The Cyber Resilience Act (CRA) is set to transform cybersecurity accountability by requiring manufacturers—not just users—to ensure the security of digital products, from smart devices to industrial control systems. In this episode, Sean Martin speaks with Sarah Fluchs about what the CRA means for businesses, the challenges of compliance, and why this regulation could be a game-changer for product security and consumer trust.
⬥GUEST⬥
Sarah Fluchs, CTO at admeritia | CRA Expert Group at EU Commission | On LinkedIn: https://www.linkedin.com/in/sarah-fluchs/
⬥HOST⬥
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin
⬥EPISODE NOTES⬥
The European Commission’s Cyber Resilience Act (CRA) introduces a regulatory framework designed to improve the security of digital products sold within the European Union. In a recent episode of Redefining CyberSecurity, host Sean Martin spoke with Sarah Fluchs, Chief Technology Officer at admeritia and a member of the CRA expert group at the EU Commission. Fluchs, who has spent her career in industrial control system cybersecurity, offers critical insights into what the CRA means for manufacturers, retailers, and consumers.
A Broad Scope: More Than Just Industrial Automation
Unlike previous security regulations that focused on specific sectors, the CRA applies to virtually all digital products. Fluchs emphasizes that if a device is digital and sold in the EU, it likely falls under the CRA’s requirements. From smartwatches and baby monitors to firewalls and industrial control systems, the regulation covers a wide array of consumer and business-facing products.
The CRA also extends beyond hardware: software, and the services required for a product to function (such as a cloud backend or companion app without which the device does not work), are in scope as part of the product. This broad application is part of what makes the regulation so impactful. Manufacturers now face mandatory cybersecurity requirements that will shape product design, development, and post-sale support.
What the CRA Requires
The CRA introduces mandatory cybersecurity requirements that apply across the product lifecycle, not only to the shipped product. As Fluchs describes in the conversation, they cover product characteristics (for example, whether stored data is encrypted and what authentication the product offers) as well as processes: building security into design and production, continuously checking for unpatched vulnerabilities in the product, informing customers about vulnerabilities and advising them what to do, and performing a cybersecurity risk assessment, which is the linchpin for deciding how each requirement applies and how it is met.
Fluchs notes that these requirements align with established security best practices. For businesses already committed to cybersecurity, the CRA should feel like a structured extension of what they are already doing, rather than a disruptive change.
Compliance Challenges: No Detailed Checklist Yet
One of the biggest concerns among manufacturers is the lack of detailed compliance guidance. While comparable EU product regulations run to dozens of pages of detailed requirements, the CRA's essential requirements span just one and a half pages. This generality is intentional, since it allows the same text to cover very different kinds of products, but it also creates uncertainty.
To address this, the European Commission has tasked the European standardization organizations with developing harmonized standards that concretize the essential requirements for different kinds of products. However, given the short time frame and the consensus-based process such standards require, many of them are unlikely to be ready before enforcement begins. Until they are, companies will need to interpret the essential requirements themselves, conduct their own cybersecurity risk assessments, and document that they have done so.
The Impact on Critical Infrastructure and Industrial Systems
While the CRA is not specifically a critical infrastructure regulation, it has major implications for industrial environments. Operators of critical systems, such as utilities and manufacturing plants, will benefit from stronger security in the components they rely on.
Fluchs highlights that many security gaps in industrial environments stem from weak product security. The CRA aims to fix this by ensuring that manufacturers, rather than operators, bear the responsibility for secure-by-design components. This shift could significantly reduce cybersecurity risks for organizations that rely on complex supply chains.
A Security Milestone: Holding Manufacturers Accountable
The CRA represents a fundamental shift in cybersecurity responsibility. Whoever first places a product on the EU market, whether manufacturer, importer, or retailer, must ensure that it meets the CRA's essential requirements and carries the CE marking; products that do not comply cannot be sold in the EU.
Fluchs points out that while the burden of compliance is significant, the benefits for consumers and businesses will be substantial. Security-conscious companies may even gain a competitive advantage, as customers start to prioritize products that meet CRA security standards.
For those in the industry wondering how strictly the EU will enforce compliance, Fluchs reassures listeners that the goal is not to punish manufacturers for small mistakes. Instead, the EU Commission aims to improve cybersecurity without unnecessary bureaucracy.
The Bottom Line
The Cyber Resilience Act is set to reshape cybersecurity expectations for digital products. While manufacturers face new compliance challenges, consumers and businesses will benefit from stronger security measures, better vulnerability management, and increased transparency.
Want to learn more? Listen to the full episode of Redefining CyberSecurity with Sean Martin and Sarah Fluchs to hear more insights into the CRA and what it means for the future of cybersecurity.
