Internet of Things (IoT)

ENISA Cyber Resilience Act Requirements Standards Mapping - Joint Research Centre & ENISA Joint Analysis

    Posted Apr 05, 2024 07:51:00 AM

    Hi All,

    ENISA just published Cyber Resilience Act Requirements Standards Mapping - Joint Research Centre & ENISA Joint Analysis

    To facilitate adoption of the CRA provisions, these requirements need to be translated into the form of harmonised standards, with which manufacturers can comply. In support of the standardisation effort, this study attempts to identify the most relevant existing cybersecurity standards for each CRA requirement, analyses the coverage already offered on the intended scope of the requirement and highlights possible gaps to be addressed.

    On 15 September 2022, the European Commission published the proposal for the Cyber Resilience Act (CRA) [1], a proposal for a first-ever EU-wide legislation of its kind, aimed at introducing mandatory cybersecurity requirements for products with digital elements throughout their lifecycle.

    The CRA proposal covers all products with digital elements put on the market which can be connected to a device or a network, including their building blocks (i.e., hardware and software) and also encompassing solutions provided in a Software as a Service (SaaS) fashion if they qualify as remote data processing solutions, as defined by Article 3(2) of the CRA proposal.

    The CRA proposal provides two sets of essential requirements:
    - Product cybersecurity requirements in Annex I, Section 1 of the CRA proposal
    - Vulnerability handling process requirements in Annex I, Section 2 of the CRA proposal

    These requirements should be the subject of a standardisation process by the European Standardisation Organizations (ESOs) to express them in the form of specifications in harmonised standards.

    The general principle is that for the products on the market, a self-assessment of compliance with the requirements specified in Annex I will be sufficient. For certain categories of more critical products, the application of harmonised standards will be required. For even more critical products, a third-party assessment will be mandatory.

    This report details the available standardisation outputs on the cybersecurity of products (hardware and software products, including hardware and software components of more complex products) carried out mainly by ESOs and international Standards Development Organizations (SDOs). Specifically, the study aims at presenting a mapping of the existing cybersecurity standards against the essential requirements listed in Annex I of the CRA proposal, along with a gap analysis between the mapped standards and the requirements. In view of the development of harmonised standards, this analysis offers a possible overview of the current coverage of the requirements by existing specifications, highlighting possible gaps that may be compensated by further standardisation work.

    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe