The Cyber Resilience Act: How the EU is Reshaping Digital Product Security | A Conversation with Sarah Fluchs | Redefining CyberSecurity with Sean Martin
⬥GUEST⬥
Sarah Fluchs, CTO at admeritia | CRA Expert Group at EU Commission | On LinkedIn: https://www.linkedin.com/in/sarah-fluchs/
⬥HOST⬥
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin
⬥EPISODE NOTES⬥
The European Commission’s Cyber Resilience Act (CRA) introduces a regulatory framework designed to improve the security of digital products sold within the European Union. In a recent episode of Redefining CyberSecurity, host Sean Martin spoke with Sarah Fluchs, Chief Technology Officer at admeritia and a member of the CRA expert group at the EU Commission. Fluchs, who has spent her career in industrial control system cybersecurity, offers critical insights into what the CRA means for manufacturers, retailers, and consumers.
A Broad Scope: More Than Just Industrial Automation
Unlike previous security regulations that focused on specific sectors, the CRA applies to virtually all digital products. Fluchs emphasizes that if a device is digital and sold in the EU, it likely falls under the CRA’s requirements. From smartwatches and baby monitors to firewalls and industrial control systems, the regulation covers a wide array of consumer and business-facing products.
The CRA also extends beyond just hardware—software and services required for product functionality (such as cloud-based components) are also in scope. This broad application is part of what makes the regulation so impactful. Manufacturers now face mandatory cybersecurity requirements that will shape product design, development, and post-sale support.
What the CRA Requires
The CRA introduces mandatory cybersecurity standards across the product lifecycle. Manufacturers will need to:
- Ensure products are free from known, exploitable vulnerabilities at the time of release.
- Implement security by design, considering cybersecurity from the earliest stages of product development.
- Provide security patches for the product’s defined lifecycle, with a minimum of five years unless justified otherwise.
- Maintain a vulnerability disclosure process, ensuring consumers and authorities are informed of security risks.
- Include cybersecurity documentation, requiring manufacturers to provide detailed security instructions to users.
Fluchs notes that these requirements align with established security best practices. For businesses already committed to cybersecurity, the CRA should feel like a structured extension of what they are already doing, rather than a disruptive change.
Compliance Challenges: No Detailed Checklist Yet
One of the biggest concerns among manufacturers is the lack of detailed compliance guidance. While other EU regulations provide extensive technical specifications, the CRA’s security requirements span just one and a half pages. This ambiguity is intentional—it allows flexibility across different industries—but it also creates uncertainty.
To address this, the EU will introduce harmonized standards to help manufacturers interpret the CRA. However, with tight deadlines, many of these standards may not be ready before enforcement begins. As a result, companies will need to conduct their own cybersecurity risk assessments and demonstrate due diligence in securing their products.
The Impact on Critical Infrastructure and Industrial Systems
While the CRA is not specifically a critical infrastructure regulation, it has major implications for industrial environments. Operators