⬥SPONSORS⬥
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3
ThreatLocker: https://itspm.ag/threatlocker-r974
⬥RESOURCES⬥
Inspiring Post: https://www.linkedin.com/posts/sarah-fluchs_aaand-its-official-the-cyber-resilience-activity-7250162223493300224-zECA/
Adopted CRA text: https://data.consilium.europa.eu/doc/document/PE-100-2023-INIT/en/pdf
A list of Sarah's blog posts to get your CRA knowledge up to speed:
1️⃣ Introduction to the CRA, the CE marking, and the regulatory ecosystem around it: https://fluchsfriction.medium.com/eu-cyber-resilience-act-9e092fffbd73
2️⃣ Explanation how the standards ("harmonised European norms, hEN") are defined that will detail the actual cybersecurity requirements in the CRA (2023): https://fluchsfriction.medium.com/what-cybersecurity-standards-will-products-in-the-eu-soon-have-to-meet-590854ba3c8c
3️⃣ Overview of the essential requirements outlined in the CRA (2024): https://fluchsfriction.medium.com/what-the-cyber-resilience-act-requires-from-manufacturers-0ee0b917d209
4️⃣ Overview of the global product security regulation landscape and how the CRA fits into it (2024): https://fluchsfriction.medium.com/product-security-regulation-in-2024-93ddc6dd8900
5️⃣ Good-practice example for the "information and instructions to the user," one of the central documentations that need to be written for CRA compliance and the only one that must be provided to the product's users (2024): https://fluchsfriction.medium.com/how-to-be-cra-compliant-and-make-your-critical-infrastructure-clients-happy-441ecd859f52
⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity:
🎧 https://www.itspmagazine.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
Interested in sponsoring this show with an ad placement in the podcast? Learn more:
Sean Martin: [00:00:00] And hello, everybody. You're very welcome to a new episode of Redefining CyberSecurity. I'm Sean Martin, your host, who I get to talk to loads of cool people about cool topics. I think they're cool. Cybersecurity is cool, even if it's a bit nerdy. But, uh, it's an important piece of running a business and it's an important piece of, uh, keeping things safe and running smoothly in society.
Sometimes organizations, sometimes government needs to step in and give us a hand. And we're going to talk about one of those things coming from the European Commission, the Cyber Resilience Act. And I'm thrilled to have Sarah Fluchs on. Sarah, how are you?
Sarah Fluchs: Hello, good to see you.
Sean Martin: Good to see you as well. We've, uh, this has been a session in the making for a while. We finally connected, so I'm thrilled to have you on the show. Um, Perhaps you could take [00:01:00] a moment to kind of give folks a background on your role, uh, your connection to, uh, the EC, the European Commission, and then we'll get into the act itself.
Sarah Fluchs: Yeah, sure. So I do not work for the European Commission. That's very important to say at the very beginning. Um, uh, from my background, I'm a mechanical engineer, automation engineer by, by background. Um, and I've been working on OT cybersecurity, so industrial control system cybersecurity, ever since.
Um, and professionally, I'm the CTO of admeritia, which is a consulting company, uh, working, um, for 20 years now on OT cybersecurity, a variety of topics, but always in the, in the industrial sector. Um, and as a CTO, I'm responsible for our research, our tooling and for the methods that we use. And, um, because [00:02:00] cybersecurity, as you rightly said in the introduction, is always a bit driven by standards and regulation and governments,
I'm also pretty active in standardization and in consulting governments on certain regulation. And regarding CRA, I'm a member, a type A member in my personal capacity, of the CRA expert group at the EU Commission, um, which was founded, uh, this year, um, to help consult on implementation and guidance around the CRA, the Cyber Resilience Act. Um, beyond that, I'm also
working pretty much in standardization. So, um, industrial cybersecurity standardization at ISA 62443. And as these are all standards that are probably going to play a role in the CRA, the Cyber Resilience Act, um, it actually makes sense to [00:03:00] have both of that, to have the whole picture. Okay. Okay.
Sean Martin: Interesting. I want to touch on this quickly, uh, before we get into the, the actual act, because the, the ISA is the International Society of Automation. And when I think of automation, um, I typically think of, well, ways to get the human out of the way, right? Let things move more smoothly, hopefully, and perhaps, uh, a little faster than, than a human can do things as well.
Um, it's big in the manufacturing space, certainly big in, in the, uh, critical infrastructure space when we look at, uh, yeah, valves and pressure systems and that whole, that whole thing working hand in hand with each other. Um, it can be a double-edged sword, right? Automation. Uh, where if you automate something bad, it can explode it, the, uh, in a bad way.
