EU CRA Consulting

Products with digital elements entering the European Union (EU) market will soon need to comply with the Cybersecurity Resilience Act (CRA). The Act's goal is to place on the market products that are secure by design, and to enable consumers to take cybersecurity into account during product selection.

Our services

intWave performs the necessary cybersecurity risk assessments, gap analysis and security testing to cover CRA cybersecurity requirements, based on the information that is available today. Through our expert guidance, product teams remain up-to-date on CRA developments, and build resilient controls faster, based on state-of-the-art solutions. Moreover, once the relevant Harmonized Standards become available, intWave can prepare the required Technical Documentation to support a self-assessment (or other type of assessment) of the product for CE marking purposes.

Deliverables

  • Briefing on CRA requirements and developments
  • SDLC Gap Analysis based on CRA requirements
  • Product Gap Analysis based on CRA requirements
  • Product Threat Model and Risk Assessment
  • Establishment of a process for the tracking of Components (SBOM, CBOM and HBOM) and Vulnerabilities
  • Device Security Testing report
  • Product Security Documentation (Due Diligence for Third Party Components, Vulnerability Reporting Template, Security Architecture Document, Incident and Vulnerability Handling Policy, Security Update Management Policy)
  • Technical Documentation based on Harmonized Standards

Other related services

  • Consulting for the setup of SCA, SAST, DAST and Fuzz Testing tools.
  • Secure Development Training on programming languages / technologies used by the development team.
  • Training on Threat Modeling to incorporate Threat Modeling into the requirements analysis phase of projects.
  • Technology Fitness Reviews to help replace non-conformant components.
  • Secure Product Design to help implement new secure-by-design mechanisms.
  • Security R&D to obtain prototypes of non-trivial security features in hardware or software.
  • Source Code Auditing to review the source code of product feature sets.
  • Web, Mobile and Desktop Application Security Testing to examine the security of applications from the product ecosystem.
  • Assumed Breach exercise to examine the effectiveness of the product defense-in-depth strategy when certain product elements have been compromised.

Benefits

  • Preparation for Product CE Certification per CRA requirements.
  • Development of products that are secure by design.
  • Establishment of a process to document product components (software, hardware, cryptography) and to trace related vulnerabilities.
  • Documentation of cybersecurity threats affecting the product design.
  • Risk Assessment and Gap Analysis against CRA requirements.
  • In-depth examination of product implementation for vulnerabilities (in hardware, software and communications).
  • Expert guidance on issue remediation and component replacement.
  • Validation of implemented controls per appropriateness, functional completeness and functional sufficiency through security testing.
  • Drafting of required Technical Documentation by cybersecurity experts.
  • Expert guidance on complex implementations such as secure storage, secure firmware update and secure boot mechanisms.
  • Efficient project management with bi-weekly updates and integration with client task management tools.
Schedule a meeting