Sign in
Sign In

INDUSTRY INITIATIVE

ei3 and OMAC release guide on EU CRA Act compliance best practices

Cyber attacks pose a significant threat to businesses, with projected damages reaching $10.5 trillion USD annually by 2025. The European Commission has responded with the Cyber Resilience Act (CRA), requiring compliance for all digital products sold in EU markets. Non-compliance penalties are severe, with fines up to 15,000,000 EUR or 2.5% of total annual turnover. To assist business leaders in navigating CRA compliance and mitigating associated risks, Adam Griffen, ei3’s Product Manager, led OMAC’s EU-CRA task force in collaboration with 18 industry experts to deliver an insightful executive report 

Through conducting thorough discussions and surveys, they offer practical insights and up-to-date information on various aspects of the CRA. Their collective expertise delves into critical areas such as the legislative progress and potential enactment timeline of the CRA, industries and entities affected by the CRA, guidelines on designing products for cybersecurity, establishing best practices, etc – ensuring organizations safeguard their products and customers.

EU CRA Compliance Report
PURCHASE THE DOCUMENT
DOWNLOAD FOR FREE (OMAC MEMBERS ONLY)

MAY 8, 2024 AT 2:00 PM ET

Attend Our Presentation on the CRA Act at the 2024 NPE Plastics Show

Adam Griffen, leader of the CRA task force and ei3 Product Manager, will share crucial insights and best practice recommendations from the guide at the upcoming NPE 2024: The Plastics Show.

Join us to deepen your understanding of industrial cybersecurity threats and help strengthen your organization’s cybersecurity initiatives.

PURCHASE THE DOCUMENT FROM OMAC

About the CRA Act Guide Document & Task Force

TOPICS

Essential Message

Sheds light on the rising threat of cyber attacks globally, which has resulted in the EU establishing the CRA with significant penalties for non-compliance.

CRA Executive Summary 

Outlines the CRA Act, highlighting how it applies to all products with digital elements, with set minimum security requirements and vulnerability handling procedures.

Current Status of the Legislation

Provides the latest information on the progress and potential enactment timeline of the CRA, ensuring businesses stay informed and prepared for compliance.

Businesses Impacted by the CRA

Highlights how compliance responsibilities extend throughout the product lifecycle, involving various economic operators in the supply chain, including the Manufacturer, Importer, Authorized Representative, and Distributor.

Security Properties of Products with Digital Elements

Provides insights into the design requirements for products to achieve an appropriate level of cybersecurity and emphasizes the importance of manufacturers in consistently updating documentation and delivering security updates.

Security Vulnerability Handling Procedures

Breaks down how manufacturers must promptly report security vulnerabilities to ENISA and provide necessary documentation, including a Software Bill of Materials (SWBOM).

Compliance Evidence and Certification Procedures

Describes the process of proving EU-CRA compliance and outlines what it entails, including providing evidence of adherence to product lifecycle and vulnerability handling processes.

Good Practices and Practical Guidance

Offers information on practical best practices for businesses as a whole, as well as product-specific insights for effective compliance and cyber resilience.

PARTICIPATING ORGANIZATIONS

This task force draws upon a diverse range of industry expertise, offering insights from machine builders, technology providers, system integrators, and end users. Participating organizations include:

  • Global OEM’s such as ID Technology, ProMach, Markem-Imaje, Rychiger Group, Mettler-Toledo
  • Leading Manufacturing Companies such as Corning, P&G, and Arla Foods
  • System Integrators like MartinCSI
  • Technology Companies like ei3 Corporation, Mitsubishi Electric, Cisco, Domino Printing Sciences, Siemens, and Rockwell Automation, and
  • Industry Associations like PMMI

Member Experiences

“The biggest issue here is the right balance between innovation and security. Right now the slider is too far to the innovation side. We need to slide it a bit toward security, without stifling innovation. That will be a delicate balance to strike.”
“A manufacturer should not release a product if there is a known security issue… Risk assessments should look to reduce the functional safety risk levels to 'tolerable risk' and avoid 'foreseeable' causes. There will always be some vulnerability with any product (known or unknown). In my opinion the objective should be to use due diligence to identify any vulnerabilities and then reduce these to tolerable levels.”
“Specialized skills and knowledge should be required to properly conduct cybersecurity risk assessments, as the risk assessments for industrial applications (OT) may differ from typical IT applications.”
“It is the responsibility of the party placing the device on the market to be aware of all vulnerabilities. But this legislation should encourage better communication mechanisms from component manufacturers to integrators to end users.”
“A manufacturer can place items like a PLC on the market which can be very secure when used correctly, but it is then the responsibility of the manufacturer selling the system which contains that component to follow all the instructions and place on the market a secure system”
Previous
Next

ei3 actively works with industry groups to encourage the use of the Industrial Internet of Things (IIoT) and Artificial Intelligence (AI) to meet the growth and sustainability challenges of the 21st century.

DISCOVER OUR INITIATIVES >
About ei3
Technology
No-code apps
Resources
Support
Get in touch

Contact Us +1.201.802.9080 contact@ei3.com

2 Blue Hill Plaza (HQ), Pearl River, NY 10965

All rights reserved by ei3 Corp. © 2024

Linkedin-in Youtube Twitter