
Cyber Security
Cyber Resilience Act (CRA) – What does it mean for your company?
Jul 22, 2025
Authors
Friederike Schneider
Expert Cyber Security
In 2020, the European Union paved the way for the Cyber Resilience Act (CRA) with the publication of the EU Cybersecurity Strategy, responding to the increasing digitalization of all areas of life and the rising threat level in cybersecurity. Four years later it arrived: the CRA entered into force in the EU in December 2024 and affects manufacturers, vendors (distributors) and importers of products with digital elements. It is therefore relevant for almost every company that places hardware or software products on the EU market, from IoT devices to industrial controllers, from laptops to baby monitors, and regardless of company size: start-up, SME or large corporation. A rough estimate puts this at several tens of thousands (!) of companies in Germany alone.
Why the CRA should be implemented
A rigorous implementation of the CRA is advisable not only because of the potential penalties, but mainly because without CRA conformity there is no CE marking, and the CE marking is a prerequisite for placing products with digital elements on the EU market. The essential cybersecurity requirements of the CRA are the same for every product, regardless of whether it is classified as a default (non-listed), important or critical product; what changes with the classification is the conformity assessment route. For "important" products, such as operating systems, password managers and network devices like firewalls or switches, stricter conformity assessment rules apply. Critical products must additionally be assessed by a notified body (or certified under a European cybersecurity certification scheme once one has been specified). A product is classified as critical only if essential entities depend on it or if security incidents and exploited vulnerabilities in it could lead to serious disruptions of critical supply chains across the internal market.
National and international cybersecurity regulations for companies or products that are already in force remain valid and are unaffected by the CRA. The goal of the CRA is not to make the regulatory jungle even more impenetrable for companies, quite the opposite: it serves as an overarching framework by covering all products with digital elements that have not previously been subject to cybersecurity regulation. This also reaches suppliers, for example of automotive components with digital interfaces that were not directly covered by the automotive regulation UN Regulation No. 155 (UN R155); products that already fall under the EU vehicle type-approval rules are, however, excluded from the CRA's scope (Article 2(2)). The result is a comprehensive, holistic regulatory approach to cybersecurity that applies equally to manufacturers, distributors and importers. Importing unregulated, "unsafe" products from outside the EU is no longer possible. From the consumer's perspective this is good news; affected companies, however, are likely to experience uncertainty at first.
How can the CRA be implemented?
In recent months our LinkedIn timelines have been full of posts, webinars and offers about the CRA. Despite this flood of information, hardly anyone seems to know what companies specifically need to do now to comply with the regulation and avoid penalties.
From our perspective, an approach to implementing the CRA can best be traced along the classic, greatly simplified, Security Engineering Process (SEP) shown in Diagram 1. This makes clear that the CRA is comprehensive in two respects. First, in its scope across industries, company sizes and national borders. Second, across the product lifecycle: from design, including conception and risk analysis, through specification and implementation, to testing. Beyond the SEP, the CRA also covers commissioning, updates and the phase-out of products. Following the credo "Security by Design", the CRA requires security to be considered in every phase, which enables a holistic approach.

Diagram 1: Security Engineering Process (SEP)
The most important foundation is risk management: the goal is to systematically identify, evaluate and control risks throughout the product lifecycle. A Threat Analysis and Risk Assessment (TARA), as known from ISO/SAE 21434, is the established method for this (Annex I Part I (1); the manufacturer's cybersecurity risk assessment itself is required by Article 13(2)). Structured risk analysis provides the decision basis for which measures are necessary and how they should be prioritised. It is important that the risk analysis identifies concrete attack paths and makes the effect of each countermeasure on the residual risk visible.
In the second step, the measures derived from the risk analysis are implemented by following the SEP (Annex I Part I (2) (e) and (f), among others). The CRA also demands comprehensive vulnerability management: products must be made available without known exploitable vulnerabilities (Annex I Part I (2) (a)), and the manufacturer must meet the vulnerability handling requirements of Annex I Part II. Creating and maintaining a Software Bill of Materials (SBOM) in a commonly used, machine-readable format that covers at least the top-level dependencies is mandatory for this (Annex I Part II (1)); it lists the components and dependencies used and provides transparency, especially where many open-source components are involved. With an SBOM, a newly published vulnerability can be matched against the exact component versions shipped in a product, which greatly speeds up identification and remediation and strengthens the security of the software supply chain. Comprehensive testing, not only of functionality but also of security, reveals vulnerabilities and is mandated by the CRA (Annex I Part II (3)).
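As an added example (not code from the original article or from carbyte), the following Python script shows how an SBOM is used in vulnerability management: it parses a CycloneDX JSON SBOM, constructed inline here with hypothetical component names and advisory IDs, and matches every component version against an advisory list with affected version ranges. A component listed without a version is reported separately, since it cannot be matched at all; that is the kind of SBOM quality issue a manufacturer must catch before a vulnerability handling process can rely on the SBOM.

```python
"""Match a CycloneDX SBOM against known vulnerabilities.

Added example, not code from the original article or from carbyte. The SBOM
and the advisory entries below are constructed for illustration (hypothetical
component names and advisory IDs); a real pipeline would load the SBOM emitted
by the build and advisories from a vulnerability database.
"""
import json
import re

# Constructed CycloneDX 1.5 JSON SBOM fragment (not a real product's SBOM).
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo",  "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "zlibish", "version": "1.3.0",
     "purl": "pkg:generic/zlibish@1.3.0"},
    {"type": "library", "name": "tlslite", "version": "0.9.1",
     "purl": "pkg:generic/tlslite@0.9.1"},
    {"type": "library", "name": "jsonlib", "version": "2.0.0"},
    {"type": "library", "name": "legacyutil"}
  ]
}
'''

# Constructed advisories with hypothetical IDs: a component is affected if
# introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "name": "libfoo",  "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "EXAMPLE-2025-0002", "name": "tlslite", "introduced": "0.0.0", "fixed": "1.0.0"},
    {"id": "EXAMPLE-2025-0003", "name": "zlibish", "introduced": "1.0.0", "fixed": "1.2.9"},
]


def parse_version(version):
    """Turn '1.2.3' into a comparable tuple; numeric parts compare as numbers.

    Simplification: pre-release tags (e.g. '-rc1') are compared as strings
    after the numeric parts and do not follow full semver precedence.
    """
    key = []
    for part in re.split(r"[.\-+]", version):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(key)


def is_affected(version, introduced, fixed):
    """True if version lies in the half-open affected range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_text):
    """Parse CycloneDX JSON and return its component list."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return bom.get("components", [])


def match_advisories(components, advisories):
    """Return (findings, unassessable).

    findings: components whose version falls into an advisory's affected range.
    unassessable: components without a version, which cannot be matched and
    therefore point to a defect in the SBOM itself.
    """
    findings, unassessable = [], []
    for comp in components:
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unassessable.append(name)
            continue
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings, unassessable


def scan(sbom_text=SBOM_JSON, advisories=ADVISORIES):
    """Entry point: parse the SBOM and match it against the advisory list."""
    return match_advisories(load_components(sbom_text), advisories)


if __name__ == "__main__":
    found, unknown = scan()
    for f in found:
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for name in unknown:
        print(f"{name}: no version in SBOM, cannot assess")
```

Run with python3: the constructed data yields two affected components (libfoo and tlslite), one component that is out of the affected range (zlibish 1.3.0) and one that cannot be assessed because the SBOM carries no version. In practice the advisory list is fed from a vulnerability database and the check is rerun on every build and whenever new advisories are published, so that the reporting and update obligations can be met within their deadlines.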
The CRA also addresses updates: security updates must be provided without delay and, unless otherwise agreed, free of charge (Annex I Part II (8)).
Finally, even the end of life of a product is addressed (Annex I Part I (2) (m)): users must be able to securely and permanently remove all data and settings, and where such data can be transferred to other products or systems, this must be possible in a secure manner.
Further implementing acts and guidelines from the EU Commission, as well as harmonised standards, are planned but will probably take an indefinite amount of time to arrive. Anyone hoping for clearer rules should not wait: those who hesitate too long risk a sales ban in the EU, because the deadlines apply even without more concrete guidance (and support):
June 11, 2026: Chapter IV (Articles 35 to 51) on conformity assessment bodies (CABs) applies, so that bodies can be notified and assess products against the CRA requirements (Article 71(2)).
September 11, 2026: The reporting obligation of Article 14 applies to manufacturers: actively exploited vulnerabilities and severe incidents must be reported, with an early warning within 24 hours of becoming aware and a notification within 72 hours (Article 71(2)). A working vulnerability management process must therefore be in place by this date; otherwise the reporting deadlines cannot be met.
December 11, 2027: All CRA requirements apply in full (Article 71(2)).
The first step towards CRA compliance
The first step could be a gap analysis: the current state and the target state are systematically recorded and compared. This forms the basis for the implementation plan and clearly shows the largest deviations. Our tip: approach the topic systematically and in a structured way with an experienced partner, and plan sufficient time for implementation.
If you have questions about this topic or need assistance in implementing the CRA, please contact us: Friederike Schneider, Cybersecurity Expert & Manager, friederike.schneider@carbyte.de
For more information, see:
CRA legal text
BSI TR-03183 technical guidance
Definition of product classes