Maria Raphael Discusses CRA Framework Standard Development at Cyberstand.eu Webinar

18 Mar 2025
On February 26, 2025, Maria Raphael, Managing Director of Raphael Legal and Privacy Minders, participated as a speaker in the "Standardisation for the Cyber Resilience Act" webinar, co-organized by Cyberstand.eu, HSbooster.eu, and Stan4CR. The event provided crucial insights into the latest developments surrounding the Cyber Resilience Act (CRA) and the ongoing efforts in standardization.

With an audience of EU cybersecurity professionals, policymakers, and industry experts, the webinar aimed to clarify the progress of European Standardisation Organisations in addressing the CRA’s standardisation request. High-profile speakers, including Filipe Jones-Mourão from DG CONNECT and Lucia Lanfri from CEN-CENELEC, discussed the current status of CRA implementation, key working groups, and the expected timelines for developing both horizontal and vertical standards.

The CRA is a European regulation that establishes cybersecurity requirements for products with digital elements to ensure a high level of cybersecurity across the EU. The CRA introduces:
  1. Rules for market access – Digital products must meet cybersecurity requirements before being placed on the market.
  2. Security-by-design principles – Manufacturers must integrate cybersecurity measures into the design, development, and production of their products.
  3. Vulnerability handling obligations – Companies must implement and maintain processes to manage vulnerabilities throughout a product's lifecycle.
  4. Enforcement mechanisms – Market surveillance authorities will oversee compliance and impose penalties for non-conformity.
Maria Raphael informed the audience about the CRA's scope and rules, the different product categories provided for in the CRA, and the conformity assessment process corresponding to each product category, including Critical and Important Products, Class I and II.

Additionally, she discussed the work carried out by PT1 of CEN/CLC/JTC13/WG9 to develop standards under the first deliverable requested in the standardization request, for which she acts as one of the editors.

The scope of this first requested item is to serve as a framework covering all elements defined in Section 1 of Annex II of the standardization request. It sets out specifications for the design, development, and production of products with digital elements to ensure an appropriate level of cybersecurity based on the risks. Currently, the state of the art in cybersecurity for products with digital elements lacks a unified, comprehensive framework across the EU. Existing standards and regulations are often fragmented, with some covering specific sectors or aspects of cybersecurity but failing to address the entire lifecycle of these products. As a result, manufacturers face inconsistent requirements, and users experience varying levels of cybersecurity assurance, leading to vulnerabilities and a lack of transparency. The first requested item aims to facilitate consistency, implementability, and a harmonized approach among the requested deliverables.

A significant challenge lies in the requirement from the standardization request that vertical standards must ensure coherence with the requested horizontal deliverable. Our goal is to develop comprehensive cybersecurity principles that can be adopted by all verticals, without compromising the adaptability and flexibility specific to each standard. At the same time, we aim to ensure that all standards adhere to a foundational cybersecurity framework, maintaining consistency while respecting the unique needs of individual verticals. This approach strives to balance harmonization with flexibility, ensuring that each sector can tailor the framework to its own context while aligning with broader cybersecurity objectives.

Maria Raphael’s participation reaffirmed her expertise and commitment to the standardization of cybersecurity frameworks within the EU regulatory environment. As the Cyber Resilience Act progresses, her contributions to the dialogue on framework standard development will be instrumental in guiding compliance efforts and enhancing cybersecurity resilience across digital products and services in Europe.

For professionals and organizations looking to stay informed and engaged in CRA-related standardization, this webinar provided a valuable platform to understand the latest updates and avenues for contribution.

Watch the full webinar here: www.youtube.com/watch?v=XS02fQNh4b8&t=5s
 