should Know: Industrial Automation Security Risks & Mitigations 1. Insecure Protocols in OT Environments Many industrial control systems (ICS) rely on outdated protocols like Modbus, PROFINET, or DNP3, which lack encryption.
May 1, 2025 at 6:01 AM
Contains useful ISA/IEC 62443 compliance checks, such as verifying open ports on Linux or checking firewall rules on Windows.
April 30, 2025 at 1:07 PM
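An added example of the kind of "verify open ports on Linux" check the post refers to (it is not the author's code and not part of ISA/IEC 62443 itself). It parses constructed `ss -Hltn`-style listener lines, tells loopback-only sockets from externally reachable ones, and flags exposed ports that are not on an assumed allowlist, which is the concrete side of the CRA's "limit external interfaces" requirement.

```python
"""Flag TCP listeners exposed on external interfaces (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample, shaped like `ss -Hltn` output (no header, TCP, listening).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511                *:80              *:*
LISTEN 0      128             [::1]:6379         [::]:*
LISTEN 0      128             [::]:8080         [::]:*
LISTEN 0      50    192.168.10.5:23        0.0.0.0:*
"""

# Ports a hypothetical device is approved to expose externally (assumption).
APPROVED_EXTERNAL_PORTS = {22, 80}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    def is_external(self) -> bool:
        """True when the socket accepts connections from other hosts."""
        if self.address in ("*", "0.0.0.0", "::"):
            return True  # wildcard bind: reachable on every interface
        return not ipaddress.ip_address(self.address).is_loopback


def parse_ss_line(line: str) -> Listener:
    """Extract the local address and port from one `ss -Hltn` line."""
    local = line.split()[3]                # "Local Address:Port" column
    addr, _, port = local.rpartition(":")  # split on the last colon (IPv6 safe)
    return Listener(addr.strip("[]"), int(port))  # "[::]" -> "::"


def find_unapproved_exposure(ss_output: str, approved: set[int]) -> list[Listener]:
    """Return externally reachable listeners whose port is not approved."""
    listeners = [parse_ss_line(l) for l in ss_output.splitlines() if l.strip()]
    return [l for l in listeners if l.is_external() and l.port not in approved]


if __name__ == "__main__":
    for hit in find_unapproved_exposure(SAMPLE_SS_OUTPUT, APPROVED_EXTERNAL_PORTS):
        print(f"unapproved external listener: {hit.address}:{hit.port}")
```

On the sample, the Postgres and Redis sockets pass because they are loopback-bound, while the wildcard bind on 8080 and the telnet listener on the LAN address are reported.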
NIS2 adoption is delayed as a total of 13 countries still have not incorporated the NIS2 cybersecurity directive into domestic legislation as required.
April 30, 2025 at 12:40 PM
In the area of cybersecurity, there have not yet been any harmonized standards at all — because all EU harmonization regulations concerning the cybersecurity of products are still quite recent.

But...
April 30, 2025 at 10:17 AM
In a modern car, there are about 1,500 microchips. By 2030, this number is expected to rise to 3,000. www.theguardian.com/business/202...
EU microchip strategy ‘deeply disconnected from reality’, say official auditors
Plan to supply 20% of the world’s chips by 2030 described as ‘essentially aspirational’
April 30, 2025 at 9:37 AM
A good discussion about the UK adapting the EU's harmonized standards and CE marking.
Very significant intervention! Leading industry groups now back the @uktradebusiness.bsky.social policy recommendation for EU and UK to agree mutual recognition of each others' product safety standards. It would save many millions £, reduce border friction and grow our economies. I hope HMG listens.
🚨NEW: 19 UK & EU industry bodies have joined forces to call for a mutual recognition agreement on conformity assessment.

Sounds technical - but CRUCIALLY this is a practical, achievable measure to reduce unnecessary barriers to UK-EU trade. Proposed by @uktradebusiness.bsky.social in 2023!
April 30, 2025 at 8:11 AM
The EU CRA is well explained from a software development and product management perspective by software development veteran Olle E. Johansson.
Watch my recent talk about the EU Cyber Resilience Act at OWASP BeneluxDays. It talks about how the CRA affects your software development, how the SBOM plays a role and how it affects your business model.

youtu.be/XMAfeQQ2ZOM?...

#CRA #SBOM #OWASP

@owasp.org
How The EU Cyber Resilience Act Will Change The Software Industry Forever - Olle E. Johansson
YouTube video by OWASP Netherlands
April 30, 2025 at 7:33 AM
The two sectors with the most mature SRMAs were energy and finance, but according to the model scored only a 3 out of a possible 5. The rest fell dismally below that line. www.darkreading.com/remote-workf...
US Critical Infrastructure Still Struggles With OT Security
How does a company defend itself from cyberattacks by a foreign adversary? A collection of experts gathered at this year's RSAC Conference to explain how the US can help.
April 30, 2025 at 6:29 AM
The EU CRA leaves it to end-users to decide whether or not they want to update their device software, including security hotpatches.

The obligation of device manufacturers is to provide such security updates.
April 30, 2025 at 5:07 AM
Companies should adopt this document and start the process of ensuring that their web applications minimize these risks.
owasp.org/www-project-...
OWASP Top Ten | OWASP Foundation
The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software devel...
April 29, 2025 at 3:48 PM