Cyber Resilience Act (CRA): What Companies Need to Know Now

Greater Security for Digital Products in Europe

With the Cyber Resilience Act (CRA), the European Union is establishing, for the first time, a uniform security standard for products with digital components. The goal is to hold manufacturers more accountable and to minimize cyber risks as early as the development stage.

The Cyber Resilience Act does not only affect large technology companies. Many medium-sized manufacturers, software developers, importers, and retailers will also have to meet new requirements in the future.

Anyone who develops or distributes digital products within the EU should familiarize themselves with the requirements early on.


What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for products with digital elements.

These include, among others:

  • Software
  • Hardware
  • IoT Devices (Internet of Things)
  • Network Components
  • Industrial Control Systems
  • Smart Home Products
  • Cloud-connected devices
  • Operating Systems
  • Applications and Apps

The goal is to ensure a high level of security right from the development stage (“Security by Design”) and to address known vulnerabilities throughout the entire product lifecycle.


Why was the Cyber Resilience Act enacted?

Many cyberattacks exploit known security vulnerabilities for which updates are already available or that could have been avoided during development.

Until now, there have been varying safety standards across Europe.

The CRA should therefore:

  • Improve the cybersecurity of digital products
  • Better Protect Consumers and Businesses
  • establish uniform requirements within the EU
  • Make security updates mandatory
  • Hold manufacturers more accountable

This is intended to raise the overall level of security for digital products in the long term.


Which companies are affected?

The Cyber Resilience Act essentially applies to all companies that make products with digital elements available on the European market.

These include, in particular:

  • Software Developer
  • Hardware Manufacturers
  • IoT manufacturers
  • Machine Builders with Networked Technology
  • Medical device manufacturer
  • Suppliers of industrial control systems
  • Cloud-adjacent software providers
  • Importers
  • Retailer
  • Distributors

Small and medium-sized enterprises (SMEs) may also be affected.


What are the CRA’s requirements?

Among other things, the Cyber Resilience Act requires:

Security by Design

Safety requirements must be taken into account as early as the product development stage.

Security by Default

Products should be configured as securely as possible right out of the box.

Vulnerability Management

Manufacturers must systematically identify, assess, and address security vulnerabilities.

Security Updates

Necessary updates must be provided throughout the product’s intended life cycle.

Documentation

Compliance with safety requirements must be documented in a verifiable manner.

Risk Assessment

A cyber risk analysis must be conducted for each product.

Reporting Requirements

Actively exploited vulnerabilities and serious security incidents must be reported to the relevant authorities within the prescribed timeframes.


Which products are considered particularly critical?

Stricter requirements apply to certain product groups.

These include, for example:

  • Firewalls
  • Network Devices
  • Operating Systems
  • Identity Management Systems
  • VPN Solutions
  • Industrial Control Systems
  • Security software

Additional conformity assessments may be required for these products.


What are the benefits of the Cyber Resilience Act?

The CRA doesn’t just create new obligations.

Companies also benefit from:

  • greater product safety
  • greater customer trust
  • lower cyber risks
  • uniform EU rules
  • greater competitiveness
  • greater transparency regarding security processes

This makes cybersecurity a true mark of quality.


Relationship to NIS2 and ISO 27001

The Cyber Resilience Act supplements existing regulations.

While

  • NIS2 requires companies to protect their IT infrastructure,
  • ISO 27001 defines requirements for information security management systems,

The CRA focuses on the safety of the products themselves.

Together, these sets of regulations form an important part of the European cybersecurity strategy.


What should companies do now?

Even though many requirements will take effect gradually, it’s worth preparing early.

Some of the recommended options include:

  • Development of Secure Software Processes
  • Implementation of a Vulnerability Management System
  • Implementing a Patch Management System
  • Documentation of Development Processes
  • Conducting Risk Analyses
  • Testing Existing Products for CRA Compliance
  • Training for Development and Security Teams

Early implementation significantly reduces the need for adjustments later on.


Conclusion

The Cyber Resilience Act fundamentally changes the requirements for digital products in Europe. In the future, manufacturers and suppliers must demonstrate and continuously ensure safety throughout the entire product life cycle.

Companies that address the new guidelines early on not only meet legal requirements but also strengthen their customers’ trust and improve the quality of their products. Cybersecurity thus becomes an integral part of modern product development and a key competitive advantage.

Sources

For the article, you can cite the following reputable sources:

  • European Union: Regulation (EU) 2024/2847 – Cyber Resilience Act (CRA) (Official Journal of the European Union)
  • European Commission: Cyber Resilience Act – https://digital-strategy.ec.europa.eu/
  • Federal Office for Information Security (BSI): https://www.bsi.bund.de
  • ENISA – European Union Agency for Cybersecurity: https://www.enisa.europa.eu
  • EUR-Lex – EU Law Database: https://eur-lex.europa.eu