DeepSec 2024 Talk: “EU Cyber Resilience Act” – Maintain control and not just liability for your products – Michael Walser
The new EU Directive EU 2019/1020, also known as the “Cyber Resilience Act” or “CRA” for short, defines new rules for manufacturers of hardware and software with “digital elements”. For device manufacturers in the medical, industrial and entertainment sectors, the time to act is now. Security updates, vulnerabilities and an extended duty of care for the life cycle are now enforced by law. However, producing hardware such as IoT devices poses new challenges. What many do not know: many vulnerabilities are caused by physics and are not “bugs” in the conventional sense. As part of the “DeepSec Secure Coding” series, we put the spotlight on the challenges of developing secure hardware and show the vulnerabilities using an example implementation of a bootloader for embedded systems. How to keep control over updates? What is “Secure