Cyber Resilience Act Foundation

The Cyber Resilience Act Foundation course introduces the Cyber Resilience Act regulation and the compliance requirements applicable to products with digital elements throughout their lifecycle. The training establishes a clear basis for understanding obligations, responsibilities and evidence, including security by design, vulnerability management and reporting.

Upcoming dates

Confirmed dates.
Synchronous, live training. Interaction with the trainer and the group.

1 June 2026
Live Online • next edition
25 September 2026
Live Online • base price
Duration: 2 days / 16h
Language: available in Portuguese or English
Training: practical and application-oriented
Exam: 1h
ESSENTIAL LEVEL — structured and solid knowledge that supports any career.

Why this course exists

To create a practical foundation and a common language on the CRA, cybersecurity requirements for products, and compliance in the European market.

Many organisations develop, integrate or operate products with digital elements without a consistent understanding of the legal obligations, security requirements and compliance applicable to the European Union market.

This course establishes a fundamental and applicable level of knowledge to understand the CRA, interpret its scope and structure, and support compliance with the requirements, including security by design practices, vulnerability management, technical documentation, conformity assessment, CE marking, market surveillance and penalties.

What this course enables you to do

Understand

Understand the object, scope, structure and requirements of the Cyber Resilience Act for products with digital elements, and its role within the EU legislative framework.

Apply

Apply a compliance-oriented reading: identify security-by-design requirements, SSDLC, vulnerability management and obligations throughout the product lifecycle.

Correlate

Relate the CRA to other relevant instruments, such as NIS2, DORA, the AI Act, the new legislative framework for products and European certification schemes.

Compliance

Understand conformity assessment requirements and mechanisms, harmonised standards, documentation, authorities and market surveillance, to support internal decisions and actions.

Frameworks, standards and best practices addressed throughout the course

Cyber Resilience Act (CRA)
Security-by-design & SSDLC
Vulnerability management & transparency
Obligations of economic operators
Free and open-source software
Harmonised standards
Conformity assessment
Technical documentation
EU Declaration of Conformity
CE marking
Notifying authorities & assessment bodies
Market surveillance, confidentiality and penalties
EU cybersecurity strategy
Relationship with NIS2, DORA and AI Act

Value for the organisation

  • Creates a common basis for technical, product, security, risk, compliance and management teams regarding CRA requirements.
  • Reduces uncertainty and internal noise in the interpretation of the regulation’s obligations, scope and impacts.
  • Supports compliance planning: security throughout the lifecycle, vulnerability management, documentation and conformity assessment.
  • Improves preparation for internal/external audits and interaction with authorities and market requirements, including CE marking.

Introduction

The Cyber Resilience Act Foundation course addresses the fundamental cybersecurity concepts and principles and the requirements associated with products with digital elements in the context of the European Union Cyber Resilience Act (CRA).

Throughout the course, participants learn about the problems, objectives and challenges that led to the development of the regulation and learn to interpret its object, scope of applicability, structure and supporting resources. The course also analyses the stakeholders and obligations of economic operators, including requirements for security by design, security throughout the lifecycle (SSDLC), vulnerability management, compliance requirements and specific aspects applicable to free and open-source software.

The course also frames the CRA within the EU cybersecurity strategy and its relationship with the new legislative framework for products, including CE marking, the NIS2 Directive, the DORA Regulation, the Artificial Intelligence Act and other related legislation. It includes the analysis of conformity assessment mechanisms, notifying authorities, assessment bodies, market surveillance and penalties.

This course prepares participants for the Certified Cyber Resilience Act Foundation (CCRAF) personal certification.

This Training Plan and all associated documents are protected by Copyright and registered as a literary work with IGAC.

General Objectives

At the end of this course, participants will be able to:

  • Introduce and apply the main concepts of the Cyber Resilience Act (CRA), including security-by-design, SSDLC and cybersecurity requirements applicable to software and hardware products.
  • Know the cybersecurity problems, objectives and challenges that gave rise to the CRA proposal.
  • Understand the structure, scope and overview of the regulation, including exclusions and supporting resources.
  • Identify the most relevant stakeholders and their role in the context of the CRA.
  • Understand the relationship between the CRA and the EU cybersecurity strategy, the new legislative framework for products, including CE marking, and other Union legislative acts and policies, such as NIS2 and the AI Act.
  • Know the conditions, security requirements and types of products with digital elements, including products based on open-source software.
  • Understand the obligations of economic operators, documentation and specific provisions on free and open-source software.
  • Understand compliance and assessment requirements: harmonised standards, EU Declaration of Conformity, CE marking, technical documentation and assessment procedures.
  • Understand the role of notifying authorities and conformity assessment bodies, as well as market surveillance mechanisms, confidentiality and penalties.
  • Possess the knowledge required to successfully take the Certified Cyber Resilience Act Foundation certification exam.

Target Audience

  • Technical and cybersecurity professionals, including IT, security and engineering, who will implement CRA requirements.
  • Management and leadership, including managers and directors, who need to understand impacts on risk, compliance and operations.
  • Product and development teams, including software, hardware, components and integrations, including AI, responsible for products with digital elements.
  • Project management, QA and security testing teams that support delivery and compliance validation.
  • Compliance, audit and risk management teams responsible for ensuring compliance with the regulation.
  • Regulated sectors or sectors with reinforced requirements, such as NIS2, DORA, CRE and related legislation.
  • Incident management and response professionals who need to align processes and tools with the new requirements.
  • Professionals and stakeholders who wish to acquire a solid foundation on the CRA and cybersecurity requirements for products.

Prerequisites

There are no mandatory formal prerequisites. However, other specific requirements may apply, where relevant, depending on the quotation or proposal presented. Please consult the applicable proposal.

