Webinars

Getting Started with the EU Cyber Resilience Act (CRA) for Secure Product Development and Compliance

Getting Started with the EU Cyber Resilience Act (CRA) for Secure Product Development and Compliance
Show Description

The webinar, hosted by Mafalda, Product Manager at Keysight Device Security (formerly Riscure), provided a comprehensive overview of the Cyber Resilience Act (CRA), its impact on manufacturers and stakeholders, and practical steps to prepare for compliance. The session combined regulatory background, process explanations, case studies, and actionable guidance to help organizations navigate the CRA effectively.

 

CRA in Context

 

The Cyber Resilience Act is part of the European Commission’s cybersecurity strategy, designed to address rising cyber threats and safeguard both consumers and businesses. Unlike earlier directives, the CRA explicitly requires security throughout the entire product lifecycle—from design and development to deployment, maintenance, and eventual decommissioning.

 

CRA applies to all products with digital elements placed on the EU market, covering hardware, software, and even subcomponents sold independently. Security must be “by design and by default,” with manufacturers obliged to ensure that no exploitable vulnerabilities exist at market release and to maintain security through updates and vulnerability management during the product’s life.

 

Key Stakeholders

 

The CRA ecosystem involves several actors:

  • Manufacturers, importers, and distributors – Ultimately responsible for compliance, whether producing, importing, or selling the product.
  • Notified bodies – Independent assessors for higher-risk products requiring third-party evaluation.
  • Security labs – Provide vulnerability testing, assessments, and advisory services (Keysight offers this and aims to become a notified body).
  • ENISA – The EU cybersecurity agency responsible for maintaining a vulnerability database and receiving incident reports.
  • European Commission – Sets policies, issues harmonized standards, and oversees enforcement.
  • National authorities – Enforce CRA locally, conducting audits, imposing fines, and recalling non-compliant products.

 

Requirements Under CRA

 

CRA imposes obligations across multiple dimensions:

  • Security by design – Threat modeling, secure access control, encryption, tamper protections, and current software/firmware updates.
  • Lifecycle obligations – Continuous vulnerability monitoring, reporting, and patching, including updates to Software Bills of Materials (SBOMs).
  • Evidence and conformity – CE marking supported by technical documentation and risk analysis.
  • Reporting – Vulnerabilities must be disclosed to ENISA within strict timelines (e.g., 24 hours for critical issues; fixes required within one month).
  • Support duration – Manufacturers are obliged to provide long-term updates, typically at least five years.

 

Timelines

  • September 11, 2026 – Manufacturers must begin vulnerability reporting and set up incident disclosure processes.
  • December 11, 2027 – Full CRA obligations apply.
  • The message emphasized early preparation: waiting until 2027 will create bottlenecks due to limited notified body capacity and the scale of compliance required across the EU.

 

Categorization and Compliance Pathways

 

Products are categorized into Default, Important Class I, Important Class II, and Critical, depending on risk level. Categories determine the assessment pathway:

  • Default products may undergo self-assessment (Module A).
  • Higher categories require third-party evaluation via Module B+C (per product certification) or Module H (quality management system certification).
  • Harmonized standards (41 total, with horizontal and vertical applicability) are being developed to provide detailed technical requirements, with phased releases expected between 2025 and 2027. Until then, organizations can rely on guidance such as BSI 03183 covering SBOMs and vulnerability reporting.

 

CRA Process Overview

 

A typical CRA compliance process involves:

  • Product portfolio review – Identify which products qualify as digital products under CRA.
  • Scope determination – Confirm if products fall under CRA or are exempt (e.g., medical, automotive, aviation sectors already regulated separately).
  • Categorization – Assess the risk category to determine required conformity path.
  • Risk assessment (TARA) – Define attackers, threats, and security goals.
  • Development and SBOM creation – Document all software elements and manage vulnerabilities.
  • Testing and validation – Conduct functional and penetration testing.
  • Market release – Prepare CE marking, declarations, and evidence.
  • Maintenance – Continuously update SBOMs, monitor vulnerabilities, and patch products during their lifecycle.
  • Decommissioning – Support products beyond market withdrawal for at least five years.

 

Business and Strategic Impacts

 

CRA affects organizations beyond technical compliance:

  • Risk of non-compliance – Fines up to €15M or 2.5% of global turnover, plus reputational damage.
  • Competitive advantage – Early adopters can use CRA readiness to build customer trust, differentiate in procurement, and secure smoother EU market access.
  • Organizational reach – Product management, engineering/security, compliance teams, and supply chains are all impacted. Vendors must ensure third-party components meet CRA standards through updated contracts and oversight.

 

Case Studies

 

Four hypothetical scenarios highlighted common challenges.

 

Challenges and Unclear Areas

 

Several evolving aspects remain:

  • Harmonized standards – Still under development until 2027.
  • Notified bodies – None designated yet, though expected soon.
  • Open-source software – Presents major compliance challenges, as most products integrate open-source code with delayed patch cycles. CRA will enforce faster vulnerability reporting and fixes.
  • Interplay with other certifications – CRA may recognize schemes like EUCC or SESIP, but official designations are pending.
  • Market surveillance and enforcement practices – Yet to be fully defined.

 

Key Takeaways

  • CRA is mandatory for all digital products sold in Europe.
  • Preparation must start early—2026 obligations loom and 2027 full enforcement leaves little room for delays.
  • Compliance requires both technical measures (threat modeling, SBOMs, patching) and organizational processes (supply chain alignment, documentation, evidence).
  • Keysight offers services including CRA readiness assessments, SBOM tooling, and vulnerability operations support.
  • By addressing CRA proactively, organizations can not only avoid regulatory risks but also build trust, strengthen resilience, and gain competitive edge in the European market.