The CRA as the Cornerstone of the EU Cybersecurity Ecosystem
Understanding the Cyber Resilience Act (CRA)
The CRA applies to an extremely broad category of products, essentially any product that includes or interacts with digital components. This includes devices and software that:
contain electronic or digital components,
process, transmit, or store data,
rely on network connectivity to operate effectively,
incorporate embedded or standalone software.
This scope spans everything from smart appliances, routers, wearables, industrial PLCs, medical software, and connected vehicles to enterprise security platforms, firmware, and cloud-managed systems. The CRA covers both hardware and software, including products distributed via digital channels.
The Four Objectives of the CRA
The regulation aims to create a deeply coordinated and transparent security ecosystem. Its four overarching goals are:
Reducing cybersecurity risks across the entire lifecycle – Manufacturers must address cybersecurity from the earliest design decisions through real-world deployment and long-term maintenance.
Harmonizing cybersecurity requirements across the EU internal market – The CRA replaces fragmented national initiatives with a common set of security requirements.
Increasing consumer and business trust – A higher and consistent baseline of security enables users to confidently choose compliant products.
Enhancing transparency and accountability – Manufacturers, importers, and distributors receive clearly defined legal obligations, minimizing ambiguity.
The CRA does not operate in isolation: it complements the NIS2 Directive, the EUCC (Common Criteria–based cybersecurity certification), the Radio Equipment Directive (RED), and sector-specific frameworks such as the Medical Device Regulation (MDR). Together, these policies form the backbone of the EU’s integrated approach to cybersecurity.
Core Elements of Compliance: Module A and the Presumption of Conformity
Conformity assessment under the CRA ensures that products meet the essential cybersecurity requirements listed in Annex I. These include secure development practices, vulnerability handling, secure default settings, protection against unauthorized access, and robustness against known attack methods.
Module A – Internal Production Control
Module A is one of the most commonly applicable conformity assessment routes. It requires manufacturers to:
conduct internal validation of cybersecurity requirements,
document development processes, design controls, and testing results,
maintain evidence of continuous compliance throughout the lifecycle,
demonstrate that post-market activities (e.g., patching, vulnerability response) meet regulatory expectations.
Module A places full responsibility on the manufacturer to implement a rigorous internal control system supported by accurate technical documentation.
Presumption of Conformity (PoC)
A product gains Presumption of Conformity when it complies with harmonized European standards (hENs) listed in the Official Journal of the European Union (OJEU). These standards are currently under development by CEN, CENELEC, and ETSI through the joint mandate M/606.
Once these standards are finalized and adopted:
manufacturers who apply them correctly gain PoC,
market surveillance authorities must assume the product meets essential requirements unless evidence suggests otherwise,
conformity assessment becomes more predictable and aligned across the EU.
However, because the hENs are still in development, their final structure, level of detail, and coverage remain subject to change. In areas where they do not fully cover Annex I requirements, manufacturers must conduct additional risk analysis, testing, or third-party evaluation.
Module A enables internal compliance validation, while adherence to upcoming harmonized standards grants a presumption of conformity. Source: Freepik
Manufacturer Obligations Under the CRA
The CRA introduces some of the most detailed and continuous cybersecurity obligations ever required by EU law. Manufacturers must:
Perform risk assessments for each product type and version, including threat modelling and attack-surface analysis.
Implement secure development processes, including secure coding, testing, code review, and configuration hardening.
Ensure vulnerability management, including coordinated vulnerability disclosure (CVD) processes, monitoring, and continuous security patching.
Provide regular security updates and maintain support throughout the product lifetime.
Create comprehensive technical documentation according to Annex II.
Issue an EU Declaration of Conformity and affix CE marking before market placement.
Notify authorities of actively exploited vulnerabilities and security incidents without delay.
Manufacturers must also ensure that their partners (importers, developers, integrators, distributors) meet their own CRA obligations. This creates an ecosystem-wide chain of accountability.
Independent security laboratories and conformity assessment bodies play an essential role in verifying the maturity of manufacturers’ cybersecurity processes, offering structured testing and expert guidance.
Conclusion
The Cyber Resilience Act sets a new cybersecurity baseline for all digital products placed on the EU market. It reshapes how manufacturers design, develop, and support their products, making cybersecurity a legal prerequisite rather than an optional enhancement.
Key upcoming milestones include:
the finalization and publication of harmonized standards,
the establishment of notified bodies for CRA assessments,
alignment of lifecycle processes and vulnerability management workflows,
preparation for the CRA’s full applicability starting 11 December 2027.
Organizations that begin adapting now by improving secure development, documentation quality, and lifecycle security processes will not only achieve compliance but also position themselves as trusted leaders in the evolving European digital landscape.
How QIMA CCLab Supports CRA Compliance
As an accredited cybersecurity laboratory with extensive experience in the evaluation of digital products and security standards, QIMA CCLab provides comprehensive support to manufacturers preparing for CRA compliance.
Our services include:
CRA Gap Analysis – assessing the current state of product cybersecurity compared to CRA standards.
Conformity Assessment Support – guiding manufacturers through Module A documentation, internal controls, and lifecycle processes.
Testing and Consulting Based on hEN Development – aligning security practices with emerging standards from CEN/CENELEC/ETSI.
Lifecycle and Vulnerability Management Assessment – evaluating patching processes, incident response workflows, and secure update mechanisms.
Training and Capacity Building – helping teams understand CRA requirements and integrate them into secure design and development workflows.
QIMA CCLab acts not only as a testing laboratory but also as a strategic partner, supporting companies from early design stages through final evaluation, enabling them to create secure, compliant, and resilient products.
FAQ
When does the Cyber Resilience Act (CRA) become fully applicable?
While the CRA formally entered into force on 10 December 2024, it will only become fully applicable on 11 December 2027. This three-year transition period allows manufacturers to adjust their development and support processes. After this date, any product with digital elements that is not compliant with CRA requirements cannot be legally placed on the EU market.
How are the Radio Equipment Directive Delegated Act (RED-DA) and the CRA related?
Both the RED-DA and the CRA impose mandatory cybersecurity requirements enforceable via CE marking. The RED-DA applies to internet-connected radio equipment, while the CRA applies to all digital products, including software. The RED-DA will be repealed on 11 December 2027, the same day the CRA becomes fully applicable, allowing the CRA to take precedence and create a single streamlined cybersecurity framework.
How do harmonised standards (hEN) support CRA compliance?
Harmonised standards form the technical backbone for demonstrating CRA compliance. The EN 18031 series—originally used for RED-DA—is expected to form the basis for future CRA harmonised standards. By following these standards once they are published in the Official Journal of the European Union, manufacturers can gain a "Presumption of Conformity." (Important note: Currently, no harmonised standards exist under the CRA, so manufacturers must rely on alternative assessment methods until they are finalised).
Related Articles
