
Cyber Resilience Act (CRA) – What does it mean for your company?
Jul 22, 2025
Authors
Friederike Schneider
Expert Cyber Security
In 2020, the European Union paved the way for the Cyber Resilience Act (CRA) with the publication of its Cybersecurity Strategy, responding to the increasing digitization of all areas of life and to rising cybersecurity threats. Four years later it is here: the CRA entered into force on December 10, 2024, and applies to manufacturers, importers, and distributors of products with digital elements. This makes the CRA relevant for almost every company placing hardware or software products on the EU market, from IoT devices to industrial controllers and from laptops to baby monitors, regardless of company size, be it a startup, an SME, or a large corporation. Roughly estimated, that is several tens of thousands of companies in Germany alone.
Why the CRA Should Be Implemented
A rigorous implementation of the CRA is advisable not only because of the potential penalties but primarily because without compliance there is no CE marking, and CE marking is a prerequisite for placing products with digital elements on the EU market. The essential cybersecurity requirements of Annex I apply to every product, whether it is classified as a default, important, or critical product; what differs is the conformity assessment route to the CE marking. Important products such as operating systems, password managers, VPN products, and network devices like firewalls, routers, or switches face stricter conformity assessment. For important products in class II (for example firewalls and hypervisors) and for critical products, an independent notified body must be involved; critical products may additionally be required to obtain a European cybersecurity certificate. A product category is classified as critical when essential entities depend on it critically or when incidents involving it could seriously disrupt critical supply chains.
National or international cybersecurity regulations for companies or products that are already in force remain valid and are unaffected by the CRA. The goal of the CRA is not to make the regulatory jungle even more impenetrable; on the contrary, it serves as an overarching framework that covers all products with digital elements that were previously not subject to any cybersecurity regulation. This means that suppliers of components with digital interfaces, for example automotive parts, are now covered by the CRA even though they were not directly affected by the automotive sector's own regulation (UN Regulation No. 155). The result is a comprehensive, holistic regulatory approach to cybersecurity that applies equally to manufacturers, importers, and distributors: importers and distributors must verify that a product carries the CE marking and the required documentation before making it available, so unregulated, "unsafe" products from outside the EU can no longer simply be imported. From the consumer's perspective this is good news; for the companies affected, uncertainty is likely to prevail at first.
How Can the CRA Be Implemented?
In recent months our LinkedIn timeline has been full of posts, webinars, and offers about the CRA. Despite this flood of information, hardly anyone seems to know what companies specifically need to do now to comply with the regulation and avoid penalties.
From our perspective, implementing the CRA is best understood through the classic, greatly simplified, Security Engineering Process (SEP) (see diagram). It becomes clear that the CRA is comprehensive in two respects: first, in its reach across industries, company sizes, and national borders; second, across the lifecycle of a product, from design including conception and risk analysis, through specification and implementation, to testing. Beyond the SEP, the CRA also addresses commissioning, updates, and the decommissioning of products. Following the credo "Security by Design", the CRA requires security to be considered in every phase from now on, which allows for a holistic approach.

Diagram 1: Security Engineering Process (SEP)
The most important foundation is laid in the first step, risk management: the goal is to systematically identify, assess, and control risks throughout the entire product lifecycle; a Threat Analysis and Risk Assessment (TARA) is typically suitable for this (Annex I Part 1 (1); the cybersecurity risk assessment itself is required by Article 13). A structured risk analysis creates the basis for deciding which measures are necessary and how they should be prioritized. It is important that the risk analysis identifies concrete attack paths and makes the effect of each countermeasure on the residual risk visible.
In the second step, the resulting measures are implemented in the implementation phase by adhering to the SEP (Annex I Part 1 (2) e & f). The CRA demands comprehensive vulnerability handling (Annex I Part 2). To meet this requirement, creating and maintaining a Software Bill of Materials (SBOM) is unavoidable: Annex I Part 2 (1) requires manufacturers to identify and document the vulnerabilities and components of the product, including an SBOM in a commonly used, machine-readable format that covers at least the top-level dependencies. The SBOM lists all deployed components and dependencies and creates transparency, especially where many open-source components are used. It significantly simplifies identifying and remediating vulnerabilities and thereby strengthens security in the software supply chain. Comprehensive testing, not only of functionality but also of the security properties, reveals vulnerabilities and is mandated by the CRA (Annex I Part 2 (3)).
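To make the SBOM-based vulnerability identification described above concrete, here is an added example; it is not code from this article or from carbyte. It parses a constructed CycloneDX SBOM, walks nested components, and matches every versioned component against a constructed advisory feed with version-range constraints. CycloneDX is assumed as the machine-readable format; the component names, versions, and the ADV-xxxx advisory identifiers are placeholders, not real products or CVEs.

```python
"""Match a CycloneDX SBOM against a vulnerability feed.

Added example (not part of the original article): the SBOM, the component
names/versions and the advisory IDs below are constructed for illustration;
the ADV-xxxx identifiers are placeholders, not real CVEs.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM for a hypothetical device firmware.
# One component is nested and one has no version, so the matcher has to
# handle both cases.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "lwip", "version": "2.1.3",
     "purl": "pkg:generic/lwip@2.1.3",
     "components": [
       {"type": "library", "name": "vendor-crypto-blob"}
     ]}
  ]
}
'''

# Constructed advisory feed. "affected" holds comma-separated version
# constraints, all of which must hold for a version to count as affected.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "affected": ">=3.0.0,<3.0.8", "severity": "high"},
    {"id": "ADV-0002", "component": "zlib", "affected": "<1.2.12", "severity": "medium"},
    {"id": "ADV-0003", "component": "lwip", "affected": "<2.1.0", "severity": "high"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
_CONSTRAINT_RE = re.compile(r"^(<=|>=|==|<|>)?\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn '1.2.11' into (1, 2, 11); anything non-numeric is rejected."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _compare(a, b):
    """Compare version tuples, padding with zeros so that 1.2 == 1.2.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def version_matches(version, spec):
    """True if version satisfies every constraint in spec, e.g. '>=3.0.0,<3.0.8'."""
    current = parse_version(version)
    for clause in spec.split(","):
        m = _CONSTRAINT_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op = m.group(1) or "=="
        c = _compare(current, parse_version(m.group(2)))
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]:
            return False
    return True


def iter_components(components, depth=0):
    """Walk CycloneDX components recursively, yielding (component, depth)."""
    for comp in components:
        yield comp, depth
        yield from iter_components(comp.get("components", []), depth + 1)


def match_sbom(sbom_text, advisories):
    """Return (findings, unversioned): advisories that hit SBOM components, and
    the names of components that carry no version and so cannot be checked."""
    sbom = json.loads(sbom_text)
    findings, unversioned = [], []
    for comp, depth in iter_components(sbom.get("components", [])):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unversioned.append(name)
            continue
        for adv in advisories:
            if adv["component"] == name and version_matches(version, adv["affected"]):
                findings.append({"component": name, "version": version, "depth": depth,
                                 "advisory": adv["id"], "severity": adv["severity"]})
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["component"]))
    return findings, unversioned


if __name__ == "__main__":
    hits, unknown = match_sbom(SBOM_JSON, ADVISORIES)
    for f in hits:
        print(f"{f['severity']:<8} {f['advisory']}  {f['component']}@{f['version']} (depth {f['depth']})")
    for name in unknown:
        print(f"WARNING: {name} has no version in the SBOM and could not be checked")
```

Components without a version are reported rather than silently skipped, because an unversioned entry makes the SBOM useless for exactly the vulnerability tracking the CRA requires. In practice the advisory feed would come from a vulnerability database and the comparison would have to follow each ecosystem's versioning scheme; this example only supports dotted numeric versions and rejects anything else instead of guessing.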
The CRA also addresses updates: security updates must be provided without delay and, as a rule, free of charge (Annex I Part 2 (8)).
Finally, even the end-of-life process of a product is covered (Annex I Part 1 (2) m): users must be able to securely and permanently delete all data and settings and, where such data can be transferred to other products or systems, to transfer them securely.
Concrete additional regulations and guidance from the EU Commission as well as harmonized standards are planned but will likely take some time to materialize. Anyone hoping for clearer rules should not wait: those who hesitate too long risk a sales ban in the EU, because the deadlines stand even without detailed specifications (and assistance):
June 11, 2026: Chapter IV on conformity assessment bodies (Articles 35 to 51) applies, so notified bodies can be designated and begin assessing products against the CRA's requirements (Article 71 (2)).
September 11, 2026: The reporting obligations of Article 14 apply to all manufacturers of products with digital elements (Article 71 (2)): actively exploited vulnerabilities and severe incidents affecting the security of the product must be reported, starting with an early warning within 24 hours of becoming aware of them. A vulnerability management process must therefore be in place by this date; otherwise the reporting deadlines cannot be met.
December 11, 2027: All CRA requirements apply in full (Article 71 (2)).
The First Step Towards CRA Compliance
The first step could be a gap analysis, in which the current and target state are systematically assessed and compared. It forms the basis for the implementation plan and clearly highlights the largest discrepancies. Our tip: approach the topic systematically and in a structured way with an experienced partner, and allow enough time for implementation.
If you have questions on the topic or need assistance in implementing the CRA, please contact us: Friederike Schneider, Cybersecurity Expert & Manager, friederike.schneider@carbyte.de
For more information, please visit:
CRA legal text
BSI TR-03183 technical guidance
Definition of product classes