OpenSSF's CRob: 'The Runway Is Rapidly Running Out' on EU CRA Readiness - DevOps.com
Briefly

The EU Cyber Resilience Act begins enforcement in September and imposes mandatory cybersecurity requirements on products with digital elements sold in the EU. The rules apply broadly to hardware and software, with most obligations placed on manufacturers and some responsibilities on importers and distributors. Manufacturers must carry out a security risk assessment, design products with secure default configurations and the ability to restore to a secure state, ship without known exploitable vulnerabilities, and provide and deploy security updates. Noncompliance can result in fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher. Awareness remains low: most respondents in Europe and North America are unfamiliar with the regulation.
"The CRA sets mandatory cybersecurity rules for nearly all “products with digital elements,” which means hardware and software, sold on the EU market, with most obligations falling on manufacturers but some also on importers and distributors. That means if you sell pretty much anything in the EU, you must include a security risk assessment; design them with secure default configurations and the ability to restore to a secure state; eliminate known exploitable vulnerabilities; and provide and deploy security updates."
"If you don't, the EU will sock you with fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher. Scary stuff, right? You'd think companies would be working their fingers to the bone getting their goods ready for the post-CRA market. You'd be wrong."
"“It's wild,” CRob said. “We did a report last year ... and we're doing the sequel. And people still are not aware of what they need to do and are not prepared, but the runway is rapidly running out.”"
"CRob said, “62% of people in Europe were unaware of what they needed to do last year. This year it's 66%, which is statistically the same.” It's even worse outside Europe. In a blog post, CRob pointed out that “The geographic disparity is even more alarming. In the United States and Canada, nearly 72% of respondents are unfamiliar with the regulation.”"
Read at DevOps.com