Training for the Board of Directors, Cyber Resilience Act



Which are the "Critical products with digital elements"?

Class I

1. Identity management systems software and privileged access management software;
2. Standalone and embedded browsers;
3. Password managers;
4. Software that searches for, removes, or quarantines malicious software;
5. Products with digital elements with the function of virtual private network (VPN);
6. Network management systems;
7. Network configuration management tools;
8. Network traffic monitoring systems;
9. Management of network resources;
10. Security information and event management (SIEM) systems;
11. Update/patch management, including boot managers;
12. Application configuration management systems;
13. Remote access/sharing software;
14. Mobile device management software;
15. Physical network interfaces;
16. Operating systems not covered by class II;
17. Firewalls, intrusion detection and/or prevention systems not covered by class II;
18. Routers, modems intended for the connection to the internet, and switches, not covered by class II;
19. Microprocessors not covered by class II;
20. Microcontrollers;
21. Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) intended for the use by essential entities of the type referred to in the Directive NIS 2;
22. Industrial Automation & Control Systems (IACS) not covered by class II, such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
23. Industrial Internet of Things not covered by class II.


Class II

1. Operating systems for servers, desktops, and mobile devices;
2. Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments;
3. Public key infrastructure and digital certificate issuers;
4. Firewalls, intrusion detection and/or prevention systems intended for industrial use;
5. General purpose microprocessors;
6. Microprocessors intended for integration in programmable logic controllers and secure elements;
7. Routers, modems intended for the connection to the internet, and switches, intended for industrial use;
8. Secure elements;
9. Hardware Security Modules (HSMs);
10. Secure cryptoprocessors;
11. Smartcards, smartcard readers and tokens;
12. Industrial Automation & Control Systems (IACS) intended for the use by essential entities of the type referred to in Directive NIS 2, such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
13. Industrial Internet of Things devices intended for the use by essential entities of the type referred to in Directive NIS 2;
14. Robot sensing and actuator components and robot controllers;
15. Smart meters.


Our Briefings for the Board:

We offer custom briefings for the Board of Directors and executive management, tailored to the specific needs of each legal entity. Our briefings can be short and comprehensive (60 minutes), or longer, depending on the needs, the content of the program and the case studies.

Alternatively, you may choose one of our existing briefings:


1. The European Cyber Resilience Act (CRA) for the Board of Directors and executive management of EU and non-EU legal entities (tailor-made training).

2. Understanding the extraterritorial application of EU law and the equivalence decisions of the European Commission.

You can find all information below.



1. The European Cyber Resilience Act (CRA) for the Board of Directors and executive management of EU and non-EU legal entities (tailor-made training).

Course Synopsis

Subject matter and scope.

Understanding the important definitions.

Requirements for products with digital elements.
- Critical products with digital elements.
- General product safety.
- High-risk AI systems.
- Products with digital elements classified as high-risk AI systems, and the EU AI Regulation.

Obligations of manufacturers.
- Reporting obligations of manufacturers.
- When placing a product with digital elements on the market, manufacturers must ensure that it has been designed, developed and produced in accordance with the essential requirements of the European Cyber Resilience Act (CRA) described in Annex I, below.

Annex I.
- Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks,
- Products with digital elements shall be delivered without any known exploitable vulnerabilities,
- On the basis of the risk assessment and where applicable, products with digital elements shall be delivered with a secure by default configuration, including the possibility to reset the product to its original state,
- Products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems,
- Products with digital elements shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms,
- Products with digital elements shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions,
- Products with digital elements shall process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’),
- Products with digital elements shall protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks,
- Products with digital elements shall minimise their own negative impact on the availability of services provided by other devices or networks,
- Products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces,
- Products with digital elements shall be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques,
- Products with digital elements shall provide security related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services or functions,
- Products with digital elements shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

- Authorised representatives.

- Obligations of importers.

- Obligations of distributors.

- Cases in which obligations of manufacturers apply to importers and distributors.

- Identification of economic operators.

Market surveillance and control of products with digital elements in the EU market.
- Access to data and documentation.
- Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk.
- When the market surveillance authority finds that products with digital elements do not comply with the requirements laid down in this Regulation.
- Corrective actions to bring the products into compliance with requirements.
- Withdrawal of products from the market.
- Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk.
- "Sweeps", simultaneous coordinated control actions of particular products to check compliance with the European Cyber Resilience Act (CRA), or to detect infringements to this Regulation.

Penalties.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



2. Understanding the extraterritorial application of EU law and the equivalence decisions of the European Commission.

Course Synopsis

The terms ‘extraterritoriality’ and ‘extraterritorial jurisdiction’ refer to the competence of a country to extend its legal powers beyond its territorial boundaries, and to make, apply and enforce rules of conduct in respect of persons, property or events beyond its territory.

The Sarbanes-Oxley Act of 2002, for example, applies to foreign auditors and foreign companies whose securities are listed in a US stock exchange.

Extraterritorial application of EU law is the application of EU provisions outside the territory of the EU, resulting from EU unilateral legislative and regulatory action.

For example, according to the EU's General Data Protection Regulation (GDPR), non-EU data controllers and processors in any country must comply with the GDPR obligations if they offer goods or services to individuals in the EU.

Anu Bradford, Professor of Law at Columbia Law School, is the author of the book “The Brussels Effect: How the European Union Rules the World” (2020), which was named one of the best books of 2020 by Foreign Affairs.

In 2012, she introduced the concept of the ‘Brussels Effect’, which describes Europe’s unilateral power to regulate global markets.

Anu Bradford explains why most global corporations choose to adopt the European laws, regulations and standards in the design and operation of their products and services.

The EU standards are generally stricter, and in most cases, when you comply with EU rules, you comply with laws and regulations around the world.

Even when this approach is more costly, global corporations prefer to have an enterprise-wide, single mode of production and operations, and to market their goods and services globally.

Following the doctrine "you comply with EU rules, you comply around the world", global corporations and service providers need professionals that understand the EU laws, regulations, standards and guidelines.

When the European Commission determines that the regulatory or supervisory regime of a non-EU country is equivalent to the corresponding EU framework, the equivalence decision:

- allows authorities in the EU to rely on supervised entities' compliance with the equivalent rules of the non-EU country,

- reduces or eliminates overlaps in compliance requirements for both EU and non-EU entities,

- allows services and products of non-EU companies to be accepted in the EU,

- allows third-country firms to provide services without establishment in the EU single market.

We will discuss what happens when the European Commission determines that the regulatory or supervisory regime of a non-EU country is not equivalent to the corresponding EU framework, or when the European Commission has not yet determined if the regulatory or supervisory regime of a non-EU country is equivalent.

We can better understand equivalence decisions from the experience we have with the Accounting Directive, the Audit Directive, the Capital Requirements Regulation (CRR), the Credit Rating Agencies Regulation, the European Market Infrastructure Regulation (EMIR), the Market Abuse Regulation (MAR), the Markets in Financial Instruments Directive (MiFID II), the Markets in Financial Instruments Regulation (MiFIR), the Prospectus Directive, the Solvency II Directive and the Transparency Directive.

After this presentation, the Board and executive management will have a clear understanding of what is mandatory and what is "nice to have", and of the consequences of non-compliance.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html


Cyber Risk GmbH, some of our clients