Klaus Mochalski and Sarah Fluchs (admeritia) shed light on the Cyber Resilience Act. Learn why the CRA resolves a long-standing imbalance, why manufacturers will have new obligations in the future, and how operators can use the new law as a powerful tool to achieve NIS 2 compliance.
Sound Bites
Sarah Fluchs: “In principle, the CRA is the world’s first regulation that ensures manufacturers can no longer sell their products without a CBI. [...] That’s quite a bombshell, to start with.”
Klaus Mochalski: “[...] Until now, the [...] operators of systems were essentially responsible or were seen as responsible, and now that responsibility is shifting a bit toward the manufacturers. Is that an accurate way to put it? Is this really such a paradigm shift?”
Sarah Fluchs: “I would perhaps say it’s less of a shift and more of a correction of an imbalance. [...] The CRA is now straightening out this imbalance a bit and saying, okay, the manufacturers themselves also have an obligation, and that obligation lies primarily in the fact that they must share information on cybersecurity [...].”
Klaus Mochalski: “[...] What does that mean for plant operators? Do they now have to take new factors into account during procurement, project planning, and design [...] or does the responsibility now actually lie entirely with the manufacturers [...]?”
Sarah Fluchs: “Operators don’t have any obligations under the CRA for now—they already have enough obligations under NIS 2 and KRITIS [...]. I’d say they actually have an opportunity, because they suddenly have rights. So they can suddenly demand things from their manufacturers that the manufacturers are required to provide under the CRA anyway [...].”
Sarah Fluchs: “[...] It’s certainly not a bad idea to ask your suppliers where they actually stand with CRA compliance and how they actually plan to implement it, because there may well be changes to the product portfolio.”
Chapters
00:00 Introduction
06:01 The Cyber Resilience Act: Fundamentals and Significance
11:30 Debate on the CRA in the U.S. and Europe
15:05 Roles and Responsibilities
18:10 Opportunities for Operators
19:41 Relationship between the CRA and IEC 62443
22:38 Current Timeline and Challenges
26:39 Recommendations for Operators and Conclusion
Keywords
OT Security, Cyber Resilience Act, CRA, Data Models, AI, Regulation, Supply Chain, Industry 4.0, Security Standards, EU, USA