On October 10, 2024, the Council of the European Union passed the Cyber Resilience Act (CRA) and it includes #sbom. It's a significant move to enhance cybersecurity for connected products in the EU market.
The CRA sets EU-wide cybersecurity standards for digital products, including smart home appliances and IoT devices.
🔑 Key aspects of the CRA include:
✔️ Mandatory cybersecurity requirements for products based on risk classification.
✔️ CE marking to indicate compliance with CRA standards.
✔️ Vulnerability handling and reporting obligations.
Regarding Software Bill of Materials (SBOM) and vulnerability assessment:
✔️ Manufacturers must document the components contained in their products; this is done using a software bill of materials (SBOM).
✔️ The CRA mandates vulnerability reporting and handling processes, including establishing a single point of contact for vulnerability reporting.
✔️ Actively exploited vulnerabilities and severe incidents must be reported to designated Computer Security Incident Response Teams (CSIRTs) and the European Union Agency for Cybersecurity (ENISA).
If you're looking for ways to comply, we should talk.
Finite State's offerings align well with the CRA's requirements. The platform provides comprehensive software supply chain security solutions, including SBOM generation and management, vulnerability assessment, and continuous monitoring. These capabilities can help manufacturers comply with the CRA's documentation and vulnerability handling requirements, ensuring their products meet the necessary cybersecurity standards for the EU market.
The CRA will enter into force 20 days after its publication in the EU's Official Journal and will apply 36 months later, with some provisions taking effect earlier.