Training for the European Cyber Resilience Act



Overview

Before the European Cyber Resilience Act (CRA), EU legislation applied to certain products with digital elements, but there was no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. The various acts and initiatives taken in the EU only partially addressed the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products, and adding an unnecessary burden on companies to comply with a number of requirements for similar types of products.

To increase the overall level of cybersecurity of all products with digital elements placed on the EU internal market, it is necessary for the EU to introduce objective-oriented and technology-neutral essential cybersecurity requirements for these products that apply horizontally.

Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all connectable products with digital elements are designed and developed in accordance with essential requirements laid down in this Regulation.

This includes both products that can be connected physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software interface. As cybersecurity threats can propagate through various products with digital elements before reaching a certain target, for example by chaining together multiple vulnerability exploits, manufacturers should also ensure the cybersecurity of those products that are only indirectly connected to other devices or networks.


Which are the "critical products with digital elements"?

Class I

1. Identity management systems software and privileged access management software;
2. Standalone and embedded browsers;
3. Password managers;
4. Software that searches for, removes, or quarantines malicious software;
5. Products with digital elements with the function of virtual private network (VPN);
6. Network management systems;
7. Network configuration management tools;
8. Network traffic monitoring systems;
9. Management of network resources;
10. Security information and event management (SIEM) systems;
11. Update/patch management, including boot managers;
12. Application configuration management systems;
13. Remote access/sharing software;
14. Mobile device management software;
15. Physical network interfaces;
16. Operating systems not covered by class II;
17. Firewalls, intrusion detection and/or prevention systems not covered by class II;
18. Routers, modems intended for the connection to the internet, and switches, not covered by class II;
19. Microprocessors not covered by class II;
20. Microcontrollers;
21. Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) intended for the use by essential entities of the type referred to in the Directive NIS 2;
22. Industrial Automation & Control Systems (IACS) not covered by class II, such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
23. Industrial Internet of Things not covered by class II.


Class II

1. Operating systems for servers, desktops, and mobile devices;
2. Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments;
3. Public key infrastructure and digital certificate issuers;
4. Firewalls, intrusion detection and/or prevention systems intended for industrial use;
5. General purpose microprocessors;
6. Microprocessors intended for integration in programmable logic controllers and secure elements;
7. Routers, modems intended for the connection to the internet, and switches, intended for industrial use;
8. Secure elements;
9. Hardware Security Modules (HSMs);
10. Secure cryptoprocessors;
11. Smartcards, smartcard readers and tokens;
12. Industrial Automation & Control Systems (IACS) intended for the use by essential entities of the type referred to in Directive NIS 2, such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
13. Industrial Internet of Things devices intended for the use by essential entities of the type referred to in Directive NIS 2;
14. Robot sensing and actuator components and robot controllers;
15. Smart meters.



Training program 1: Preparing for the European Cyber Resilience Act (CRA), for EU and non-EU firms (tailor-made training).


Possible modules of the tailor-made training program

Subject matter and scope.
- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products.
- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity.
- essential requirements for the vulnerability handling processes put in place by manufacturers, to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes.
- rules on market surveillance and enforcement of the above-mentioned rules and requirements.

Understanding the important definitions.
- What is ‘product with digital elements’, ‘critical product with digital elements’, and ‘highly critical product with digital elements’?
- What is ‘economic operator’, ‘manufacturer’, ‘authorised representative’, ‘importer’, and ‘distributor’?
- What is ‘reasonably foreseeable use’ and ‘reasonably foreseeable misuse’?

Requirements for products with digital elements.
- Critical products with digital elements.
- General product safety.
- High-risk AI systems.
- Products with digital elements classified as high-risk AI systems, and the AI Regulation.

Obligations of manufacturers.
- Reporting obligations of manufacturers.
- When placing a product with digital elements on the market, manufacturers must ensure that it has been designed, developed and produced in accordance with the essential requirements of the European Cyber Resilience Act (CRA) described in Annex I, below.

Annex I.
- Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks,
- Products with digital elements shall be delivered without any known exploitable vulnerabilities,
- On the basis of the risk assessment and where applicable, products with digital elements shall be delivered with a secure by default configuration, including the possibility to reset the product to its original state,
- Products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems,
- Products with digital elements shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms,
- Products with digital elements shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions,
- Products with digital elements shall process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’),
- Products with digital elements shall protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks,
- Products with digital elements shall minimise their own negative impact on the availability of services provided by other devices or networks,
- Products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces,
- Products with digital elements shall be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques,
- Products with digital elements shall provide security related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services or functions,
- Products with digital elements shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

- Authorised representatives.

- Obligations of importers.

- Obligations of distributors.

- Cases in which obligations of manufacturers apply to importers and distributors.

- Identification of economic operators.

Presumption of conformity.
- Common specifications.
- EU declaration of conformity.
- Rules and conditions for affixing the CE marking.
- Technical documentation.
- Conformity assessment procedures for products with digital elements.

Notifying authorities.
- Member States designate notifying authorities responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessments.
- Requirements relating to notified bodies.
- Subsidiaries of and subcontracting by notified bodies.
- The notification procedure.
- Changes to notifications.

Market surveillance and control of products with digital elements in the EU market.
- Access to data and documentation.
- Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk.
- When the market surveillance authority finds that products with digital elements do not comply with the requirements laid down in this Regulation.
- Corrective actions to bring the products into compliance with requirements.
- Withdrawal of products from the market.
- Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk.
- "Sweeps", simultaneous coordinated control actions of particular products to check compliance with the European Cyber Resilience Act (CRA), or to detect infringements to this Regulation.

Confidentiality.

