
Where should I start with CRA countermeasures? - A one-stop consultation service for design, vulnerability response, and handling of old equipment -


Compliance with the EU Cyber Resilience Act (CRA) touches many internal and external processes and stakeholders: design, software, hardware, vulnerability management, regulatory affairs, and quality. In practice, tasks such as threat analysis, security design, confirming the security readiness of procured components, and certification work often require collaboration with several companies and outside experts.

As a result, many companies find that:

"The number of people to consult keeps growing, and the discussion becomes scattered."
"We have to explain the same thing over and over again."
"We can't decide where to start."

Many companies probably feel this way. Macnica is not in a position to handle every aspect of CRA compliance on its own. However, because we work across several fields, including semiconductors, industrial equipment, security, and vulnerability management, and talk with many companies every day, we believe we can serve as a contact point where you can first organize your situation and ask for advice. We will help sort out your issues, research the information you need, and introduce the most suitable companies and experts where necessary, acting as your first point of contact for CRA compliance. The topic does not have to be a complex one. Please feel free to bring us any question or concern about the CRA, knowing that consulting us will move something forward.

Why does CRA compliance tend to involve so many parties?

When it comes to the CRA, some companies feel they first need someone to talk to, perhaps because the scope of work, the required knowledge, and the tasks involved are so diverse.

The CRA is a set of rules that touches many internal processes: design, software, hardware, vulnerability management, regulatory affairs, quality, and manufacturing. The specialized tasks needed to move those processes forward, such as threat analysis, security design, SBOM and vulnerability management, obtaining hardware information, and third-party verification, cannot necessarily be completed by a single company. In many cases:
・Threat analysis and testing are carried out through external partners
・Software vulnerabilities are handled by another company
・Information on procured parts such as semiconductors must be confirmed with the manufacturers
・Interpretation of EU regulations is handled by yet another expert
As this shows, a wide range of parties is involved. Once you begin working on the CRA in earnest, you inevitably end up dealing with several companies in parallel. As a result:
・The number of people to consult grows, and the conversation becomes scattered
・The same explanation has to be given several times
・An answer on one topic affects another topic, but the information is not connected across the parties
Under these conditions, many companies find it difficult to grasp the overall picture of CRA compliance.

Each of these issues may seem small on its own, but the difficulty grows when several areas of expertise are involved, and it is easy to fall into a cycle: the number of people to consult grows, the information becomes more scattered, and it becomes harder to organize. Against this background, we believe the first thing needed is a single place where you can bring your situation and talk it through.

Points that often need to be considered when dealing with the CRA

As you work on CRA compliance, the themes you face shift gradually depending on the characteristics of the product and on how development has been done so far. There is no standard correct answer that applies to every company, but as you read and interpret the CRA you will naturally encounter more and more of the following points.

Points that need to be sorted out at the design stage (related to Article 13)

■ How to set the scope and depth of threat analysis
The scope and granularity of threat analysis vary from product to product: it may be conducted for an entire product line, or per model or per configuration. You may need to consider at an early stage how to align your existing risk assessment method with the CRA's requirements.

■ Handling legacy devices and existing products
For products that have been on the market for a long time, or equipment whose hardware is difficult to update, immediate changes are sometimes not possible. In such cases you need to consider how far measures must go, for example by reviewing settings, configurations, and the surrounding environment.

■ Dealing with old and unsupported operating systems
If a product runs an old OS, or an OS nearing the end of its support period, you need to consider whether an update is necessary or whether the gap can be compensated for by other means, taking into account the product's lifetime and future plans.

How to prioritize across all of your products

Since the impact of the CRA's requirements varies with a product's use, risk, and market, a prioritization stage is often necessary. For example:
・How to narrow down the target products
・Which requirements to address first
・How to proceed with new and existing products in parallel
Apart from individual technical issues, situations like these, where the overall arrangement has to be thought through, naturally arise.

How consulting with Macnica can help

When considering how to respond to the CRA, the first thing to determine is where within your company to start. Even at this stage, several areas are already involved, so a discussion that begins on one topic may spread to software, hardware, regulations, and vulnerability management. If you then try to pull the picture together within your company, you may need to check with a different company in each field, and your inquiries end up split across multiple parties.

Macnica is not in a position to complete the entire CRA process on its own. However, because we are in daily contact with several technology areas, such as semiconductors, industrial equipment, and security, we are well placed to gather the information that CRA considerations may require. If you first share your situation with us, we believe we can work together to clarify which themes currently relate to which areas, and where to start organizing in order to make the most progress.

Inquiries about the CRA

If you have any concerns about the CRA, even if you have not yet made much progress in sorting them out, please feel free to contact us. We will first ask about your situation and then provide information to the extent that Macnica can confirm it.