[00:04:00] Or, I don't want to say the word explode, but it can automate something bad and scale that bad, that bad trait throughout. But it can also, if done properly, kind of go to the point we're talking about, which is resilience. If you can build the resilience in the automation, it can really ensure something looks a little better, operates a little better.
I don't know if you have any Thoughts on that, uh, in, in regard to what we're, what we're going to talk about here in a moment.
Sarah Fluchs: Yeah, I mean, that's exactly right. I mean, what you described regarding automation, um, that's exactly what automation is, industrial automation is about. So it can be manufacturing and robots, um, and it can be process industry, the valves, and a lot of critical infrastructures are automated, um, a lot of utilities and
part of the power grid and things like that. And that's why resilience in these systems plays such an important role. Definitely, because it's always also [00:05:00] about the resilience of our critical infrastructure and of our large production facilities.
Sean Martin: So let's get into, uh, the act itself. Um, can you give us a little background on when it came together? Uh, maybe what some of the drivers were based on your understanding, what the triggers were for it to, uh, become, become, uh, law out of the EU.
Sarah Fluchs: Yeah, I think first of all, it's important to know about the CRA that it has a huge scope. So it's not just about, um, automation systems, the industrial automation that we just talked about, but it's really about every digital product. So that's basically really, if you look around at your desk at all the devices that are there, they're probably all in scope of the CRA.
It's easier to find examples for what's not in scope than for what is in scope. So like a basic calculator that you've been [00:06:00] using at school, that's probably not in scope, but everything else really is. So all digital devices that you have are in scope. And that's also one reason why it's difficult for manufacturers of components in the industrial space, um, often to interpret the CRA for them, because it has not always been written specifically with these specific products in mind.
But that's, that's another issue. Um, the CRA in general, from an EU, European Union perspective, the, the general framework that it uses is not new. So it's the CE marking that we have for different kinds of products, mostly for safety reasons. So for example, sunglasses have a CE marking on them that ensures that
they have been produced in a way that they actually protect, uh, your eyes from UV rays. Um, [00:07:00] children's toys, uh, have a CE marking, um, to make sure that they're actually safe for children to play with, and things like that. So, so far the CE marking has been about safety. So it's really all about having, um, the same requirements across the entire European Union
for everything that's safety relevant so far. And now the CRA really is a new legislation under this product harmonization legislation. So having, uh, harmonized rules for all products in the European Union, uh, and for the first time it's aiming at cybersecurity. So, in the end, it's also about the safety of the user, but this time, um, it's more about the security from attacks that could come from this device, from these, these digital devices.
Um, and that's why it's the first time about security, but it makes sense to have them in these entire frameworks. And that's why it's so [00:08:00] new, really, in terms of regulation, um, because I, I'm not aware of any other regulation in the world that has such a broad scope. There are some for IoT devices in the UK, for example, there is something for automotive, um, but for regulation that really has such a huge scope and is really a hard regulation that says, okay, you need to meet these requirements or else you're not going to sell your product on the European market,
um, that's really pretty unique, I think. And it's also a reason why a lot of manufacturers are currently really trying to wrap their heads around the CRA. I have heard so many manufacturers saying, but the EU Commission can't possibly mean it. I mean, it's really a hard regulation.
And unfortunately, they can. So, unfortunately, from a manufacturer's perspective, maybe,
Sean Martin: they can and they have. Oh, no, please continue.
Sarah Fluchs: sorry, what's [00:09:00] that?
Sean Martin: I already said, please continue. It sounds like you're going to say something else, but I'll actually take this moment. We'll get into the, uh, well, they can and, and how they can, and how it is important. But I want to keep, keep on the scope for a moment, because there's another point, and it's right in the opening, uh, part of the, the site that I'm looking at here.
Uh, so, in terms of, you, you mentioned not the calculator, but it does mention baby monitors, right, which sit in a home, smart watches, things like that. Um, and the software that makes them work, and the information that makes them run. And it speaks to the, the entire life cycle of the product as well. So, from manufacturing to actually running it, and there's a word in there, the retailers. That makes me twig a little bit. How do the retailers know? I guess they're a part of the chain to say [00:10:00] we're only going to, not only can the, the EU allow something to be sold, but the retailer has to do that double check, I guess. Um,
Sarah Fluchs: It's really always about placing on the market. That's the key word. So the CRA always aims at, um, the entity that places a certain product on the EU market. So the first one that sells a product on the EU market is responsible for making sure that it complies with CRA requirements.
