What is the Cyber Resilience Act and why should we care?

The Cyber Resilience Act (CRA) is the EU’s new regulation aiming to make digital products — both hardware and software — more secure by design and throughout their lifecycle. It applies to nearly every connected product on the EU market, from smart fridges to SaaS platforms.

But what exactly counts as a “product with digital elements”? What are “essential cybersecurity requirements”? And how does this affect manufacturers, importers, or devs working with open-source?

This thread is for sharing what we understand (or don’t!) about the scope, goals, and implications of the CRA. Feel free to drop your own definition, key takeaways, or burning questions.

Hello,
Although we haven’t yet assessed the impact of the CRA on our product and processes, we’re a company making medical equipment and need to comply with UL2900-2-1 and pass a design review by the FDA.
They have the following guidelines: “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (https://www.fda.gov/media/119933/download).
For these it would be nice if Balena had a report of some kind that addresses these for everything which is Balena-specific: the BalenaOS, the Supervisor and the communication between device and cloud.
One important deliverable is an SBOM, which I believe is also mentioned in the Cybersecurity Resilience Act. A useful article can be found here: Medical Device SBOMs: Best Practices, FAQs, and Examples

Happy to discuss further,
Bart


Hi Bart,

Interesting application. We’re currently focussed on the CRA as it’s regulating new markets and industries. Medical devices have been regulated by the MDR (Regulation 2017/745, Medical Device Regulation, EUR-Lex) since 2017, with special cybersecurity requirements since 2019, and are not in scope of the CRA: https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng#rct_25

This may be different for OEM manufacturers providing components that are not classified as a medical device but as a product with digital elements.

Our current efforts are not focussing on medical devices, and the assessment of balenaOS, the balena supervisor and the rest of the included systems and communication paths has to be done by the user of our offering for usage in medical devices.

Thanks for opening the discussion, and sorry for not being able to proceed with details about this application type.

Harald


Hi Harald,

One overlapping part is the SBOM, which is a deliverable for both regulations.
So this is certainly something that we would expect from Balena.

regards,
Bart

Hi Bart,

You’re right, sorry for neglecting the SBOM part of your question.

We are currently researching automatic generation of SBOMs for our products. We’re going to follow existing (open source) standard processes and formats to provide SBOMs. But we are not able to assess if the delivered SBOMs will be sufficient for medical device cybersecurity requirements.

Do you already have a particular format and process for SBOM generation? What would you expect?

Thanks
Harald


Hi Harald,

We would prefer an SBOM in CycloneDX format.

regards,
Bart
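As an added illustration of what the CycloneDX SBOM discussed in this thread looks like and what a receiving party typically checks before accepting it, here is a small Python example. It is not balena's code or SBOM tooling; the component list, product name, versions and hashes are constructed for illustration only, and the "minimum elements" checks (a named top-level product, and a name, version, package URL and integrity hash for every component) are the author's own reading of common SBOM expectations, not a quotation from UL 2900-2-1, the FDA guidance or the CRA.

```python
"""Minimal CycloneDX 1.5 (JSON) SBOM builder and completeness check.

Constructed example: the inventory below is made up and does not describe
any real product, balenaOS release or supervisor build.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample inventory: (name, version, purl package type, sha256 hex)
SAMPLE_COMPONENTS = [
    ("openssl", "3.0.13", "generic", "a" * 64),
    ("busybox", "1.36.1", "generic", "b" * 64),
    ("python3", "3.11.9", "generic", "c" * 64),
]


def make_purl(pkg_type, name, version):
    """Build a package URL of the form pkg:<type>/<name>@<version>."""
    return f"pkg:{pkg_type}/{name}@{version}"


def build_sbom(product_name, product_version, components):
    """Return a CycloneDX 1.5 BOM as a dict ready for json.dumps().

    `components` is an iterable of (name, version, pkg_type, sha256) tuples.
    """
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            # The product the BOM describes (here: a hypothetical OS image).
            "component": {
                "type": "operating-system",
                "name": product_name,
                "version": product_version,
            },
        },
        "components": [],
    }
    for name, version, pkg_type, sha256 in components:
        bom["components"].append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": make_purl(pkg_type, name, version),
            "hashes": [{"alg": "SHA-256", "content": sha256}],
        })
    return bom


def check_sbom(bom):
    """Return a list of problems; an empty list means the BOM passed.

    Assumed minimum-elements checks: identifiable top-level product, and each
    component carrying a name, version, unique identifier (purl) and a hash
    so the recipient can match it against vulnerability data and verify it.
    """
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if "specVersion" not in bom:
        problems.append("missing specVersion")
    meta = bom.get("metadata", {}).get("component", {})
    for field in ("name", "version"):
        if not meta.get(field):
            problems.append(f"metadata.component missing {field}")
    for i, comp in enumerate(bom.get("components", [])):
        label = comp.get("name") or f"component[{i}]"
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                problems.append(f"{label}: missing {field}")
        if not comp.get("hashes"):
            problems.append(f"{label}: no integrity hash")
    return problems


if __name__ == "__main__":
    sbom = build_sbom("example-device-os", "2024.1.0", SAMPLE_COMPONENTS)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_sbom(sbom))
```

The check function is the part worth keeping around on the receiving side: run it over every SBOM a supplier delivers, and treat a component without a version or purl as a gap to raise with the supplier, since such an entry cannot be matched against vulnerability advisories later in the product's lifecycle.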