Penalties.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training sessions for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



Training program 2: Preparing for the European Cyber Resilience Act (CRA), the NIS 2 Directive, and the Critical Entities Resilience Directive (CER), for EU and non-EU firms (tailor-made training).


Possible modules of the tailor-made training program


a. The European Cyber Resilience Act

Subject matter and scope.
- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products.
- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity.
- essential requirements for the vulnerability handling processes put in place by manufacturers, to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes.
- rules on market surveillance and enforcement of the above-mentioned rules and requirements.

Understanding the important definitions.
- What is ‘product with digital elements’, ‘critical product with digital elements’, and ‘highly critical product with digital elements’?
- What is ‘economic operator’, ‘manufacturer’, ‘authorised representative’, ‘importer’, and ‘distributor’?
- What is ‘reasonably foreseeable use’ and ‘reasonably foreseeable misuse’?

Requirements for products with digital elements.
- Critical products with digital elements.
- General product safety.
- High-risk AI systems.
- Products with digital elements classified as high-risk AI systems, and the AI Regulation.

Obligations of manufacturers.
- Reporting obligations of manufacturers.
- When placing a product with digital elements on the market, manufacturers must ensure that it has been designed, developed and produced in accordance with the essential requirements of the European Cyber Resilience Act (CRA) described in Annex I, below.

Annex I.
- Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks,
- Products with digital elements shall be delivered without any known exploitable vulnerabilities,
- On the basis of the risk assessment and where applicable, products with digital elements shall be delivered with a secure by default configuration, including the possibility to reset the product to its original state,
- Products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems,
- Products with digital elements shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms,
- Products with digital elements shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions,
- Products with digital elements shall process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’),
- Products with digital elements shall protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks,
- Products with digital elements shall minimise their own negative impact on the availability of services provided by other devices or networks,
- Products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces,
- Products with digital elements shall be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques,
- Products with digital elements shall provide security related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services or functions,
- Products with digital elements shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

- Authorised representatives.

- Obligations of importers.

- Obligations of distributors.

- Cases in which obligations of manufacturers apply to importers and distributors.

- Identification of economic operators.

Presumption of conformity.
- Common specifications.
- EU declaration of conformity.
- Rules and conditions for affixing the CE marking.
- Technical documentation.
- Conformity assessment procedures for products with digital elements.

Notifying authorities.
- Member States designate notifying authorities responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessments.
- Requirements relating to notified bodies.
- Subsidiaries of and subcontracting by notified bodies.
- The notification procedure.
- Changes to notifications.

Market surveillance and control of products with digital elements in the EU market.
- Access to data and documentation.
- Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk.
- When the market surveillance authority finds that products with digital elements do not comply with the requirements laid down in this Regulation.
- Corrective actions to bring the products into compliance with requirements.
- Withdrawal of products from the market.
- Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk.
- "Sweeps", simultaneous coordinated control actions of particular products to check compliance with the European Cyber Resilience Act (CRA), or to detect infringements to this Regulation.

Confidentiality.

Penalties.


b. The NIS 2 Directive

Introduction.
- Subject matter and scope.
- Essential and important entities.
- The "high common level of cybersecurity across the Union".
- Member States adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs).
- The new cybersecurity risk-management measures and reporting obligations.
- The new cybersecurity information sharing obligations.

Understanding the important definitions, including ‘near miss’, ‘large-scale cybersecurity incident’, ‘significant cyber threat’, ‘internet exchange point’, etc.

National cybersecurity strategy - objectives, resources, regulatory measures.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Coordinated vulnerability disclosure and a European vulnerability database.

- The new Cooperation Group that facilitates strategic cooperation and the exchange of information.
- The new network of national CSIRTs.
- The new European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- International cooperation.
- Peer reviews.

Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training, and encourage essential and important entities to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities not established in the EU but offering services within the EU must designate a representative in the EU.
- The tasks of the representative.

Cybersecurity information-sharing arrangements.

General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.

- What is next: Delegated and Implementing Acts.
- Review.
- Transposition.

What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.

- Master plan and list of immediate actions, for firms established in EU and non-EU countries.

- Other new EU directives and regulations that introduce compliance challenges to EU and non-EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


c. The Critical Entities Resilience Directive (CER).

- Subject matter, Scope and Definitions.

- Understanding the definitions of a “critical entity”, "resilience", "incident", "critical infrastructure", and "essential service".

Strategy on the resilience of critical entities.
- strategic objectives and priorities;
- a governance framework;
- a description of measures necessary to enhance the overall resilience of critical entities;
- a description of the process by which critical entities are identified;
- a description of the process supporting critical entities;
- a policy framework for coordination between the competent authorities.

Risk assessment by Member States.
- the general risk assessment;
- other relevant risk assessments;
- the relevant risks arising from the dependencies between sectors.

- The risk assessment of the critical entities.

- Resilience measures of critical entities.

- Identification of critical entities.

- What is a "significant disruptive effect".

- Critical entities in the banking, financial market infrastructure and digital infrastructure sectors.

- Competent authorities and single point of contact.

- Member States’ support to critical entities.

- Cooperation between Member States.

Background checks on persons who:
- hold sensitive roles in or for the benefit of the critical entity, notably in relation with the resilience of the critical entity;
- are mandated to have direct or remote access to its premises, information or control systems including in connection with the security of the critical entity;
- are being considered for recruitment to positions that fall under criteria mentioned in the previous points.

Incident notification.
- the number and share of users affected;
- the duration;
- the geographical area affected, taking into account whether the area is geographically isolated.

- Identification of Critical entities of particular European significance.

- The Critical Entities Resilience Group.

- Supervision and enforcement.

- Penalties.

- Sectors, subsectors and categories of entities.

- Transposition.

- Closing remarks.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training sessions for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html


Cyber Risk GmbH, some of our clients