BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Cybersecurity Advisors Network - ECPv6.16.4.1//NONSGML v1.0//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
X-WR-CALNAME:Cybersecurity Advisors Network
X-ORIGINAL-URL:https://cybersecurityadvisors.network
X-WR-CALDESC:Events for Cybersecurity Advisors Network
REFRESH-INTERVAL;VALUE=DURATION:PT1H
X-Robots-Tag:noindex
X-PUBLISHED-TTL:PT1H
BEGIN:VTIMEZONE
TZID:Europe/Helsinki
BEGIN:DAYLIGHT
TZOFFSETFROM:+0200
TZOFFSETTO:+0300
TZNAME:EEST
DTSTART:20250330T010000
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0300
TZOFFSETTO:+0200
TZNAME:EET
DTSTART:20251026T010000
END:STANDARD
BEGIN:DAYLIGHT
TZOFFSETFROM:+0200
TZOFFSETTO:+0300
TZNAME:EEST
DTSTART:20260329T010000
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0300
TZOFFSETTO:+0200
TZNAME:EET
DTSTART:20261025T010000
END:STANDARD
BEGIN:DAYLIGHT
TZOFFSETFROM:+0200
TZOFFSETTO:+0300
TZNAME:EEST
DTSTART:20270328T010000
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0300
TZOFFSETTO:+0200
TZNAME:EET
DTSTART:20271031T010000
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTART;TZID=Europe/Helsinki:20260624T160000
DTEND;TZID=Europe/Helsinki:20260624T170000
DTSTAMP:20260623T141228Z
CREATED:20260621T112600Z
LAST-MODIFIED:20260623T141228Z
UID:102398-1782316800-1782320400@cybersecurityadvisors.network
SUMMARY:Virtual round table — The Cyber Resilience Act: Practical Implications for Supply Chains
DESCRIPTION:CyAN is co-hosting a virtual round table on the EU Cyber Resilience Act — The Cyber Resilience Act: Practical Implications for Supply Chains — on Wednesday 24 June 2026\, in collaboration with the SCCS Summit Network and 1CxO CSA. The session continues a discussion our panelists began at the SCCS Summit in Munich (22–24 April 2026). \n\n\n\nRegistration:  https://sccybersecurity.com/sccs-summit-network/ \n\n\n\nThe CRA is no longer theoretical — it’s operational. From September 2026\, companies placing digital products on the EU market must report actively exploited vulnerabilities and serious incidents within 24 hours\, with full conformity and CE marking following in December 2027. And it doesn’t stop at the manufacturer’s door — importers\, distributors\, and even open-source stewards are pulled into the compliance chain. Cyber risk now travels with the product\, and with everyone who touches it. \n\n\n\nEvent details\n\n\n\n\nWhat: Virtual round table – The Cyber Resilience Act: Practical Implications for Supply Chains\n\n\n\nWhen: Wednesday 24 June 2026\, 16:00–17:00 CEST\n\n\n\nWhere: Online\n\n\n\nFormat: Fireside chat between experts\, followed by Q&A and open discussion\n\n\n\nRegister: Reserve your spot via the SCCS Summit Network (or on LinkedIn at https://www.linkedin.com/events/virtualrt-cyberresilienceact-pr7467889827372351488/)\n\n\n\n\nPanel\n\n\n\n\nTereza Jášková – Managing Director & Senior Legal Counsel\, Alpiq\n\n\n\nRolf A. Becker – Co-Chair\, Cloud Security Alliance (Swiss Chapter)\n\n\n\nJohn Salomon (moderator) – Board member\, Cybersecurity Advisors Network (CyAN)\n\n\n\n\nA legal and enterprise perspective from a major energy group\, and a cloud and ecosystem perspective drawn from years of multi-tier supplier governance — with room throughout for audience questions and discussion. \n\n\n\nA big thanks to Bharat Raigangar of 1CxOCSA for helping to organise and facilitate this conversation! 