And that can be, of course, if you think about who that could be, the manufacturer, so producing something and placing it on the market. Um, but it could also be a, a retailer that really just takes the product, uh, buys it from another manufacturer and then places it for the first time on the EU market, and they then have to make sure the product complies with the CRA.
Of course, they can only do that to a certain [00:11:00] extent, um, because they, they, they don't have insights into the production process and things like that. Um, but they need to make sure that all products that they sell at the very least have the CE marking, um, and make sure that they don't have products in their store that don't. That's important for online stores, for example, and it's also a big problem that we have in the European Union, for example, with online stores and apps from, from China, for example, because they just place these products on the market. And if you buy something from these stores as a consumer, um, depending on where the legal entity is, it could
be that you are the importer of that product. And that is really a complicated, complicated issue. So yeah, retailers, manufacturers, or importers of the product, um, are the ones that are responsible for, um, complying with the CRA requirements, or at least making sure that nothing in their store, nothing they import, nothing that they offer [00:12:00] to the European market does not comply.
Sean Martin: So, there's the making of it, placing it in the market, um, what about operating? So I'm thinking kind of in terms of the supply chain perhaps in the middle, but also customer facing where they might provide a service on top of or around the product. And I'm thinking, thinking smart cameras or something where they might, they might buy a device and then wrap, wrap a service around it to To, uh, offer additional capabilities or cloud store.
I'm just, I'm making stuff up here, but how does that scenario look in respect to the, to this?
Sarah Fluchs: So you mean if you are the manufacturer of a, of a camera or something, and then, and then what, I mean, you place it on the market, you're the one responsible for complying with the CRA
Sean Martin: I'm thinking is somebody makes the camera security camera, and then [00:13:00] I provide a service to the home user. For monitoring and cloud storage. I'm just Often times that's the same person, or the same entity. The manufacturer and the service provider. But there may be cases where a service provider uses a device.
So, I presume they're a retailer, even though they're operating
Sarah Fluchs: Well, I mean, if you, um, it's, it's principally, the CRA is for products. So it would be for the, for the camera manufacturer. If you as a reseller, like, have another product where you use the camera, that would be an additional product. So you're responsible for the entire thing, and you have to claim some things from the camera manufacturer, um, in your supply chain. If you just offer a service using that camera, um, then it's not technically a new product.
So then you're, you're, you're not responsible for the, I mean, you're responsible for making sure that the product that you buy [00:14:00] has the CE marking, but your product is the service and not the product, right? So it's about products, about really hardware or software products, not about services.
There are other regulations for services.
Sean Martin: Okay, so there is a, it's literally tied to the physical piece, not the, any service around it, cloud service or things like that. Because it does speak to
Sarah Fluchs: You do have a product. So if you sell a camera as a, as an, um, as a manufacturer, if you have a camera and you have another cloud service or an app that is required to operate the camera, then that would be in scope of the CRA as well.
Sean Martin: Got it.
Sarah Fluchs: So everything, it's always the product as the consumer would, would understand it.
So, um, and the consumer doesn't care if you have a, um, cloud backend back there that does something for that, for you. If you have an app or something, it's just a camera that does something, and everything that's required to provide this [00:15:00] functionality of the camera or any surrounding services is in scope of the CRA.
If you are the manufacturer of the camera, absolutely.
Sean Martin: So, I'm gonna, I'm completely ignorant here, which is why I'm throwing all these questions out. You're doing great. Um, you mentioned supply chain. So, Does the, a component entering, I guess, does it have to be an end user facing product? Or can it be a B2B product, so part of the supply chain to build something bigger?
So let's say the lens on the camera being brought in and then used in a camera that's sold to the consumer. Does that, the manufacturer of the camera need to have a CE compliant component? Or a
Sarah Fluchs: So it really is for all components down the supply chain. So a pure lens probably [00:16:00] wouldn't be a product with a digital element, but if you take a computer, for example, um, then the computer has a CPU in it and it has, uh, maybe a camera in it. And maybe there are some, some other things that the manufacturer of the computer buys from another party.
And the CRA applies to all components and to the finished product. So, um, it would apply to everybody that supplies a part of the computer to the manufacturer of the computer, and it applies to the manufacturer of the computer that puts it all together into one product. So, the manufacturer of the computer basically has a due diligence to do to say, okay, I buy the CPU from someone else.
I need to make sure that they have the CE marking as well. Um, and it always depends on, and that's where it becomes tricky if you're just the manufacturer of the computer, it always depends on, um, on which market you place it, because the CRA only applies if you place a product on the European market.
So [00:17:00] if you, as the manufacturer of the computer, um, buy a CPU, um, from a manufacturer in, I don't know, some other country, and they don't sell it, um, on the European market, but you are the only, the first one who places it on the European market, you're technically the importer. And that's, that, that makes it difficult for computer manufacturers, for example, because really the CRA requirements trickle down to all components.
