Cyber Resilience Act – Basics and Implementation
This training is primarily aimed at manufacturers of products with digital elements that fall within the scope of the EU Cyber Resilience Act (CRA).
After positioning the CRA within the legal framework of other EU regulations and directives, as well as national laws, the training covers the requirements for products with digital elements mandated by the CRA, as well as the requirements for manufacturers’ processes for handling vulnerabilities. Furthermore, the obligations imposed on manufacturers by the regulation are addressed. These include, in particular, reporting obligations, as well as requirements regarding technical documentation and conformity assessment.
Once the legal requirements have been clarified, the training focuses on practical implementation, showing how to comply with the CRA and meet the state-of-the-art requirements. This is achieved primarily through the use of processes and measures from international standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27034, and ISO/IEC 27035, as well as guidance from the German Federal Office for Information Security (BSI) and the National Institute of Standards and Technology (NIST).
Is your company already familiar with the CRA and the associated deadlines?
10.12.2024 – Entry into force of the regulation
11.06.2026 – Start of requirements for conformity assessment bodies (Chapter IV)
11.09.2026 – Start of reporting obligations for manufacturers regarding vulnerabilities and security incidents (Article 14)
11.12.2027 – Full applicability of the CRA – all requirements must be met for new products
Training Content Overview
The course provides a comprehensive introduction to the Cyber Resilience Act, covering:
• Legal basis, legal context & scope of the CRA
– Relevant deadlines & transitional periods
– Economic operators affected by the regulation
– Products and product classes in scope and those explicitly excluded
• Cybersecurity requirements for products with digital elements
– Basic and essential cybersecurity requirements
– Secure configuration requirements
– Essential requirements for handling vulnerabilities
– Obligations for manufacturers, including:
- Design, development & manufacturing in line with cybersecurity requirements
- Technical documentation & user instructions
- Conformity assessment
• Information and transparency obligations
– Managing third-party components & software bills of materials (SBOM)
– Handling vulnerabilities & security updates
– Reporting obligations
– Relevant authorities & interactions with them
• Obligations for other actors in the supply chain
– When manufacturer obligations apply to distributors, importers, or other economic operators
– EU Commission guidance and general obligations (e.g., confidentiality)
– Potential sanctions
• Practical implementation guidance based on international and national standards
– Secure development processes
– Risk assessment & threat modeling
– Secure design & secure configuration
– Incident management, logging & monitoring
– Vulnerability management & disclosure practices
- Overview of the contents and objectives of the Cyber Resilience Act
- Practical implementation aids for CE marking
- Concrete recommendations for action for manufacturers, importers and distributors
- Current information on deadlines and transitional regulations
- Exchange with experts and industry colleagues
Specialists and executives from the fields of product development, quality management, regulatory affairs, IT security as well as manufacturers, importers and distributors of digital products sold in the EU.
Certificate of attendance from TÜV SÜD Academy
This training is being operated by TÜV SÜD Akademie GmbH in Germany. The General Terms and Conditions as well as the Privacy Notice of TÜV SÜD Akademie GmbH apply. In case of any questions, do not hesitate to contact us.
