The Cyber Resilience Act (CRA) is the EU’s new regulation aiming to make digital products — both hardware and software — more secure by design and throughout their lifecycle. It applies to nearly every connected product on the EU market, from smart fridges to SaaS platforms.
But what exactly counts as a “product with digital elements”? What are “essential cybersecurity requirements”? And how does this affect manufacturers, importers, or devs working with open-source?
This thread is for sharing what we understand (or don’t!) about the scope, goals, and implications of the CRA. Feel free to drop your own definition, key takeaways, or burning questions.
Hello,
although we haven’t yet assessed the impact of the CRA on our product and processes, we’re a company making medical equipment and need to comply with UL 2900-2-1 and pass a design review by the FDA.
They have the following guidelines: “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (https://www.fda.gov/media/119933/download).
For these it would be nice if Balena had a report of some kind that addresses them for everything that is Balena specific: balenaOS, the Supervisor and the communication between device and cloud.
One important deliverable is an SBOM, which I believe is also mentioned in the Cybersecurity Resilience Act. A useful article can be found here: Medical Device SBOMs: Best Practices, FAQs, and Examples
This may be different for OEM manufacturers providing components that are not classified as a medical device but as a product with digital elements.
Our current efforts are not focused on medical devices, and the assessment of balenaOS, the balena Supervisor and the rest of the included systems and communication paths has to be done by the user of our offering for usage in medical devices.
Thanks for opening the discussion, and sorry for not being able to proceed with details about this application type.
You’re right, sorry for neglecting the SBOM part of your question.
We are currently researching automatic generation of SBOMs for our products. We’re going to follow existing (open source) standard processes and formats to provide SBOMs, but we are not able to assess whether the delivered SBOMs will be sufficient for medical device cybersecurity requirements.
Do you already have a particular format and process for SBOM generation in mind? What would you expect?
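On the "what format and process would you expect" question: the NTIA minimum elements for an SBOM (supplier, component name, version, a unique identifier, dependency relationships, SBOM author and timestamp) are the baseline the FDA premarket guidance linked above points to, and both SPDX and CycloneDX can carry them. The Python below is an added illustration for this thread, not balena code and not the generator balena is researching. It assembles a CycloneDX 1.5 JSON document from a constructed component list and then checks every component against those minimum elements, so a downstream medical device manufacturer can see immediately which entries an upstream SBOM would leave them to fill in. The package names, versions, purls and the root product name are made up for the example.

```python
"""Build a CycloneDX 1.5 JSON SBOM from a constructed component list and check
it against the NTIA minimum elements. Added example, not balena's tooling."""
import json
from datetime import datetime, timezone

# Constructed sample inventory. Names, versions and purls are hypothetical.
SAMPLE_COMPONENTS = [
    {"name": "openssl", "version": "3.0.13", "supplier": "OpenSSL Project",
     "purl": "pkg:generic/openssl@3.0.13", "depends_on": []},
    {"name": "curl", "version": "8.5.0", "supplier": "curl project",
     "purl": "pkg:generic/curl@8.5.0", "depends_on": ["openssl"]},
    # Deliberately incomplete entry, as a vendored binary blob often is:
    # no version, no supplier, no unique identifier.
    {"name": "vendor-blob", "version": "", "supplier": "",
     "purl": "", "depends_on": []},
]


def build_cyclonedx(components, root_name, root_version, author, timestamp=None):
    """Serialise component records into a CycloneDX 1.5 JSON-compatible dict.

    The root product (e.g. an OS image) is recorded as metadata.component and
    is declared to depend on every listed component; each component's own
    depends_on list becomes a 'dependencies' entry keyed by bom-ref."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    root_ref = f"{root_name}@{root_version}"
    # bom-ref: prefer the purl; fall back to name@version so the graph stays valid.
    refs = {c["name"]: (c["purl"] or f"{c['name']}@{c['version'] or 'unknown'}")
            for c in components}
    comps = []
    for c in components:
        entry = {"type": "library", "bom-ref": refs[c["name"]], "name": c["name"]}
        if c["version"]:
            entry["version"] = c["version"]
        if c["supplier"]:
            entry["supplier"] = {"name": c["supplier"]}
        if c["purl"]:
            entry["purl"] = c["purl"]
        comps.append(entry)
    deps = [{"ref": root_ref, "dependsOn": [refs[c["name"]] for c in components]}]
    for c in components:
        deps.append({"ref": refs[c["name"]],
                     "dependsOn": [refs[d] for d in c["depends_on"]]})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": ts,
            "authors": [{"name": author}],
            "component": {"type": "operating-system", "bom-ref": root_ref,
                          "name": root_name, "version": root_version},
        },
        "components": comps,
        "dependencies": deps,
    }


def ntia_minimum_gaps(bom):
    """Return human-readable gaps against the NTIA minimum elements.

    An empty list means the document carries author and timestamp and every
    component has a name, version, supplier, unique identifier (purl or cpe)
    and a recorded dependency relationship."""
    gaps = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata: missing timestamp")
    if not meta.get("authors"):
        gaps.append("metadata: missing SBOM author")
    declared = {d.get("ref") for d in bom.get("dependencies", [])}
    for comp in bom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            gaps.append("component: missing name")
        if not comp.get("version"):
            gaps.append(f"{label}: missing version")
        if not comp.get("supplier", {}).get("name"):
            gaps.append(f"{label}: missing supplier")
        if not (comp.get("purl") or comp.get("cpe")):
            gaps.append(f"{label}: missing unique identifier (purl/cpe)")
        if comp.get("bom-ref") not in declared:
            gaps.append(f"{label}: no dependency relationship recorded")
    return gaps


def to_json(bom):
    """Render the SBOM as the JSON text a consumer would actually receive."""
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    bom = build_cyclonedx(SAMPLE_COMPONENTS, "example-os", "1.0.0", "Example Vendor")
    print(to_json(bom))
    for gap in ntia_minimum_gaps(bom):
        print("GAP:", gap)
```

Running it prints the SBOM followed by three gaps, all for the vendor-blob entry. The point for a medical device integrator is that the gap check is what they would run on whatever upstream SBOM they receive; the fields it flags are exactly the ones they would have to source themselves for a premarket submission.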