
The EU’s CRA requires compliance: are you ready?


The European Union’s Cyber Resilience Act, or CRA, entered into force in December 2024. Organizations that manufacture, import, or distribute products with digital components in the EU’s single market must start reporting by September 2026, and must be compliant by end-2027. Failure to comply has consequences, including being unable to sell your products in the single market. Finding your way to compliance requires knowledge of all the various regulations.

The European Union (EU) brought a new law into effect at the end of 2024. Called the Cyber Resilience Act (CRA), it “aims to safeguard consumers and businesses buying software or hardware products with digital elements.” [1]

Among other things, the CRA is designed to tackle what it sees as inadequate levels of cybersecurity in certain products. Another issue it seeks to address is a lack of timely security updates. Crucially, it admits that consumers and indeed certain businesses have challenges in ascertaining which products are cybersecure enough for their needs. By doing all of this, it is hoped that end users will find it easier to locate and utilize hardware and software that is equipped with the necessary cybersecurity; in other words, to identify those products that are “cyber resilient.” The plan is to provide a greater measure of cybersecurity – including cloud security – across the EU and the digital single market.

While this sounds wonderful for end users, it is also a fact that organizations that produce, import, or distribute products covered by the CRA could have a problem on their hands. The CRA stipulates that entities with affected products must start reporting by September 11, 2026, and must be compliant by a hard deadline of December 11, 2027.

Non-compliance could be met with a slap on the wrist, a financial penalty, or – worst of all – the denial of a CE mark, without which products in certain categories cannot be sold in the EU market. The lack of a CE certification can really affect the functioning of an organization. While end-2027 may seem quite far away, that period of time can pass quickly if you’re not prepared.


Who is affected?

Keep in mind that these stipulations are not just for manufacturers: if you’re importing or distributing affected products into the EU, then you’re subject to the CRA. Further, this doesn’t just apply to hardware and software. Data processing solutions that are essential to a product’s functionality are also covered, and so are cloud-connectivity products.

There are exceptions. Products that are already subject to regulation in areas that have highly developed cybersecurity parameters are exempt. These fields include national security and defense, aviation, and the automobile sector. The reasoning is that the compliance they already do is more than enough to meet CRA’s standards.

However, for everyone else, the CRA applies. And if it applies to your organization and its products, you have a duty of compliance.

Knowledge is key to compliance

For those companies and organizations that operate in areas regulated by CRA, education is key. “Identify where your organization is on its journey,” affirmed Rodrigo do Carmo, Principal Consultant at secunet. “You must know your own products, and where the regulation applies to them. Only then can you start preparing to be compliant.”

Keep in mind that the regulation applies to each product, and not to its parent product line. Each discrete product you manufacture, import, distribute, move, or sell has to be compliant with the CRA. In this context, it may be helpful to set out the categories of products the CRA has identified, and what level of certification and compliance is required within each of them.


Know where you stand

As mentioned earlier, the CRA’s standards apply to hardware, software, and cloud-connectivity components and products. Within those, there are three categories, differentiated by the level of reporting and certification they require. As things currently stand, the EU has also specified which bodies, and in which countries, will act as certifiers.

  1. The default category is just that: all products with “digital” components.
  2. Important products are divided into Class 1, which covers security-related products such as password managers, browsers, and security information and event management (SIEM) systems; and Class 2, which includes security components such as firewalls, intrusion detection and prevention systems, and hypervisors.
  3. Critical products, which include those products where security is held to be central or integral; these could include smart meter gateways and smart cards.

The level of conformity assessment depends on which product category your product falls into. In the default category, a self-assessment may suffice to satisfy the CRA’s requirements – though do Carmo pointed out that the responsible regulatory authority can always ask for more information, or indeed check whether your organization is really doing what it says it is. For the important and critical categories, a formal certification process is required.

“The CRA does not prescribe a certain methodology for cybersecurity risk assessment,” noted do Carmo. “You may be able to work it out for yourselves. But you need to navigate the CRA very carefully to work this out, and at every stage of your process, whether in manufacturing, import, logistics, et al.” The penalty for failure could be punitive.

Person using a smartphone and smartwatch outdoors for data visualization.

Preparing for CRA

“Cybersecurity needs to be a strategic aim across your organization,” emphasized do Carmo. A technical fix for a particular product may work in certain categories and for smaller companies, but a larger company with a longer product list is going to need to address what CRA requires at a deeper level.

It isn’t just the products. “Information security includes risk and vulnerability management,” stated do Carmo. “These are crucial for a holistic cybersecurity strategy.” Having strategies in place to deal with attacks, breaches, and breakdowns won’t be exceptions: they’ll be base expectations. Indeed, vulnerability management is written into CRA’s requirements. Many organizations aren’t set up to do that at the current moment. This needs to change.

Again, knowing where you stand is crucial. “A gap analysis is a first step to seeing where you actually are in relation to the requirements of the CRA. Once vulnerabilities are identified, risks can be assessed and concrete measures agreed upon,” said do Carmo.

Guidance key to navigating CRA

Working out what the standards are is part of the issue. The sheer number of regulations can be daunting, and they apply across the board, from IT to OT systems and beyond. Among other regulatory standards, NIS2 (the EU’s Network and Information Security Directive), RED (Radio Equipment Directive), GDPR (General Data Protection Regulation), and the new Machinery Regulation (EU) 2023/1230 all need to be complied with.

Existing and well-accepted standards and guidelines can help, including IEC 62443 and ISO/IEC 27001. However, there is every likelihood that navigating these regulatory waters isn’t part of your organization’s skill set. A partner with a strong background and expertise across these fields can be a valuable asset.

Among others, secunet is more than qualified to be that consulting partner. With 28 years of experience and over 1,000 employees across 12 sites, it counts over 500 clients from both the public and private sectors, including federal ministries of EU member states. It has delivered its expertise across fields as diverse as defense, space, healthcare, and areas identified by the authorities as being “critical infrastructure.” It is uniquely suited to be your consultant as you move forward on your journey to compliance with the CRA.

Key takeaways

  • Aside from a few key industries where stringent cybersecurity rules already apply, for example defense, aviation, and the auto industry, CRA will apply across the board, to each product, and not a class.
  • There are three categories of products: those in the lowest grade can be self-certified, while those in the highest grade need to be certified as compliant by an outside authority, licensed to do so by the EU. Identifying where you stand is important.
  • Even if you think you’re compliant, an analysis of where you actually are may be required, including setting up processes such as vulnerability handling. This needs to be part of your strategy. If you haven’t started the process, the clock is ticking.

[1] Cyber Resilience Act, European Commission, https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

Published: 19/03/2026
