Overview
Before the European Cyber Resilience Act (CRA), EU legislation applied to certain products with digital elements, but there was no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. The various acts and initiatives taken in the EU only partially addressed the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products, and placing an unnecessary burden on companies that had to comply with a number of different requirements for similar types of products.
To increase the overall level of cybersecurity of all products with digital elements placed on the EU internal market, it is necessary for the EU to introduce objective-oriented and technology-neutral essential cybersecurity requirements for these products that apply horizontally.
Under certain conditions, any product with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all connectable products with digital elements are designed and developed in accordance with the essential requirements laid down in the Regulation.
This includes both products that can be connected physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software interface. As cybersecurity threats can propagate through various products with digital elements before reaching a certain target, for example by chaining together multiple vulnerability exploits, manufacturers should also ensure the cybersecurity of those products that are only indirectly connected to other devices or networks.
In-House Instructor-Led Training or Online Live Training.
Possible modules of the tailor-made training program
Part 1 - The European Union. How does the legislative process work?
• Key institutions.
• The European Commission, the most important institution for risk and compliance professionals.
• How does the legislative process work?
• The European System of Financial Supervision (ESFS).
• Legal acts after the Treaty of Lisbon.
• Delegated acts, supplementing or amending certain non-essential elements of a basic act.
• Implementing acts.
• Regulatory technical standards (RTS).
• Implementing technical standards (ITS).
• The European Data Protection Supervisor and the European Data Protection Board.
• The Committee of European Auditing Oversight Bodies (CEAOB).
• The European External Action Service.
• The Common Foreign and Security Policy (CFSP).
• The Common Security and Defence Policy (CSDP).
• The European Union Agency for Cybersecurity (ENISA).
• The NIS Cooperation Group.
• The European cyber crisis liaison organisation network (EU-CyCLONe).
• The High-Level Expert Group on Artificial Intelligence (AI HLEG).
Part 2 - Before the Cyber Resilience Act.
• The EU’s Cybersecurity Strategy for the Digital Decade.
• The need for the Cyber Resilience Act.
Part 3 - The Cyber Resilience Act.
CHAPTER I, GENERAL PROVISIONS.
• Article 1, Subject matter.
• Article 2, Scope.
• Article 3, Definitions.
• Article 4, Free movement.
• Article 5, Procurement or use of products with digital elements.
• Article 6, Requirements for products with digital elements.
• Article 7, Important products with digital elements.
• Article 8, Critical products with digital elements.
• Article 9, Stakeholder consultation.
• Article 10, Enhancing skills in a cyber resilient digital environment.
• Article 11, General product safety.
• Article 12, High-risk AI systems.
CHAPTER II, OBLIGATIONS OF ECONOMIC OPERATORS AND PROVISIONS IN RELATION TO FREE AND OPEN-SOURCE SOFTWARE.
• Article 13, Obligations of manufacturers.
• Article 14, Reporting obligations of manufacturers.
• Article 15, Voluntary reporting.
• Article 16, Establishment of a single reporting platform.
• Article 17, Other provisions related to reporting.
• Article 18, Authorised representatives.
• Article 19, Obligations of importers.
• Article 20, Obligations of distributors.
• Article 21, Cases in which obligations of manufacturers apply to importers and distributors.
• Article 22, Other cases in which obligations of manufacturers apply.
• Article 23, Identification of economic operators.
• Article 24, Obligations of open-source software stewards.
• Article 25, Security attestation of free and open-source software.
• Article 26, Guidance.
CHAPTER III, CONFORMITY OF THE PRODUCT WITH DIGITAL ELEMENTS.
• Article 27, Presumption of conformity.
• Article 28, EU declaration of conformity.
• Article 29, General principles of the CE marking.
• Article 30, Rules and conditions for affixing the CE marking.
• Article 31, Technical documentation.
• Article 32, Conformity assessment procedures for products with digital elements.
• Article 33, Support measures for microenterprises and small and medium sized enterprises, including start-ups.
• Article 34, Mutual recognition agreements.
CHAPTER IV, NOTIFICATION OF CONFORMITY ASSESSMENT BODIES.
• Article 35, Notification.
• Article 36, Notifying authorities.
• Article 37, Requirements relating to notifying authorities.
• Article 38, Information obligation on notifying authorities.
• Article 39, Requirements relating to notified bodies.
• Article 40, Presumption of conformity of notified bodies.
• Article 41, Subsidiaries of and subcontracting by notified bodies.
• Article 42, Application for notification.
• Article 43, Notification procedure.
• Article 44, Identification numbers and lists of notified bodies.
• Article 45, Changes to notifications.
• Article 46, Challenge of the competence of notified bodies.
• Article 47, Operational obligations of notified bodies.
• Article 48, Appeal against decisions of notified bodies.
• Article 49, Information obligation on notified bodies.
• Article 50, Exchange of experience.
• Article 51, Coordination of notified bodies.
CHAPTER V, MARKET SURVEILLANCE AND ENFORCEMENT.
• Article 52, Market surveillance and control of products with digital elements in the Union market.
• Article 53, Access to data and documentation.
• Article 54, Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk.
• Article 55, Union safeguard procedure.
• Article 56, Procedure at Union level concerning products with digital elements presenting a significant cybersecurity risk.
• Article 57, Compliant products with digital elements which present a significant cybersecurity risk.
• Article 58, Formal non-compliance.
• Article 59, Joint activities of market surveillance authorities.
• Article 60, Sweeps.
CHAPTER VI, DELEGATED POWERS AND COMMITTEE PROCEDURE.
• Article 61, Exercise of the delegation.
• Article 62, Committee procedure.
CHAPTER VII, CONFIDENTIALITY AND PENALTIES.
• Article 63, Confidentiality.
• Article 64, Penalties.
• Article 65, Representative actions.
CHAPTER VIII, TRANSITIONAL AND FINAL PROVISIONS.
• Article 66, Amendment to Regulation (EU) 2019/1020.
• Article 67, Amendment to Directive (EU) 2020/1828.
• Article 68, Amendment to Regulation (EU) No 168/2013.
• Article 69, Transitional provisions.
• Article 70, Evaluation and review.
• Article 71, Entry into force and application.
Part 4 - NIS 2, DORA, CER, and the Cyber Resilience Act.
• The “lex specialis derogat legi generali” (a special law prevails over a general law) doctrine.
• The CRA is not lex specialis. It is designed to complement the other legal acts.
Part 5 - Other EU Directives and Regulations.
Strategic consolidation of compliance projects for multiple EU Regulations and Directives.
1. The NIS 2 Directive.
2. The Digital Operational Resilience Act (DORA).
3. The Critical Entities Resilience Directive (CER).
4. The European Data Act.
5. The European Data Governance Act (DGA).
6. The Digital Services Act (DSA).
7. The Digital Markets Act (DMA).
8. The Artificial Intelligence Act (AI Act).
9. The European Digital Identity Regulation (eIDAS 2.0).
10. The European Chips Act.
11. The EU Cyber Solidarity Act.
12. The Corporate Sustainability Due Diligence Directive (CSDDD).
13. The Artificial Intelligence Liability Directive.
14. The Digital Networks Act (DNA).
15. The European ePrivacy Regulation.
16. The European Health Data Space (EHDS).
17. The European Financial Data Space (EFDS).
18. The Financial Data Access (FiDA) Regulation.
19. The Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR).
20. The Internal Market Emergency and Resilience Act (IMERA).
21. The European Media Freedom Act (EMFA).
22. The Digital Fairness Act.
23. The European Space Law (EUSL).
Instructor.
Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html