Um, so they have to do their due diligence and make sure that all components also comply. Um,
Sean Martin: Talk to me a little bit [00:18:00] about Who's checking? What are they checking? How are they checking? Are they looking at the manufacturing process? Are they looking at the The import thing? What's that whole world look like in terms of validation that this is actually going as they expect?
Sarah Fluchs: Well, technically, there's really a lot of things that nobody knows yet in detail, because nobody has done it yet. Um, there are some, um, it's called conformity assessment procedures that are defined. Um, and since the CRA is one of the, one of many regulations that we have, uh, under this new legislative framework for these harmonized EU requirements, they also have the same conformity assessment procedures.
So you can have a procedure. Um, there are different modules, um, that you can apply to do this conformity assessment. Um, and there are different [00:19:00] procedures that you can follow. Uh, which procedures you can follow depends on the type of your product. So there are, uh, products in the CRA, there are Annexes III and IV, that say, okay, um, you have important and critical products.
And if your product has certain characteristics, for example, if it's a hypervisor or a firewall or a smart card, then it qualifies as an, uh, important or critical product, and then your choice of procedures, or conformity assessment procedures, narrows down, um, because for these kinds of products, you need to have a third-party assessment, so really an external party that will come to your, to your place and check your technical documentation and your product, and whether you really do comply with the CRA. Otherwise, an internal assessment is sufficient.
So you have to check it internally and document that you checked it, so that if your market surveillance authority, um, [00:20:00] takes a look at all this, they can see that you actually checked it, that you comply. And then there are different modules, um, beyond these third-party and internal, there are different flavors of how you can, how you can prove compliance.
So, there is one flavor that says, okay, you don't have to check every product individually, but you can have like a, um, a pattern that says, okay, I usually build my products this way, and you have that checked. Or you can have a quality management system that also applies to your design process and your production process,
and then you have the quality management system checked. And then there's also a, um, European cybersecurity certification scheme underway that is currently being defined. Um, that's also going to play a big role, um, in the future in cybersecurity and for the CRA, because that's also going to be one way that conformity [00:21:00] can be checked.
So you obtain such a certificate, and then that counts as a conformity check. And that, of course, would also be a good, good way to do it efficiently, because, um, having third-party checks for all these products, even if it's only the important and critical products, it's just a huge scope and it's just a lot of products.
And that's probably going to be, um, a scarcity of external bodies that can actually do these conformity assessments.
Sean Martin: You mentioned a couple really important things there So it When, when I first think about this, I think of the, the final product. And it being resilient. But then there's that product in an environment, which we'll get into in a moment, that it, the environment needs to be resilient with that product operating in it.
But you mentioned earlier as well the, the quality process. So the, the manufacturing process, the [00:22:00] quality control process within the manufacturing process. And I know in the, in the U.S., uh, if you deliver something to, uh, to the Department of Defense, for example, you have to have a certification that doesn't just check the product.
It checks your team, it checks your build environment, it checks your quality process.
Sarah Fluchs: Processes. Yeah, that's right. So your vulnerability handling process and your production process and your design process. I mean, in the end, security by design is a lot about how you actually build security in during designing and producing a product. So that's always the one part of really having product characteristics:
is your stored data encrypted, or what kind of authentication do you have, things like that. And there are also these big process requirements where it says, okay, you need to consider security during your process. You need to have a process for continuous vulnerability checking, for example, so that you at least, um, [00:23:00]
uh, have a way of noticing if there are unpatched vulnerabilities in your product, for example. And then you need to have a process of really making these vulnerabilities known to your customers, advising them what to do with that. So all these things, uh, are things that you can't really see in a product, but that are in the, in the process surrounding this product.
And you also have to do a cybersecurity risk assessment. That's also something that you can't see in the product, but that's very essential in the CRA, because it really is the linchpin for a lot of cybersecurity decisions, where you can say, okay, based on the risk assessment, um, you can fine-tune how you meet certain requirements and also whether they apply.
Sean Martin: Does it, is the, does the objective include ensuring resilience for the manufacturing process? I'm thinking for key, key components that we use. Um, I don't know if this is just specifically for consumer [00:24:00] products, or, because I know we're going to talk about IT and, or I'm sorry, OT and critical infrastructure, which, things delivered into that space, have a big, big role in society, not just an individual perspective.
Sarah Fluchs: What do you say about the zones? What kind of zones
Sean Martin: Uh, does it speak to resilience of the
Sarah Fluchs: are resilient?
