zlacker

1. chacha+(OP) 2023-12-30 22:11:32
There is a lot of talk about who this regulation is supposed to cover, but not a lot about what it actually requires if it covers you. The best I could find after a couple of quick searches was that you're supposed to provide information about the security mechanisms used and regular security updates over the lifetime of the product. Is there anything else? This doesn't sound terribly hard to comply with at first glance.
replies(3): >>transp+H1 >>Murome+56 >>Larisc+u6
2. transp+H1 2023-12-30 22:23:11
>>chacha+(OP)
One example from the BSA (Business Software Alliance) statement on an earlier draft of CRA, https://www.bsa.org/files/policy-filings/11012022eucra.pdf

   The CRA requires manufacturers to ensure vulnerabilities are handled effectively for the expected product lifetime or 5 years, whichever is shorter.
3. Murome+56 2023-12-30 23:00:56
>>chacha+(OP)
I guess you can read the text. EU legalese is quite approachable most of the time, and as a practitioner of the domain the regulation applies to, it should not be that hard to get the gist.
4. Larisc+u6 2023-12-30 23:02:53
>>chacha+(OP)
This is described in Annex IV, V and VI [1]. You must do a conformity assessment and provide a declaration of conformity. For non-critical software you can do the assessment yourself; see the first five points in Annex VI. The only thing that maybe requires a bit of effort is that you must write some technical documentation, including a cybersecurity risk assessment, during the assessment if you have not already done so. For critical software the process is of course a bit more involved, because it requires certification by a "notified body".

[1] https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...