adesso Blog

Connected products are standard today—from machines and systems to embedded devices, cloud platforms, and IoT platforms. At the same time, the pressure is mounting: customers expect secure products, cyberattacks are on the rise, and the EU is significantly tightening regulatory requirements.

With the Cyber Resilience Act (CRA), product cybersecurity is being given a binding, Europe-wide framework for the first time. The CRA is already in force, and the first measures must be implemented within a few months!

In our view, the CRA is not unnecessary micromanagement; rather, it offers manufacturers the opportunity to differentiate themselves in the market through high-quality products with strong security. What matters is whether a company treats the CRA as a mere formality or as a lever for better, more robust products.

Below, we explain the CRA, show who is affected and why software and hardware manufacturers should act now, and describe how adesso supports them in doing so.

What is the Cyber Resilience Act?

The Cyber Resilience Act is an EU regulation that governs the cybersecurity of “products with digital elements.” This refers to products that send, receive, or process data—in other words, practically all connected hardware and software products.

The CRA’s objectives are:

  • fewer vulnerabilities in products placed on the market in the EU
  • greater cybersecurity for consumers and businesses
  • a uniform legal framework for the entire EU single market instead of a patchwork of national regulations

Manufacturers must, among other things, ensure that:

  • their products meet basic cybersecurity requirements
  • risks are considered throughout the entire product lifecycle
  • security updates are provided
  • actively exploited security vulnerabilities are reported and remedied

Important: The CRA does not regulate the operation of IT and OT infrastructures—other regulations, such as the NIS2 Directive, apply to that. The CRA’s focus is clearly on the products themselves.

Who is affected by the Cyber Resilience Act?

The CRA specifies the requirements for manufacturers of products with digital elements that are placed on the EU internal market. This also means that manufacturers outside the EU who wish to place their products on the EU internal market are affected. Affected products include, for example:

  • Machines, systems, and embedded systems with connectivity
  • Control systems, gateways, sensors, and networked components
  • Software products, firmware, apps, and cloud services that are part of a product and necessary for its functionality
  • IoT platforms and digital services required for a product to function

In addition to manufacturers, the CRA also applies to:

  • Importers: They must ensure that only compliant products enter the EU market.
  • Distributors: They bear responsibility in the supply chain and must not distribute products that are clearly non-CRA-compliant.

The CRA will also become part of the CE marking. As with other product regulations (Machinery, Radio Equipment Directive / RED), conformity is declared through an EU declaration of conformity, issued individually for each CE-marked product placed on the market. This means that violations of the CRA can be punished with fines or even bans.

When do I need to take action?

The CRA entered into force on December 11, 2024. Two dates are crucial for manufacturers:

September 11, 2026

As of this date, the reporting obligations under Article 14 already apply. This concerns actively exploited vulnerabilities in products with digital elements that fall within the scope of the CRA—including products already on the market.

December 11, 2027

As of this date, the CRA is fully applicable. All new products with digital elements placed on the market from this point forward must comply with the CRA’s requirements.

This means that the reporting obligation takes effect in just 6 months. There is therefore an urgent need for action, particularly in the context of complex networked systems and IoT solutions. We are already hearing from our customers that the first audits or customer inquiries are on the table.

The CRA affects many areas within a company

The CRA affects not just a single project or department, but the entire company. The most important areas and topics that must be addressed are:

  • Organization & Processes
    • Defined roles and responsibilities (Product Security Officer)
    • Established reporting channels for security incidents and vulnerabilities
    • Documentation that supports both development and compliance
  • Product Development & Architecture
    • Threat analyses and risk assessments for products
    • “Security by Design” and “Security by Default” in development and architecture
    • Handling of open-source components and third-party software
  • Secure Development Lifecycle (DevSecOps)
    • Integration of security tests (SAST/DAST, dependency scans, SBOM) into the CI/CD pipeline
    • Clear processes for vulnerability management and patch development
  • Operation and Support
    • Definition of support and update periods
    • Structured handling of legacy products still in the field

Overcoming the challenges of the CRA together with adesso

Drawing on our expertise gained from countless projects, the development and operation of modern IoT platforms, and our own product development of the Smart Product Platform, we have developed the adesso Secure Software Development Life Cycle process for smart products. Through this, adesso supports manufacturers every step of the way towards CRA compliance – from the initial assessment to ongoing, secure operation.

Gap analysis

  • Analysis of your products with digital components and their architecture
  • Assessment of existing processes in development, operations, and support
  • Comparison with CRA requirements and relevant standards (e.g., IEC 62443, ISO 27001)
  • Clear overview: Where do you stand today? Where are the gaps? What is already in place?

Planning measures

  • Prioritising areas of action, taking into account product strategy and the roadmap
  • Defining a pragmatic implementation plan – from MVP to a scalable solution
  • Coordinating with stakeholders from development, IT, OT, legal and management

Implementing measures

  • Establishing a secure development lifecycle for your hardware and software products
  • Adapting architecture, toolchains and processes (e.g. SBOM, vulnerability management, reporting)
  • Implementation of security mechanisms in embedded systems, cloud backends and IoT platforms
  • In doing so, we draw on our experience from software engineering, IoT and platform projects – from the edge to the cloud.

Continuous implementation & CRA-compliant operations

  • Establishment of a structured vulnerability and patch management system
  • Support with audit preparation and CE conformity assessment
  • Ongoing refinement of processes and solutions as the threat landscape or regulatory requirements change

If you would like to find out more, please do not hesitate to contact us.





Author Dr. Olaf Neugebauer

Dr Olaf Neugebauer has been active in the field of cyber-physical systems, compilers and compiler-based optimisation methods for many years. In recent years, he has focused more on IoT and related topics. As head of the Competence Center IoT at adesso, he looks after all topics related to machine data acquisition and its evaluation.