Sean Martin: of the manufacturing process? So, if something is important to be built and we need, we know we're going to need a lot of it, does it ensure that that manufacturing process is resilient so it can meet the needs of,
Sarah Fluchs: Well, see, I mean, that's a bit how it's different, how the CRA is different from, for example, NIS 2 or other critical infrastructure protection. It's not really about protecting the manufacturer. It's about protecting the customer of this manufacturer. So it is about, um, making sure in the design process that the product actually has the characteristics to protect the customer.
It is not about the resilience of the [00:25:00] production facility of the manufacturer. So that's not a target.
Sean Martin: Okay. Perfect. Perfect. So let's talk about, uh, I don't know if you have any view into how this is being accepted and how it's impacting manufacturers. Are they because they don't see teeth, they're not acting because they don't, it's not, I don't know, is it clear enough to actually act upon? Are there enough details in the, in the
Sarah Fluchs: Well, that's a lot
Sean Martin: one, two, three.
Sarah Fluchs: I think there's, I mean, you probably need to differentiate because for every regulation, there's a lot of people saying, um, criticizing it because of course it's work. And admittedly, the CRA really is. a lot of work and it is really concerning manufacturers because, um, they really see it's potentially revenue stream, stream disrupting.
So they can potentially not sell products anymore if they don't [00:26:00] comply or if they have a vulnerability in their product. And that is really something that worries them. Um, and also, um, I mean, you have to pull up more documentation than you had before. Um, there's always, the European Union is always, uh, under, um, attack for producing too much bureaucracy.
And then, of course, there's also one point of criticism, um, I need to say at this point, I mean, there is documentation, but I really don't see that there's unnecessary documentation in the CRA because some things, I mean, how are you going to check them if you don't document them? It's just, it just doesn't really work.
There's also a lot of debate and insecurity around the, um, requirements not being very specific, they're quite generic, I mean, the essential requirements in the CRA that's. It's just one and a half pages. So that's not really much. And it's really, it compared [00:27:00] to other regulation, uh, also other regulation for, for product, uh, safety.
For example, they have pages and pages like 30 to a hundred pages of detailed requirements in there. And compared to that, the security requirements are really generic. And that, of course, depending on. What you approach is to cyber security, that's good or bad news, um, because I mean, they leave a lot of leeway for interpretation and I think that's a good thing.
It's, it's better than suffocating companies in detailed requirements that you need to check and that wouldn't even be possible because the scope is so big. How are you actually going to work requirements that apply to this big kind of scope and these devices that are covered are so different. But of course, that's also one point of criticism and I mean, there are the harmonized standards.
That's also one thing that's typical about this kind of regulation in Europe: the legislation actually only has essential requirements. And then there are harmonized [00:28:00] standards that specify and concretize these requirements for different kinds of products. So as a comparison, for example, the machinery regulation, that is the same kind of regulation that applies to machinery, having safety requirements for machinery.
And recently some security requirements were added. They have more than 800 harmonized standards. So for every kind of machine that would be in the scope, there are different harmonized standards. So depending on if you have a crane or a tractor or whatever, you really have specified requirements.
And that's a bit what manufacturers are used to, and that's why they're understandably a bit taken aback by the CRA, which only has one and a half pages of requirements and no harmonized standards yet. And the European Commission has required European standardization organizations to pull up and to create these harmonized standards, but [00:29:00] there's only a really short time frame. It is really hard to produce standards in a certain quality in a consensus-based manner, how standards, international standards, need to be produced.
There are certain rounds where comments are collected and they need to be resolved, and everybody needs to be asked for their opinion, and all national bodies need to be able to comment, and things like that. It just takes time. So the harmonized standards for the majority of products are just not likely to be issued in time, and that of course is something that raises insecurity among manufacturers, because they don't really have a clear checklist, boxes to tick, to say, okay, I just have these requirements and I follow these and then I'm good. And that means that you have to do a lot of interpretation of the one and a half pages of requirements that are actually there. And I think that's not just a bad thing, but [00:30:00] it's a point of insecurity.
Sean Martin: Yeah. So a checklist is one thing. And it's something presumably, even if it's just a page and a half long of checklist and not 600 pages or 800 pages, whatever it might be, it's a checklist, right? So checklists would be good. But then when I think of this from a security perspective, and you mentioned the word vulnerability, a vulnerability assessment of the application or the product, there's no such thing as 100%.
So removing vulnerabilities isn't a checklist, in my opinion. It's a bar.
Sarah Fluchs: Right. Yeah. It's a...
Sean Martin: Who knows how that bar sits and what's important for a different product and who determines that. Has...
Sarah Fluchs: I...
