
Michelle Michael

The strategic standard setter: For product safety that thinks ahead

International committee work, new testing requirements and security by design: Michelle is shaping the rules by which digital products will be assessed in future.

Michelle Michael

Expert for Secure Digital Solutions

"CRA defines the regulatory objective, IEC 62443 provides the technical framework. Our task at TÜVIT is to systematically bring the two together."


Contact:
+49 201 8999 629

Michelle, if someone asks you, “What do you actually do at TÜVIT?” – what do you say?

It's not easy to summarise, because my job is very complex. First and foremost, I work as a Project Lead in Industrial Security. At the same time, I have leading roles in various committees. I drive the topics forward, define procedures and bring the results to TÜVIT.

So you could say that as an expert, I am responsible for test procedures and standards.

The Cyber Resilience Act is currently on everyone's lips. What is its core purpose, and why should manufacturers take action now?

According to the Cyber Resilience Act (CRA), all products with digital elements that are directly or indirectly connected to another device or network fall within its scope. Manufacturers must prove that their products are developed on a risk-based basis according to "security by design" and "security by default", are placed on the market without known exploitable vulnerabilities and are secured throughout the entire support/life cycle with security updates, vulnerability handling and transparent documentation.

From 11 December 2027, products with digital elements may only be placed on the EU market for the first time if they meet the CRA requirements and are properly CE marked.

How do you help companies integrate security by design and security by default into their development process from the outset?

We support manufacturers end-to-end on the path to CRA conformity: from scope/product classification, threat & risk analyses (TARA), gap analyses and SDLC maturity level development to auditable technical documentation and preparation of the conformity assessment. As TÜVIT, we bring the typical combination of independence, testing methodology and industry expertise (including OT/ICS) to the table and can systematically dovetail the requirements with established standards and best practices.

What appeals to you about this work - and why is it important for TÜVIT to be involved in setting new standards from the outset?

It is important to me to establish TÜVIT as a frontrunner - in other words, that we lead the way with our expertise. I enjoy this because I have different perspectives: on the manufacturers, on the operators, on other certification bodies and on testing laboratories.

Your field of work is constantly changing. What topics do you see coming up in the future?

Quite clearly: the Cyber Resilience Act. This is a very important topic that will occupy me and many others in the future. And that's a good thing because the CRA is relevant for manufacturers. Overall, cyber security is more in focus than ever when you look at the current security situation. It affects us all.

Whitepaper

Your guide to CRA compliance for products with digital elements

Download the Whitepaper "Guidance: A Product Manufacturer's Path to Comply with the Cyber Resilience Act" free of charge.