Where Are We With the CRA Cryptography Requirements? (A20a)
The Cyber Resilience Act (CRA) requires most digital devices and products to use cryptography to protect stored, transmitted, or otherwise processed data. But what kind of cryptography? The EU Coordinated Roadmap for transition to Post-Quantum Cryptography (PQC) presents CRA as one of the driving mechanisms for the transition, supporting cryptographic agility and a quantum-safe upgrade path. Will CRA require vendors to implement PQC? The technical interpretation and codification of CRA into harmonized standards is being carried out by the three European standardization organizations, ETSI, CEN, and CENELEC—unfortunately, largely behind closed doors. In this talk, the speaker will offer a CRA update from the perspective of a national expert and one of the few professional cryptographers tracking the CRA standardization work.