Sean Martin: ...any thought or presentation?
Sarah Fluchs: ...a product on the market that's free of known and exploitable vulnerabilities. [00:31:00] That's pretty clear. This also was worrying...
Sean Martin: Okay, so, known.
Sarah Fluchs: ...many, many manufacturers. Yeah.
Sean Martin: So known vulnerability is clear, but introducing your own new ones is more likely the case. How does it address that? Does it address that?
Sarah Fluchs: ...that you're not producing more vulnerabilities in product, or...
Sean Martin: Yeah, is it addressing the potential, very likely potential, of new vulnerabilities being introduced that can be exploited? Or is it solely focused on known and keeping those out?
Sarah Fluchs: I mean, that's why you have these entire vulnerability handling requirements that really take up a big, big portion of the CRA requirements, for a reason, because obviously, I mean, you can securely design a product, you can have all the processes, you can have a risk assessment, and then it's really about following up on vulnerabilities that may become known, and they may not even be your [00:32:00] fault. I mean, if you have a product and you integrate someone else's product and that has a vulnerability in there, then you also have the vulnerability in your product and you need to do something about that. And that's why there are so many requirements on vulnerability handling. So you have to scan your product for vulnerabilities
in certain frequencies. You have to disclose vulnerabilities. You have to have a procedure for responsible disclosure, so if someone finds a vulnerability in your product, they can responsibly give that to you and provide you with time to fix it before you disclose it to the public. You have to, if there is an exploited vulnerability, so that would be more incident than vulnerability,
so you have knowledge of actual exploitation of your vulnerability in your product, you have to make that known to national security authorities and also to ENISA, [00:33:00] which is the European Security Authority. And you also have to notify your customers of vulnerabilities that you have in your product.
And you are also required, it's mandatory, to offer free security patches over the product's lifetime. And the lifetime, that was a point of discussion during CRA creation, because I mean, we have such a broad scope of products. What is a good lifetime for a product? I mean, do I have to ensure security updates for one year, five years, 10 years, 20 years?
It depends on the industry that you have there. And I think in the first draft it was five years, and nobody was happy with that, because on the one hand, consumer products said, okay, but sometimes our product isn't even used for five years. Take a good example, for example, [00:34:00] COVID warning apps or things like that, that we had only as long as the pandemic lasted, and then they weren't used anymore.
And in other cases, in industry, where I'm mostly working, I mean, they have life cycles of decades, so five years is nothing for a POC, for example, for a control system. And then it makes sense to have much longer lifespans. And now there's a compromise in there saying, okay, you need to determine your life cycle depending on the actual use of your product; you need to have good arguments for that.
And also the European Commission is probably going to put out some guidance on typical updating periods and lifespans for different kinds of products. And the minimum is five years, unless you can argue otherwise, for example, the COVID warning apps. [00:35:00] And you have to provide free updates over the course of this lifespan. I think it's really a game changer for customers, because it's not guaranteed so far, and that really makes a difference.
Sean Martin: Yeah. It's interesting, that scope as well. Obviously we're talking about the straightforward: ensure the product is secure and resilient. We talked about the process as well, but the disclosure of vulnerabilities, patching of vulnerabilities, reporting on incidents, there's a lot in the Act that's covered.
So you brought up...
Sarah Fluchs: I think that's what security people always like about the CRA. It really reads like a wishlist of security good practices. So it's really...
Sean Martin: ...program.
Sarah Fluchs: That's right. I mean, it's not absurd requirements. It's not like an endless list of requirements, but it really is what most security experts agree makes sense for product security. And also during [00:36:00] the creation of the CRA, there wasn't really any discussion on should we have these requirements or not. All the discussions were about details. So one member of the EU Commission even told me that they were surprised that the CRA was not political at all.
So there wasn't any debate on do we actually need this, or do we really have to put all these requirements in there, or can we put this requirement in or out. Mainly it was a discussion on application, on scope, of course, and on details. So like the lifespan. Open source was a big issue, because how do you ensure cybersecurity for open source products?
It's such a big category of products where you don't really have someone that you can make responsible, for example. So that was a big issue, but the core of the essential requirements wasn't really an issue. And I think it still isn't, because it really is what we all know needs to be done at some point, and [00:37:00] the supply chain attacks that we have seen in the past just show that it's about time that not just operators of products or critical infrastructures are responsible for security, because they can only be responsible to a certain extent, and then they don't come any further without their manufacturers. And that's why it's just the next logical step in the chain.
Sean Martin: Yep. We're coming up to the end here, but I want to quickly touch on that point on critical infrastructure and the OT environments that support them. What impact will this have on them? I can see a positive impact if it actually all comes together, because they're going to get more resilient products to run their infrastructures.