Programme

Framework and fundamentals of the Cyber Resilience Act (CRA)
  • Context, objectives and challenges that led to the CRA
  • Fundamental cybersecurity principles applicable to products with digital elements
  • Security by design and security throughout the lifecycle (SSDLC)
Scope of application, structure and CRA ecosystem
  • Object and scope of the regulation, exclusions, macro-structure and supporting resources
  • Identification of the main stakeholders, including economic operators, consumers, competent authorities and other relevant entities
Products with digital elements and cybersecurity requirements
  • Types of products covered by the CRA
  • Essential security requirements for software and hardware, AI systems and high-risk products
  • Specific aspects applicable to free and open-source software
Obligations of economic operators and compliance management
  • Obligations of manufacturers, importers and distributors
  • Technical documentation, communication, vulnerability management and incident requirements
  • Specific provisions for open-source software
Conformity assessment, CE marking and competent authorities
  • Harmonised standards, conformity assessment procedures, EU Declaration of Conformity, CE marking, role of notifying authorities and conformity assessment bodies
Market surveillance, penalties and European cybersecurity certification
  • Market surveillance and enforcement mechanisms, penalty regime, confidentiality, and framework of the European cybersecurity certification system as support for CRA compliance and related legislation

Exam(s) and Certification

Exam “Certified Cyber Resilience Act Foundation”

The exam covers the following competence domains:

  • Domain 1: CRA fundamentals, structure and overview in the EU legislative context
  • Domain 2: Obligations of economic operators and provisions on free and open-source software
  • Domain 3: Conformity assessment and certification
  • Domain 4: Notifying authorities and conformity assessment bodies
  • Domain 5: Market surveillance and penalties

 

Language(s): English and Portuguese.
Duration: 1 hour.
Format: Multiple choice.
Number of questions: 40 questions.
Pass mark: 260/400 points.
Results: Pass or Fail.
Issuing entity: Behaviour (legal entity), through its certification service Behaviour Certification Services.
Retake: 1 free retake within a maximum period of 2 months after the result of the initial exam.

Certification

After successfully completing the exam and accepting or signing the applicable agreement and Code of Ethics, the candidate achieves the credential Certified Cyber Resilience Act Foundation (CCRAF), issued by Behaviour (legal entity), through its certification service Behaviour Certification Services.

A Certificate and a Digital Certification Badge will be issued to participants who successfully complete the certification exam and satisfy all requirements of the certification for which they are applying.

The personal certification programme Certified Cyber Resilience Act Foundation (CCRAF) is developed and maintained in accordance with the international standard ISO/IEC 17024.

Certification programmes are valid only for individuals, not companies, and the award and maintenance of certification depend on the exam result, professional experience and compliance with the applicable agreement and Code of Ethics.

If the professional does not comply with the agreement or the Code of Ethics, the certification is not granted or is revoked.

Other Information

General Information
  • Training available in Portuguese or English.
  • Training materials with online access, in accordance with the awarded conditions.
  • Behaviour digital Training Attendance Certificate with 16 CPD/CPE credits.
  • Online Certification Exam, in Portuguese or English. The exam may be taken up to 2 months from the course start date.
  • If the candidate does not pass the exam, they are entitled to one free retake within a maximum period of 2 months from the release date of the initial exam result.
  • Digital Certification Diploma and Digital Certification Badge after passing the exam and completing the application process. This process has no associated cost.

Trainer(s)

The trainers are consultants and specialists with experience in cybersecurity, compliance and the European regulatory framework, including requirements applicable to products with digital elements, vulnerability management, SSDLC and compliance governance.

Benefits

  • The Cyber Resilience Act establishes horizontal requirements to improve the security of software and hardware products placed on the EU market.
  • Enables understanding of obligations and impacts for economic operators and stakeholders, reducing non-compliance risk.
  • Strengthens internal capabilities in security-by-design, SSDLC and vulnerability management throughout the product lifecycle.
  • The course is based on the BEHAVIOUR pedagogical model, with a personal certification programme in accordance with ISO/IEC 17024.
  • Objective preparation for the Certified Cyber Resilience Act Foundation exam, in multiple-choice format.
  • In case of failure, there is 1 free retake within a maximum period of 2 months after the initial exam result.

Logistics

Useful information
  • Live Online (synchronous time): 09h30–13h00 and 14h00–17h30 (Lisbon time), with short breaks
  • Classroom (synchronous time): 09h30–13h00 and 14h00–17h30 (Lisbon time), with short breaks
  • Duration: 14h of synchronous sessions + 2h of guided autonomous work, exercises and content consolidation
  • Requirements: computer with stable internet, updated browser, PDF reader and audio/video

Hotels in Lisbon

Find out where you can stay in Lisbon, near Behaviour, for classroom training.

Frequently Asked Questions

Objective answers to the most common questions about the Cyber Resilience Act Foundation course.

How is the Cyber Resilience Act framed throughout the course?

Throughout the Cyber Resilience Act Foundation course, the regulation is framed from a technical-organisational perspective, prioritising its practical application to the organisational context.

For general questions about registration, delivery modes, exams, certification and recertification, please consult the BEHAVIOUR® FAQs.

Registration

Complete the form to request your registration for the preferred edition. Check the upcoming dates.

Request more information

If you would like help to frame the course within your professional or organisational context, contact us and we will indicate the most suitable path.

Companies: request a proposal

For team registrations, we provide volume conditions and a proposal tailored to the organisational need.

This course may be attended by individual professionals. It may also be integrated into capacity-building pathways for product, compliance, security and technology teams that need to understand Cyber Resilience Act requirements and their practical application.