EU Cyber Resilience Act (CRA)

The European Cyber Resilience Act (CRA), promulgated in December 2024, is an important law that sets security requirements for connected digital products.
Vulnerability reporting requirements take effect in September 2026 and all provisions in December 2027, with hefty penalties for companies that fail to comply. This presentation will provide a clear explanation of the key requirements of the CRA and what digital product manufacturers need to address now.

This presentation will explain the main requirements of the CRA and provide an overview of the specific measures that digital product manufacturers should take.
It explains how to design, develop, and produce products with cyber security in mind, eliminate known vulnerabilities prior to market launch, and report vulnerabilities and incidents and provide patches once the product is on the market. In addition, risk analysis methods and an efficient vulnerability monitoring system will be introduced.

It is generally believed that the “quality control department” is in charge of internal audits based on ISO/SAE 21434, but in reality, the “audited organization” itself must play a certain role to ensure the effectiveness of the CSMS (Cyber Security Management System) and to realize smooth audits.
This session will explain how to proceed with internal audits and the basic knowledge required for effective operation of CSMS. Take the first step toward establishing cyber security as a whole by learning practical know-how.

(1) Necessity of internal audits based on ISO/SAE 21434 and how to deal with them throughout the organization
Internal audits based on the ISO/SAE 21434 standard are essential for maintaining and improving the management system (CSMS) to ensure cyber security of embedded products including automobiles. In response to the importance of software in the automotive industry and the increasing sophistication of cyber attacks, vulnerabilities must be managed throughout the lifecycle from development to disposal.
Early detection of risks and improved security can be achieved through continuous auditing and improvement across the entire enterprise, with the cooperation of multiple departments, including not only the quality department but also “non-audit organizations”.

(2) Basic knowledge of management system activities as an auditor
For organizations that have established a cyber security management system (CSMS) in the automotive industry, internal audits are essential as part of evaluation activities (C: Check in the PDCA cycle). In order to conduct these audits effectively, it is essential to have a basic knowledge of the management system activities operated by the organization to be audited (audited organization).
This presentation will introduce basic knowledge of the management system activities of the audited organization, which is indispensable for smooth implementation of internal audits.