• How are the mandatory requirements for manufacturers to be implemented?
  • The 8th CYBICS provides first-hand answers: A policy officer from the EU Commission in Brussels will explain the current status.
  • When and where: Frankfurt am Main, 28. November 2023 at the House of Logistics and Mobility (HOLM).

Duesseldorf / Frankfurt am Main, September 28th, 2023 – As the Cyber Resilience Act (CRA-E) comes into force, more questions are arising for manufacturers and distributors of smart devices. In the future, companies will be responsible for managing security risks – and the EU law provides drastic penalties, which can already imposed if deadlines are missed. The CYBICS conference (German language) will take place for the eighth time on November 28, 2023 – and for the second time this year it will be dedicated exclusively to the topic of cyber resilience and CRA-E. Under the title “Compliance, Security and Best Practices: the Cyber Resilience Act”, the conference will take plaece in Frankfurt am Main under the auspices of isits AG International School of IT Security together with partners such as the IoT/OT cybersecurity expert ONEKEY, representatives of the European Commission, experts from the certification body Bureau Veritas and from CERT@VDE. The CYBICS keynote will be given by a policy officer from the European Commission, who will provide an update on the CRA-E as a representative of the Brussels authorities. All representatives from business and industry are invited, as in the future all companies will also have to comply with the rules and requirements of the CRA-E when manufacturing and marketing electronic products.

High requirements, fast implementation

For the first time, the Cyber Resilience Act shifts responsibility for the secure operation of devices with digital elements – from mass-market items such as smart watches to routers, access control systems, printers and industrial control systems – from users to manufacturers. “Network operators will continue to be responsible for their security. But device manufacturers and vendors will have to meet much stricter requirements at the design and marketing stages. This applies not only to IT security itself, but also to processes and reporting requirements. At the moment, there is a lot of uncertainty in the business community because, in addition to EU legislation, coordination with local authorities is still outstanding. However, this should not lead to any delays, as the CRA-E will become effective in all EU countries immediately after its final adoption,” says Jan Wendenburg, CEO of CYBICS’s co-organiser ONEKEY. ONEKEY is Europe’s leading provider of automated product cybersecurity and compliance solutions, and operates a highly automated analysis and management platform (PCCP) that helps manufacturers of smart devices and equipment meet the upcoming requirements of the EU Commission’s Cyber Resilience Act, and is already capable of analysing the individual software components of a device in detail and assessing them for risk.

High level of interest in the industry

This huge paradigm shift in regulatory requirements is accompanied by growing uncertainty. CRA-E is a potential source of conflict in many areas, not least in relation to open source software used in devices and their firmware. “Few issues have generated as much resonance and discussion among manufacturers over the past decade as the new EU legislation surrounding the Cyber Resilience Act. As the organisers, we are responding to this need with a second CYBICS conference later this year to provide manufacturers with concrete guidelines and support that are already geared towards practical use in companies,” says Birgitte Baardseth of isits AG International School of IT Security, which is organising the event together with renowned partners such as CERT@VDE, experts from the EU Commission and the cyber resilience experts from ONEKEY.