Learn how to navigate the Cyber Resilience Act (CRA)

The EU Cyber Resilience Act (CRA), which becomes law on December 11th 2024, extends the CE marking scheme, by mandating that all products with digital elements that can be connected to a device or network must adhere to a strict set of rules in their design, documentation and support before claiming conformance.

Says William White, Direct Insight Co-Founder & Technical Director: “The EU Cyber Resilience Act will have a significant impact on embedded developers – who are generally unfamiliar with the world of CVEs (Common Vulnerabilities and Exposures) and SBOMs (software bill of materials), and unprepared to implement requirements like encryption, secure boot and OTA (over-the-air) updating. All products shipped in the EU must comply by December 2027, so it’s time to start planning – and in that respect, knowledge is power.”

Presented by CRA subject matter expert, Direct Insight co-founder & Managing Director, David Pashley, the upcoming webinar on how to prepare for the CRA in practical terms will comprise of a 40-minute talk, followed by a 15-minute Q&A session, encompassing the following topics:

• Scope, timing and enforceability
• Threat modelling and risk assessment
• Shipping a product without “known exploitable vulnerabilities”
• Firmware integrity: secure boot
• Product lifecycle and updates
• Documentation and conformity

Primarily aimed at embedded systems engineers and their managers, the workshop is also relevant to senior managers and business owners who are actively contemplating and planning for compliance with the CRA, as well as other similar or complementary regulations and standards.

Industry veteran, Pashley began his career in embedded design as a teenager and holds a master’s degree in Electrical Engineering from Imperial College London. Having worked in a variety of technical and commercial roles in the aerospace, design tools and embedded systems industries, resilience of digital systems is an area of special interest and expertise.