Converging Vulnerability Management and Risk Governance Under the EU CRA (R22c)
The introduction of the EU Cyber Resilience Act (CRA) marks a regulatory inflection point in how vulnerability management is defined, implemented, and maintained across digital product lifecycles. Rather than a voluntary good practice, vulnerability management is now positioned as a regulatory obligation that demands structured processes and distributed responsibilities among manufacturers, evaluators, and market-surveillance authorities. This talk draws parallels between the EU CRA, UNECE R.155, and ISO/SAE 21434, highlighting how the automotive sector has already operationalized mature risk-based frameworks that could serve as blueprints for other domains. By synthesizing these requirements into a regulatory baseline, the discussion outlines how vulnerability monitoring, coordinated disclosure, patch management, and certification maintenance can be unified under a coherent risk-management activity. Using RACI/RASIC-based responsibility models, the talk demonstrates how roles can be systematically allocated across the ecosystem (developers, ITSEFs, and regulatory bodies), enhancing transparency, accountability, and post-market traceability. Attendees will gain a comparative understanding of how ISO/SAE 21434 practices, UNECE R.155, and the EU CRA can converge toward a harmonized vulnerability management framework, reinforcing risk-driven governance and certification continuity across the European cybersecurity landscape.
