Awareness on IoT cybersecurity and CRA compliance

Connected-device cybersecurity and CRA compliance

Objectives

The primary goal of this training is first to instill the fundamental principles of cybersecurity. It then introduces the RED Directive and its harmonized standard EN 18031. In addition, the ETSI EN 303 645 standard, its implementation guide ETSI TR 103 621, and the evaluation methodology ETSI TS 103 701 are presented, so that you are best prepared to certify your product against the standard of your choice.

Day 1

  • Introduction to the CRA and the European Regulatory Context
    • General Introduction
      • Cybersecurity: threat, risk, vulnerability, safety vs. security, 10 common vulnerabilities
    • Origin of the Cyber Resilience Act: from the “Cybersecurity Strategy 2020” plan to Regulation 2024/2847
    • EU Declaration of Conformity and CE marking
    • Associated regulatory ecosystem
      • RED Directive (Art. 3.3 d/e/f)
      • NIS2 Directive
      • Machinery Regulation
    • Key objectives of the CRA:
      • Security by design
      • Continuous updates
      • Accountability of manufacturers
    • Horizontal and vertical standards
      • Role of standards in demonstrating conformity


  • Scope, Definitions, and Special Cases
    • Definition: “Product Containing Digital Elements”
      • Hardware, firmware, standalone software, SaaS
    • Types of Connections
      • Direct / indirect / logical / physical connections
    • Special Interpretation Cases
      • Embedded firmware without IP interface
      • Cloud platforms or SaaS
      • Pure software products and open source
    • Market Placement and Availability
    • Responsibility: Manufacturer, integrator, subcontractor, OEM/ODM


  • CRA Compliance Cycle and Obligation Management
    • Timeline:
      • Design → Risk Analysis → Market Placement → Support → End of Life
    • Obligations by Actor:
      • Manufacturer / Importer / Distributor
    • Support management (≥ 5 years or product lifetime)
    • Notification to ENISA/CSIRT (Art. 14) and reporting conditions
    • Compliance monitoring and market surveillance (MSA)


Day 2

  • Product Classification and Assessment Modules
    • Distinction Between the Three Categories Defined by the CRA:
      • Standard Products
      • Important Products
      • Critical Products
    • “Core Functionality” Logic:
      • Multifunction product vs. single-primary-function product
      • Impact on the choice of assessment module
    • Link between product classification, risk analysis, and supporting documentation


  • Essential Requirements of the CRA – Annex I
    • Part I – Product Security: Requirements + Standard References
      • Authentication, integrity, data protection, logging, confidentiality
    • Part II – Vulnerability Management: Requirements + Standard References
      • Patch and notification processes


  • CRA Risk Analysis Methodology
    • Alignment with IEC 62443-4-1 (Secure SDLC Cycle)
    • Alignment with PR40000-1-2
    • Product-specific Threat Analysis
      • STRIDE, EBIOS, TARA
    • Link Between Risks and Annex I Requirements

No experience in in-car safety is required. However, some knowledge of automotive infrastructure is desirable. If attending remotely:

• Stable internet access via Ethernet or Wi-Fi with a good data rate (1.2 Mb/s downstream minimum is recommended).

• A PC or Mac with Microsoft Teams installed and unrestricted access to the internet.

This training is intended for professionals working in the field of connected products, particularly those involved in projects that must comply with new European cybersecurity regulations such as the Cyber Resilience Act. It can also be delivered to participants with no prior knowledge of cybersecurity, including management teams or quality departments.

Expert in IoT and embedded cybersecurity.

  • PowerPoint presentation
  • Interactive web platform (Klaxoon)

Assessments at the beginning and end of the course, quizzes, etc.

5 working days before the course start date (if financed by OPCO).

A training certificate complying with the provisions of Article L. 6353-1 paragraph 2 is issued to the trainee.

AMONG OUR TRAINING COURSES

Web Application Security Angular/Spring OWASP Top 10:2021

Rail cybersecurity and compliance – TS 50701

Contact us