Hopefully I didn't cut out there.
Sarah Fluchs: There was a small glitch in the audio. What impact does this have on critical infrastructures? Did you say that?
Sean Martin: Yes.
Sarah Fluchs: Okay. Well, I mean, [00:38:00] obviously they're not directly impacted. It's not their regulation. And they're happy about that. For once, it's not their regulation, but someone else needs to do something.
What we see is that, I mean, with the CRA, what's also important to have in mind: one explicit goal of the CRA is also to make lives for critical infrastructure and these two operators easier, because they have acknowledged, I think also based on industry feedback, that it is really hard to be an operator if you have insecure components and to be responsible for cybersecurity.
So it's really also an intent to make cybersecurity easier for operators like this and for critical infrastructure operators. And I think the probably biggest visible change that they have is, one, the vulnerability process. That's [00:39:00] actually not normal nowadays, that they actually get information that there's a vulnerability and what they need to do. In the supply chain attacks and the things that we've seen before, there are huge differences between manufacturers: if they react at all if you tell them that there's a vulnerability, if they have any advisory, if they don't. So that's a big change.
And then the second big change that I think is underreported is that suddenly, with the CRA, for every product, customers have to get, it's called information and instructions to the user. So like a cybersecurity manual where all the relevant information for the user is put in. And for consumer products
it's probably just going to be another stack of paper that everybody throws away and nobody reads, but for critical infrastructure operators, that is really information that is valuable, because I can't recount the hours that I've spent on the phone on behalf of [00:40:00] infrastructure operators trying to get all this information from manufacturers that they are now forced to put into this information and instructions to the user.
It's just about the basic functionality, about protocols being used, about how does updating work, how can I switch from default updating to other updating processes, which risks did I actually consider and which risks didn't I consider? Because the critical infrastructure operators, they do have to do their own risk assessments.
So all information that they can get about risk assessments, about their components, helps them in doing their own risk assessments. So that really, I think, is going to make a difference, at least if manufacturers take this seriously. And that's also where I'm hoping for a bit of a competition between manufacturers doing that well or less well.
Sean Martin: Yes. Security is a competitive differentiator. Finally. Finally we'll probably see it. [00:41:00] Yeah, but I love this idea of don't just hard code the password, right? The admin and password. Make it, that's a security by design, secure by design thing. But then also document it and let people know they should change it in a manufacturing environment.
Sarah Fluchs: And of course it's documentation. It's boring. Nobody likes doing it, but there are efficient ways to do that. And it really makes such a big difference for end users of the product, especially if they are under regulation as well and if they need to prove that they have thought about cybersecurity as well, because they're getting asked the same questions in the end, and they're getting asked about their risk assessment.
So they need this information.
Sean Martin: I still have a gazillion questions, Sarah, but I think sadly we've run out of time. I wanted to talk about connection in this too, and GDPR perhaps, and, yeah, the role the end user has to play in support of all this. [00:42:00] But I don't know, maybe we can have another chat at some point and keep the conversation going.
You know so much about this. I'm thrilled to have had you on and enlighten me. I know something now, which is way more than I knew earlier this morning when we were preparing for this. So, Sarah, thank you so much for doing this work, thanks for joining me on the show. Any final thoughts that you want to share with the audience?
Sarah Fluchs: Oh, I think the biggest, most important thing about the CRA that I tell everybody who's approaching me nowadays, when we're talking about a lot of manufacturers, is: you don't have to be afraid of all this. I mean, every time I get in touch with the EU Commission and ask them questions and try to find out their intentions, they're trying to do the right things and the good things, and they're not going to chastise you for doing a small [00:43:00] detail wrong.
It's not about that. It's about doing the big picture right. And there's no need to panic about that, as long as you really care about cybersecurity.
Sean Martin: I think that's the key. Care about cybersecurity. Do the right thing from a cybersecurity perspective from the beginning. This becomes less of an issue.
Sarah Fluchs: That's awesome about the CRA, really. That's why I like the CRA, and what I always try to tell people: if you want to do things right for cybersecurity, you're also doing things right for the CRA. You don't have to do things just for compliance and checking boxes. And that's not normal for regulation.
It could be worse, much worse.
Sean Martin: Well, Sarah, you're fantastic. Thanks again for joining me, and we'll include links to the CRA resource and anything else Sarah thinks would be good reading or watching or listening for folks. And of course do stay tuned for more Redefining Cybersecurity. Subscribe, [00:44:00] share with your friends and enemies, and love you all.
We'll see you again on the next episode.
Sarah Fluchs: Thanks for having me.