CRA_ Secure Your Future before CRA Hits.pdf

MarioFahlandt 10 views 39 slides Sep 15, 2025

About This Presentation

The clock is ticking. With the vulnerability reporting deadline in Q3 2026 and the full weight of the Cyber Resilience Act hitting in December 2027, that's less time than you think to prepare for a seismic shift in digital product security.
Are you ready for the CRA? Spoiler: Most aren't.
A...


Slide Content

Stop Playing Catch-Up
Secure Your Future
Before the CRA Hits!
Public C1

WHOAMI?
Mario
Fahlandt
Customer Delivery Architect
Kubermatic
TAG Operational Resilience Co Chair
Kubernetes Co Chair SIG ContribEx
@mfahlandt

How it started

How it was going

What is the Cyber Resilience Act (CRA)?
The CRA is a landmark EU law representing a regulatory earthquake for digital products.

It establishes the first-ever horizontal cybersecurity rules for any "product with digital elements" sold in the EU market.

- “First of its Kind” Law
- Broad Scope
- Fundamental Responsibility Shift

The CRA Implementation Timeline
The CRA is being rolled out in phases. Understanding these dates is critical for planning.

- 10.12.2024: Act Enters into Force. The regulation is officially on the books, starting the transition period.
- 11.06.2026: Enforcement Infrastructure Ready. Rules on notifying and appointing conformity assessment bodies become applicable to Member States.
- 11.09.2026: Reporting Obligation Begins. The obligation for manufacturers to report actively exploited vulnerabilities and severe incidents to authorities within 24 hours comes into force.
- 11.12.2027: Full Enforcement. All provisions of the CRA become fully applicable. All new products placed on the EU market must be compliant and bear the CE marking.
- 11.06.2028: End of Transition for Existing Certificates. A transitional provision ends for existing EU type-examination certificates issued under other regulations.

You have 0 years 11 months and 30 days

The Market Failure Driving the CRA
The CRA is a direct response to a systemic market failure with staggering costs.

The market is flooded with products prioritizing speed over security, shipped with known flaws and no update mechanisms.

Events like the Log4Shell crisis demonstrated how a single flaw in an open-source component could create a global emergency.

The global annual cost of cybercrime was estimated at €5.5 trillion by 2021 and projected to hit $10.5 trillion by 2025.

Security by Design & Default
Two foundational principles that must be integrated into your development lifecycle

Security by Design
Cybersecurity is no longer an afterthought. It must be integrated from the earliest planning and development stages.

Security by Default
Products must be shipped with the most secure configuration out-of-the-box. This includes banning weak default passwords (e.g., "admin") and enabling automatic security updates.

Product Security
- No Known Exploitable Vulnerabilities
- Confidentiality & Integrity
- Access Control
- Resilience
- Attack Surface Minimization

Vulnerability Handling
CRA's requirements extend long after the sale:
- Systematic Management
- Remediate "Without Delay"
- Free Security Updates for Life
- Public Disclosure

"We are not affected!" / "Or maybe?" / "I mean technically…" / "Are we sure?" / "F***!!11"

Most are not Ready
While the CRA sets clear rules, the industry is facing a dangerous readiness gap.

Many organizations are operating with a false sense of security, dangerously underestimating the Act's complexity and urgency.

62%*
are either “not familiar at all” or only “slightly familiar” with the regulation
* Based on the CRA Survey by the Linux Foundation 2025 - https://www.linuxfoundation.org/research/cra-readiness

A Look at the Numbers
A Linux Foundation survey paints a sobering picture of industry readiness:
- 62% of companies report low familiarity with the CRA.
- 51% are uncertain about the compliance deadlines.
- 59% are unaware of the severe penalties for non-compliance.
- 42% haven't even determined if the CRA applies to their products.
https://www.linuxfoundation.org/research/cra-readiness

Am I Affected? The CRA's Reach into Europe
You sell "products with digital elements" (PDEs) in the EU, no matter if you are manufacturer, importer, or distributor.

Global Impact
If your products are available in the EU market (even through online sales), you must comply.

What is a PDE?
Almost any hardware or software that can connect directly or indirectly to a network.

Key Exclusions
The CRA does not apply to products already covered by specific, equivalent regulations, such as medical devices, aviation, and cars.

The High Cost of Inaction

Loss of Market Access
Market surveillance authorities can:
- Restrict or prohibit your product from being sold.
- Order an outright withdrawal or recall from all 27 EU member states.
TL;DR; No more sales in Europe

Financial Penalties
Fines for the most serious violations can reach up to €15 million OR 2.5% of your company's total worldwide annual turnover, whichever is higher.

Who is Liable? The Stewardship Dilemma

Manufacturers
- Bear primary responsibility for product compliance
- Required to perform due diligence on OSS components
- Subject to conformity assessments
- Liable for security over product life cycle

Open Source Software Stewards
- Lighter regulatory regime
- Focus on documented cybersecurity policies
- Voluntary vulnerability reporting
- Cooperation with market surveillance authorities

Individual developers, hobbyists, and researchers not monetizing their code: they have NO direct obligations under the CRA.

The Peril of Passive Consumption
Modern Apps have 90-96% open-source software.

46% of manufacturers passively rely on upstream OSS projects for security fixes.

Remember: Open Source Maintainers Owe You Nothing!
https://mikemcquaid.com/open-source-maintainers-owe-you-nothing/

The Open Source Arsenal for Compliance
The same open-source ecosystem that creates supply chain risk also provides a powerful arsenal of tools and methodologies for proactive compliance.
OSS still got you covered

The Great Inversion
The CRA legally inverts the traditional relationship between companies and OSS projects.

Old Way: Companies pressure volunteer maintainers to fix bugs.

New Way (CRA Mandate): Manufacturers are legally obligated to fix vulnerabilities in the OSS they use and report them back to the upstream project.

A New OSS Dynamic
This creates a powerful incentive to contribute fixes back, effectively creating an "army of paid engineers" to strengthen the entire open-source ecosystem.

The SBOM: Foundational Transparency
The Software Bill of Materials (SBOM) is the heart of the CRA's transparency mandate. It's the "list of ingredients for your software".

You create and maintain a detailed SBOM for your products in a machine-readable format like SPDX or CycloneDX.

SBOM Generation Tools
- Syft: Easy to use, flexible, and fast. Great for container images and source directories. Can output in SPDX and CycloneDX. github.com/anchore/syft
- TERN: Specialized for deep analysis of container images, providing a granular, layer-by-layer view. github.com/tern-tools/tern
- CycloneDX Generator: Official OWASP tool suite. Offers language-specific generators for high accuracy in ecosystems like Java, Node.js, and Python. github.com/CycloneDX/cdxgen
- SBOM Tool: Enterprise-ready and scalable. Integrates with ClearlyDefined to automatically add license information. github.com/microsoft/sbom-tool

Vulnerability Scanning: From Inventory to Insight
An SBOM tells you what you have.

Vulnerability scanning tells you if any of it is insecure.

The CRA requires you to ship products without "known exploitable vulnerabilities".

Automated vulnerability scanning throughout your development lifecycle is now essential.

OSS Vulnerability Scanning Toolkit

Software Composition Analysis (SCA)
- grype: The perfect partner to Syft. Scans SBOMs to find known CVEs. github.com/anchore/grype
- OWASP Dependency-Check: A long-standing tool, great for Java and .NET projects. github.com/dependency-check/DependencyCheck

Static Application Security Testing (SAST)
- Semgrep: fast, static analysis tool that searches code, finds bugs, and enforces secure guardrails and coding standards for 30+ languages. github.com/semgrep/semgrep

Dynamic Application Security Testing (DAST)
- OWASP ZAP: find security vulnerabilities in your web applications while you are developing and testing your applications. github.com/zaproxy/zaproxy

I don’t want to tell you - I told you - but heck:
1 year ago - same stage

DevSecOps
The next Cultural Shift

Source: https://9b74456f2e4bcbc20970-51751c7e8fb38e7c8b474cab6c7dc602.ssl.cf5.rackcdn.com/2021-11/devsec.png

I TOLD YOU SO!
youtube.com/watch?v=vP2TOfOtXBY

DevSecOps is Now Law
The path to scalable CRA compliance is powered through automation:
1. SBOM (Syft): Generate your inventory
2. SCAN (Grype): Analyze for known vulnerabilities
3. OpenVEX (Vulnerability Exploitability eXchange): Attest to the status of vulnerabilities (e.g., "not exploitable in our configuration")
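As an added example (not code from the talk, and not Syft's, Grype's or OpenVEX's own tooling), here is the SBOM, scan and VEX step of that pipeline in Python: a constructed CycloneDX SBOM, constructed grype-like findings with placeholder CVE ids, and a constructed OpenVEX document. The code applies the VEX statements, refuses a "not_affected" claim that carries no justification, treats findings on components missing from the SBOM as a stale inventory, and returns what still has to be remediated before the product can ship without known exploitable vulnerabilities.

```python
# Constructed CycloneDX-style SBOM, the "list of ingredients" Syft would produce (invented purls).
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "example-widget", "version": "1.4.0",
     "purl": "pkg:npm/example-widget@1.4.0"},
    {"type": "library", "name": "example-parser", "version": "2.0.1",
     "purl": "pkg:pypi/example-parser@2.0.1"}]}

# Constructed scanner matches in a grype-like shape (assumption: field names only approximate
# grype's JSON output). The CVE ids are placeholders, not real vulnerabilities.
FINDINGS = [
    {"vulnerability": {"id": "CVE-0000-0001"}, "artifact": {"purl": "pkg:npm/example-widget@1.4.0"}},
    {"vulnerability": {"id": "CVE-0000-0002"}, "artifact": {"purl": "pkg:pypi/example-parser@2.0.1"}},
    {"vulnerability": {"id": "CVE-0000-0003"}, "artifact": {"purl": "pkg:pypi/example-parser@2.0.1"}}]

# Constructed OpenVEX document: the manufacturer's attestation about the findings above.
VEX = {"@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://vex.example/doc-1",
       "author": "Example Product Security Team", "version": 1,
       "timestamp": "2025-09-15T00:00:00Z", "statements": [
           {"vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:npm/example-widget@1.4.0"}],
            "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
           {"vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:pypi/example-parser@2.0.1"}],
            "status": "affected", "action_statement": "upgrade to example-parser 2.1.0"}]}
SUPPRESSING = {"not_affected", "fixed"}  # only these VEX statuses close a scanner finding

def vex_index(vex):
    """Map (vulnerability id, product purl) -> statement; not_affected must be justified."""
    index = {}
    for st in vex["statements"]:
        if st["status"] == "not_affected" and not st.get("justification"):
            raise ValueError(f"{st['vulnerability']['name']}: not_affected without justification")
        for product in st["products"]:
            index[(st["vulnerability"]["name"], product["@id"])] = st
    return index

def triage(sbom, findings, vex):
    """Return (cve, purl, status) for every finding still open after applying the VEX data."""
    inventory = {c["purl"] for c in sbom["components"]}
    index = vex_index(vex)
    still_open = []
    for f in findings:
        cve, purl = f["vulnerability"]["id"], f["artifact"]["purl"]
        if purl not in inventory:  # a match outside the inventory means the SBOM is stale
            raise ValueError(f"{purl} is not in the SBOM")
        st = index.get((cve, purl))
        status = st["status"] if st else "under_investigation"  # untriaged until attested
        if status not in SUPPRESSING:
            still_open.append((cve, purl, status))
    return still_open
```

Calling `triage(SBOM, FINDINGS, VEX)` leaves the "affected" finding and the one nobody has attested yet; the "not_affected" one is closed only because its justification is present.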

Bonus Round: Understand your Supply Chain
A Graph for Understanding Artifact Composition. An OpenSSF project that aggregates security metadata (SBOMs, vulnerability reports, attestations) into a queryable graph database.

- Reactive: "Am I affected by the new Log4j vulnerability, and where?"
- Proactive: "Which of my most-used components have a poor OpenSSF Scorecard?"
- Compliance: "Show me all applications that are not SLSA compliant."

The Community Response: You Are not Alone
The open-source community has mobilized a massive, collaborative response to the CRA.

Key organizations like the Open Source Security Foundation (OpenSSF) and the Linux Foundation are leading the charge.

OSS Project Blueprints for Resilience
- OpenSSF Security Baseline: A checklist of 14 essential security measures inspired by the CRA. A great starting point for any project.
- OpenSSF Scorecard: An automated tool that assesses a project's security maturity, giving you a data-driven snapshot of risk.
- Guides and Case Studies: Practical advice and real-world examples from projects like Zephyr and Yocto on how they are adapting to the CRA.
https://openssf.org/projects/

Help OSS to help you! Get Involved!
Enroll your entire team in the free "Understanding the EU Cyber Resilience Act (LFEL1001)" course from the Linux Foundation.

Get Involved:
- https://openssf.org/getinvolved/
- https://clotributor.dev
- TAG Operational Resilience

Hire OSS Maintainers:
- https://gitjobs.dev/

Tl;Dr; or the “executive-level” slide
CONTRIBUTE TO OPEN SOURCE PROJECTS AND CREATE AN OSS STRATEGY!

1. Gauge Exposure & Classify Products: Audit your portfolio. Which products are in scope? What is their risk tier?
2. Conduct a Formal Gap Analysis: Use frameworks like OWASP SAMM to benchmark your current state against CRA requirements.
3. Develop a Compliance Roadmap: Create a time-bound plan that prioritizes gaps and assigns ownership. Aggressively adopt automation.
4. Engage with the Community: Join the working groups and take the free training. Figure out critical OSS projects and start contributing.
5. Form a Cross-Functional Task Force: this is a business transformation, not just an IT problem. Involve Legal, Engineering, Product, and Procurement.

Seize the Resilience Imperative
The Cyber Resilience Act is an unavoidable
It's an opportunity to build a more resilient, trustworthy, and profitable business.
Leverage the open-source arsenal, engage with the community and help to build a more secure OSS powered Europe.

Credits
Thank you!
Pictures used:
- Headshot by mydiscovery.biz
- Miłosz Klinowski on Unsplash
- Jayson Hinrichsen on Unsplash
- James Watson on Unsplash
- Lance Asper on Unsplash
- J W on Unsplash
- Maybe Meme
- Flaticon
Relevant Links & Sources:
- LF CRA Readiness Report
- Open Source Security Foundation
- BSI CRA
@mfahlandt