CRA in practice

CRA-by-Design: Protocol-Embedded Compliance for EV Charging Infrastructure

UA2.114 (Baudoux)
Achim Friedland
<p>EV charging stations expose a uniquely difficult CRA landscape: a single physical device can be accessed through very different user paths: ISO 15118 (Plug&amp;Charge), RFID cards, mobile apps, credit-card terminals and OEM backends. Between the end user and the actual product manufacturer sit multiple intermediaries (CSMS, OEM cloud, roaming hubs, payment processors), each with partial control over configuration, telemetry and security posture. How can all the CRA obligations be delivered across this complex ecosystem? At the same time, a typical Charge Point Operator (CPO) has to manage over 300 different manufacturers, models and firmware images, and the cyber security posture ranges from monitored private charging stations to high-power public charging stations.</p> <p>Rather than relying on "out-of-band" CRA management, a better approach might be to integrate all CRA cyber security obligations, and especially vulnerability management, deeply into the commonly used management protocols such as the Open Charge Point Protocol (OCPP). This removes the disconnect between CRA compliance work and operational reality.</p> <p>Work in the Open Charge Alliance (notably the Cyber Security Task Group), CyberStand.eu’s CRA alignment efforts and the newly NLnet NGI Zero Commons-funded <strong>EVQI</strong> project is already pushing concrete interfaces in this direction: device-model variables for CRA readiness, structured vulnerability and lifecycle metadata, cross-vendor health monitoring, and standardized audit-trail exports suitable for CRA Article 10-15 reporting.</p> <p>This session outlines how CRA obligations can be realized in a heterogeneous, multi-vendor charging ecosystem, with an emphasis on operators managing 50,000+ devices. It shows which processes must be automated, which artefacts need to be transported over OCPP, and how deep protocol-level integration enables consistent, scalable CRA compliance across an extremely diverse EV-charging landscape.</p>
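As an added example of what "transporting CRA artefacts over OCPP" can look like on the CSMS side (this is not code from the session, the Open Charge Alliance or the EVQI project): the OCPP-J framing (`[2, id, action, payload]` for a CALL) and the shape of the OCPP 2.0.1 GetVariables and NotifyReport device-model messages are real; the `CRACtrlr` component and its four variables (`SupportEndDate`, `SBOMReference`, `OpenVulnerabilities`, `PatchStatus`) are hypothetical placeholders standing in for the CRA-readiness variables the session describes, and the fleet traffic is constructed inline. The point is that once lifecycle and vulnerability metadata ride in the device model, the same code that already polls variables for operations can produce a per-station audit record, including for legacy firmware that reports nothing.

```python
"""CSMS-side evaluation of CRA lifecycle metadata carried in OCPP 2.0.1
device-model reports. Added example; component/variable names are hypothetical."""
import json
from datetime import date

CALL, CALLRESULT = 2, 3                      # OCPP-J message type ids
CRA_COMPONENT = "CRACtrlr"                   # hypothetical component name
CRA_VARIABLES = ("SupportEndDate", "SBOMReference",
                 "OpenVulnerabilities", "PatchStatus")   # hypothetical variables
AUDIT_DATE = date(2026, 1, 31)               # date the fleet is assessed against


def get_variables_call(message_id: str) -> str:
    """CSMS -> station: GetVariables CALL asking for every CRA variable."""
    payload = {"getVariableData": [
        {"component": {"name": CRA_COMPONENT}, "variable": {"name": v}}
        for v in CRA_VARIABLES]}
    return json.dumps([CALL, message_id, "GetVariables", payload])


def parse_notify_report(frame: str) -> dict:
    """Station -> CSMS: pull the CRA variables out of a NotifyReport CALL.

    Returns {variable_name: value}. Other components are ignored and only the
    'Actual' attribute (the OCPP default when 'type' is omitted) is used.
    """
    msg = json.loads(frame)
    if msg[0] != CALL or msg[2] != "NotifyReport":
        raise ValueError("not a NotifyReport CALL")
    values = {}
    for rd in msg[3].get("reportData", []):
        if rd["component"]["name"] != CRA_COMPONENT:
            continue
        for attr in rd.get("variableAttribute", []):
            if attr.get("type", "Actual") == "Actual":
                values[rd["variable"]["name"]] = attr.get("value")
    return values


def assess(station_id: str, reported: dict, today: date) -> dict:
    """Turn reported metadata into an audit record with concrete findings."""
    findings = []
    missing = [v for v in CRA_VARIABLES if v not in reported]
    if missing:
        findings.append("missing CRA variables: " + ", ".join(missing))
    end = reported.get("SupportEndDate")
    if end and date.fromisoformat(end) < today:
        findings.append(f"support period ended {end}")
    try:
        open_vulns = int(reported.get("OpenVulnerabilities", "0"))
    except ValueError:
        open_vulns = 0
        findings.append("OpenVulnerabilities is not an integer")
    if open_vulns > 0 and reported.get("PatchStatus") != "Scheduled":
        findings.append(f"{open_vulns} open vulnerabilities without a scheduled patch")
    return {"stationId": station_id, "reported": reported,
            "findings": findings, "compliant": not findings}


def _report(message_id: str, variables: dict) -> str:
    """Build a station -> CSMS NotifyReport CALL for the constructed samples."""
    report_data = [{"component": {"name": CRA_COMPONENT},
                    "variable": {"name": name},
                    "variableAttribute": [{"type": "Actual", "value": value,
                                           "mutability": "ReadOnly"}]}
                   for name, value in variables.items()]
    payload = {"requestId": 7, "generatedAt": "2026-01-31T09:00:00Z",
               "tbc": False, "seqNo": 0, "reportData": report_data}
    return json.dumps([CALL, message_id, "NotifyReport", payload])


# Constructed sample traffic, not captured from real stations.
SAMPLE_FRAMES = {
    "CS-A": _report("a1", {"SupportEndDate": "2029-12-31",
                           "SBOMReference": "https://vendor.example/sbom/cs-a.cdx.json",
                           "OpenVulnerabilities": "0", "PatchStatus": "UpToDate"}),
    "CS-B": _report("b1", {"SupportEndDate": "2025-06-30",
                           "SBOMReference": "https://vendor.example/sbom/cs-b.cdx.json",
                           "OpenVulnerabilities": "2", "PatchStatus": "None"}),
    "CS-C": _report("c1", {}),   # legacy firmware: no CRA component at all
}


def assess_fleet(frames: dict, today: date) -> dict:
    """Map station id -> audit record for a whole fleet of report frames."""
    return {sid: assess(sid, parse_notify_report(frame), today)
            for sid, frame in frames.items()}


def demo() -> dict:
    """Assess the constructed fleet as of AUDIT_DATE."""
    return assess_fleet(SAMPLE_FRAMES, AUDIT_DATE)


if __name__ == "__main__":
    for record in demo().values():
        print(json.dumps(record, indent=2))
```

In a real CSMS the GetVariables CALL would be sent over the station's WebSocket and the answer arrives as a GetVariables CALLRESULT or, for a full device-model dump via GetReport, as one or more NotifyReport CALLs; the parsing and assessment logic is the same in both cases, and the audit record is what an operator would export for the Article-level reporting the session refers to.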

More info

Live Stream https://live.fosdem.org/watch/ua2114
Format devroom
Language English

More sessions

31.01.26
CRA in practice
Roman Zhukov
UA2.114 (Baudoux)
<p>Opening remarks and housekeeping.</p>
31.01.26
CRA in practice
Max Mehl
UA2.114 (Baudoux)
<p>Deutsche Bahn, with its 230,000 employees and hundreds of subsidiaries, is far from an average organization. Yet it faces the same challenges under the CRA as many others. In this session, we will show how we connected the concrete requirements of CRA compliance with our broader effort to bring transparency to our software supply chains. This forms the basis for security and license compliance processes, as well as for proactively shaping the ecosystems we depend on.</p> <p>We will outline ...
31.01.26
CRA in practice
Kiko Fernandez-Reyes
UA2.114 (Baudoux)
<p><a href="https://github.com/erlang/otp">Erlang/OTP</a> is an open source programming language designed for the development of concurrent and distributed systems. Created 40 years ago and open sourced in 1998, Erlang is used by <a href="https://www.ericsson.com/en">Ericsson</a>, <a href="https://www.cisco.com/">Cisco</a>, <a href="https://www.whatsapp.com/">WhatsApp</a>, <a href="https://discord.com/">Discord</a>, and <a href="https://www.klarna.com/se/">Klarna</a> for mission critical ...
31.01.26
CRA in practice
Marta Rybczynska
UA2.114 (Baudoux)
<p>Embedded products are at the core of the Cyber Resilience Act, yet they face unique compliance challenges. Hardware vendors ship heavily patched BSPs, software modules often diverge from upstream, and reliable identification of modified components is still far from solved. For teams building products on top of these layers, translating CRA requirements into daily engineering practice is not straightforward.</p> <p>This talk provides a practical overview of where CRA compliance currently ...
31.01.26
CRA in practice
UA2.114 (Baudoux)
<p>The Cyber Resilience Act (CRA) is reshaping expectations around open source software, introducing new requirements for security, traceability, and documentation. While maintainers are responsible for technical compliance, community managers play a critical but often overlooked role in helping projects adapt. This session is designed for community managers, project maintainers, stewards, and open source contributors interested in practical CRA readiness. The focus is on practical enablement by ...
31.01.26
CRA in practice
UA2.114 (Baudoux)
<p>This panel brings together experts to discuss the practical realities of implementing the CRA steward role, as defined by the regulation, and how organisations are approaching its execution. Panelists will explore how the concept of CRA stewards is being interpreted, what responsibilities are emerging in practice, and the challenges organisations face in preparing for this new function. They will also highlight which elements remain unclear, what support or guidance is still needed, and how ...
31.01.26
CRA in practice
UA2.114 (Baudoux)
<p>Security teams are currently drowning in vulnerability data, but the Vulnerability Exploitability eXchange (VEX) offers a solution by providing machine-readable clarity on which exploits actually matter. This technology is rapidly evolving from a "nice-to-have" efficiency tool into a critical compliance enabler for the EU Cyber Resilience Act (CRA), which mandates effective vulnerability handling for the European market.</p> <p>In this session, Georg and Rao present the findings from the VEX ...