\n\n\n\nThe CRA in brief\n\n\n\nThe Cyber Resilience Act — Regulation (EU) 2024/2847 — is the first EU-wide law to set baseline cybersecurity requirements for “products with digital elements\,” covering nearly all hardware and software placed on the EU market. Unlike NIS2\, it regulates the products themselves\, across their whole lifecycle. As a regulation rather than a directive\, it is directly applicable in all member states\, with no national transposition. \n\n\n\nIn practice\, the CRA requires manufacturers to: \n\n\n\n\ndesign and build products that are secure by default\, with no *known exploitable* vulnerabilities at the time of release\, meeting the Act’s risk-based essential requirements;\n\n\n\nhandle vulnerabilities across the product’s lifecycle and provide free security updates for a defined support period (a minimum of five years\, unless the product’s expected use is shorter);\n\n\n\nmaintain a software bill of materials (SBOM) and apply the CE marking as proof of conformity;\n\n\n\nreport actively exploited vulnerabilities and severe incidents to ENISA’s Single Reporting Platform.\n\n\n\n\nCrucially\, the obligations don’t stop at the manufacturer. Importers\, distributors\, and even certain open-source software stewards are pulled into the framework. Most products can be self-assessed; “important” and “critical” categories face stricter conformity assessment. Penalties run up to €15 million or 2.5% of global annual turnover\, the Act applies extraterritorially\, and there is targeted relief for open-source stewards and SMEs. \n\n\n\nWhy it matters for the supply chain\n\n\n\nAccountability sits with the manufacturer\, but the evidence — SBOMs\, vulnerability data\, control assurance — is scattered across every supplier and sub-processor.  
\n\n\n\nMeeting the CRA’s tight reporting timelines (a 24-hour early warning from the moment you become aware of an actively exploited vulnerability or severe incident) depends on visibility that reaches well below your Tier-1 suppliers\, into cloud services and nth-tier subcontractors. SBOMs are now a legal requirement — yet many remain static documents that fall apart the moment they are needed during a live incident.  \n\n\n\nFor third-party risk teams\, the CRA reshapes due diligence\, contracts\, and continuous monitoring\, and it lands hardest on the long tail of smaller suppliers. It is\, at once\, a supply-chain problem\, a product-design problem\, and a governance problem. \n\n\n\nImplementation timeline\n\n\n\nDate | Milestone\n10 December 2024 | CRA enters into force\n11 June 2026 | Provisions on conformity assessment bodies (notified bodies) apply\n11 September 2026 | Reporting obligations apply — manufacturers must report actively exploited vulnerabilities and severe incidents\n11 December 2027 | Main obligations\, conformity assessment\, and CE marking apply in full\n\n\n\n*Watch item:* the proposed Digital Omnibus (19 November 2025) would introduce a single EU entry point for incident reporting and adjust early-reporting timing. It is not yet law. 
\n\n\n\nEU information resources\n\n\n\n\nCRA text — Regulation (EU) 2024/2847 (EUR-Lex): https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng\n\n\n\nEuropean Commission — Cyber Resilience Act policy page: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act\n\n\n\nEuropean Commission — Summary of the legislative text: https://digital-strategy.ec.europa.eu/en/policies/cra-summary\n\n\n\nEuropean Commission — Reporting obligations: https://digital-strategy.ec.europa.eu/en/policies/cra-reporting\n\n\n\nENISA — Single Reporting Platform (SRP): https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp\n\n\n\n\nAbout the collaboration\n\n\n\nCyAN (Cybersecurity Advisors Network) is a global\, not-for-profit association of cybersecurity professionals working across policy\, governance\, and international cooperation. More at https://cybersecurityadvisors.network/ \n\n\n\nThe SCCS Summit Network is the year-round community of the Third Party & Supply Chain Cyber Security (SCCS) Summit — a long-running EMEA forum for information security\, cyber TPRM\, and GRC professionals. More at https://sccybersecurity.com/sccs-summit-network/ \n\n\n\nThis round table is intended as orientation and practitioner perspective on the CRA. It is not legal advice; organisations should seek qualified counsel on their specific obligations.
URL:https://cybersecurityadvisors.network/event/virtual-round-table-the-cyber-resilience-act-practical-implications-for-supply-chains/
ATTACH;FMTTYPE=image/png:https://cybersecurityadvisors.network/wp-content/uploads/2026/06/CRA.png
END:VEVENT
END:VCALENDAR