The EU CRA is nearing completion. Here are a few excerpts that may be of interest to the SPDX community:
Product security requirements

Cybersecurity Risk Assessments: Manufacturers must undertake a cybersecurity risk assessment associated with the PDE. The risk assessment must be updated during the support period and taken into account throughout the product life cycle [Art. 10.2].

Vulnerability Management: PDEs must be made available on the market without known exploitable vulnerabilities, provide security updates for vulnerabilities without delay, and publicly disclose remediated vulnerabilities [Art. 10.6; Annex I Part I (3)(a), Part II (4)]. Security updates must remain available for a minimum of 10 years or the remainder of the support period, whichever is longer [Art. 10.6a]. Manufacturers must document relevant product vulnerabilities they become aware of [Art. 10.5].

Support Period: The support period for PDEs shall correspond to the expected use time, but must otherwise be at least five years [Art. 10.6]. The end of the support period, including the month and year, must be accessible to users at the time of purchase [Art. 10.10a].

Software Bill of Materials (SBOM): Manufacturers must identify and document product components and vulnerabilities, including by drawing up a software bill of materials (SBOM) of at least the top-level dependencies of the product [Annex I, Part II(1)]. The SBOM does not have to be made publicly available [Recital 37].

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report!™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: Venable LLP <[email protected]>
Sent: Tuesday, January 23, 2024 11:19 AM
To: [email protected]
Subject: Preparing for the EU Cyber Resilience Act

Cybersecurity Update

Preparing for the EU Cyber Resilience Act

The European Union (EU) is poised to enact the Cyber Resilience Act (CRA), a comprehensive cybersecurity regulation with major implications for software and connected device manufacturers in the United States and globally. The CRA is intended to establish baseline product security regulations across the supply chain, covering product life cycles from development to retirement. The regulation will apply to a wide range of software and connected devices sold within the EU, irrespective of where they are manufactured. Organizations should prepare now by reviewing their upcoming CRA compliance obligations and begin incorporating the extensive legal, technical, and administrative processes before the enforcement deadline. This post provides an overview of the CRA and its key requirements for manufacturers, importers, and distributors. Citations in brackets to the regulation text are provided for ease of reference.
Authors: Harley Geiger, Counsel; Alex Botting, Senior Director, Global Security and Technology Strategy

© 2024 Venable LLP. This email is published by the law firm Venable LLP. It is not intended to provide legal advice or opinion. ATTORNEY ADVERTISING.
View/Reply Online (#5499): https://lists.spdx.org/g/Spdx-tech/message/5499
