Cyber Resilience Act – What Needs to Be Done Now

The increasing interconnectedness and digitalisation of our society entail security risks. Many will probably still remember the spectacular cyberattacks of recent years, such as WannaCry, NotPetya or the SolarWinds attack.

The EU is responding to this with the Cyber Resilience Act (CRA), which already entered into force on 11 December 2024. Its aim is to establish uniform security requirements for products with digital elements and thus increase resilience against cyberattacks. The CRA is a regulation, not a directive. This means it applies directly in all EU Member States without the need for national implementation.

CRA: Manufacturers of digital products must take action

For manufacturers of digital products, this means: as of 11 September 2026, the first mandatory requirements, such as the reporting of vulnerabilities, will apply. From 11 December 2027, 36 months after the CRA entered into force, all requirements must be met in order for products to continue to be marketed within the EU. Depending on the product, adjustments will be necessary on both a technical and organisational level. The good news is that companies can rely on existing best practices and do not have to reinvent the wheel.

The Scope of the CRA and its product categories

The CRA regulation applies to products with digital elements, i.e. hardware or software that process digital data and can be connected: from smartphones and browsers to control systems in the industrial sector and critical components such as smart cards and hardware security modules.

Depending on the risk class, the depth of proof required for conformity varies: the CRA distinguishes between general products, products with a direct cybersecurity function, and highly sensitive applications in critical infrastructures. For critical products, external third-party testing is required, while general products only require a self-declaration.

The new obligations for manufacturers under the CRA

The obligations of the CRA can be divided into two areas:

  • the requirements for product security and
  • the requirements for manufacturer processes.

  1. The requirements for product security relate to the characteristics of the product, its technical security and its communication channels. The CRA sets out a whole range of demands: for example, the confidentiality and integrity of processed data must be ensured, protection against unauthorised access must be in place, and essential functions must remain available even in the event of an attack. Attack surfaces must be reduced, logging and monitoring capabilities must be available, and security updates must be provided.
  2. The requirements for manufacturer processes concern internal company procedures. Manufacturers must, among other things, introduce processes for the coordinated handling of vulnerabilities, establish vulnerability management, and comply with reporting obligations to authorities such as ENISA. The processes used to meet these requirements must also be documented in order to fulfil the obligation to provide evidence. This means that the CRA demands not only formal conformity but also functioning security processes.

The challenges of implementing the CRA

The main challenge for companies lies in the implementation of the regulatory requirements, as some of these are open to interpretation. For example, the CRA does not specify exactly how data integrity should be protected or how access to sensitive data should be controlled. The specific requirements are only briefly described and do not provide full clarity. Harmonised standards and guidance documents from the European Commission have not yet been published, and some are not expected until shortly before the CRA obligations finally take effect in December 2027.

The harmonised standards are divided into three categories:

  • Type A Standards (horizontal frameworks) define overarching principles and terminology but are not product specific.
  • Type B Standards (horizontal standards) set out product-independent requirements and focus on processes.
  • Type C Standards (vertical standards) concentrate on specific product families such as firewalls or control units and are intended to ensure full coverage of the requirements.

The publication of a planned Type A Standard is expected in August 2026, fourteen Type B Standards are to be published between September 2026 and October 2027, and one Type C Standard in October 2026.

The guidance documents have also not yet been published: so far, only a publication date has been announced for one guidance document on product classification – 11 December 2025.

Questions to be clarified by these documents include, among others, what obligations arise from the use of open-source components, when a product is considered to have undergone a substantial modification, and how a risk assessment can be carried out.

CRA: Initiating implementation with Best Practices

Waiting until all relevant documents are available is not an option. Those who start implementation early can avoid the high time pressure that will inevitably arise towards the end and prevent additional costs that come with delayed implementation. This can be achieved by companies aligning themselves with already established best practices and security standards such as the IEC 62443 series or industry-specific IoT guidelines. Many of the technical and organisational requirements of the CRA can already be met in this way. Many obligations, such as those concerning vulnerability management, can be fulfilled through existing processes.

Conducting a risk analysis at an early stage is crucial. It provides the foundation for identifying key assets to protect, existing threats, and critical vulnerabilities. Taking this proactive approach saves valuable resources and significantly reduces risk.

Find out more about CRA compliance and how achelos can support you in meeting the new requirements here: https://www.achelos.de/en/services-solutions/services/cyber-resilience-act/

Authors:
Philip Asmuth, Team Lead Security Architecture & Evaluation, achelos GmbH
Denis Bock, Sales Manager Cybersecurity, achelos GmbH


About achelos GmbH

“We provide enhanced security for a connected world!”
achelos GmbH is a consultancy and system house for cybersecurity and digital identities founded in Paderborn in 2008. The independent provider develops robust solutions and offers service packages in various expansion stages for secure products and applications. For our customers in healthcare, industry, the public sector, digital payments and telecommunications, achelos translates security standards into ready-to-use solutions – right through to compliance. They all benefit from this holistic approach – from consulting and planning to software development, certification, and secure operations. achelos is certified according to ISO 9001, ISO 27001 and Common Criteria and has a strong network of renowned partners. www.achelos.de

Company contact and publisher of this release:

achelos GmbH
Vattmannstraße 1
33100 Paderborn
Phone: +49 (5251) 14212-0
Fax: +49 (5251) 14212-100
http://www.achelos.de

Contact person:
Bianca Dören
Public Relations & Events
Phone: +49 5251 14212-341
Fax: +49 5251 14212-100
Email: bianca.doeren@achelos.de