The Cyber Resilience Act (CRA) changes how digital products are developed and approved within the EU. The regulation introduces new requirements for security, documentation, and traceability. Anyone who manufactures or sells connected products needs to start preparing now.
CRA will strengthen protection for both users and companies by introducing cybersecurity requirements as early as the design and development phase. The regulation covers all connected products, from consumer electronics to industrial systems, and is expected to be fully applicable in 2027.
As it is an EU regulation rather than a directive, it applies directly in all member states without the need for national implementation. This means the requirements are binding for manufacturers and suppliers within the EU—and compliance cannot be postponed or vary between countries.
Requirements for traceability and reporting
One of the most central requirements in the Cyber Resilience Act is traceability. Companies must be able to demonstrate which components, libraries, and third-party solutions are used, and that they meet equivalent security levels.
The regulation also requires clear procedures for how vulnerabilities are to be discovered and reported.
“Developers have a major responsibility here. They must identify and report vulnerabilities and always maintain a public website where customers and users can report security issues,” says Isaac Caceres, electronics engineer, security consultant, and embedded specialist at Assured.
Cybersecurity becomes part of CE marking
CE marking means that a product meets the EU’s requirements for safety, health, and environmental protection and can be freely sold on the internal market. With CRA, cybersecurity becomes part of that process.
“In the electronics industry, security has sometimes been given the lowest priority. CRA changes that. It now becomes a mandatory step,” says Isaac.
CRA is also part of the EU’s broader efforts to strengthen digital resilience. The regulation not only complements the NIS2 Directive but is also closely linked to the AI Act and the Data Act. Together, they form a common framework for secure and sustainable digitalization across the EU.
Four security classes – different testing requirements
CRA divides products into four security classes: Default, Important Class I, Important Class II, and Critical. The requirements for testing and external review increase step by step between the classes.
- Default: products in this category do not require third-party assessment but must meet the basic security requirements and be tested by the developer.
- Important Class I: requires third-party assessment only if the product does not follow harmonized standards or common specifications.
- Important Class II: always requires testing by an independent third party, even when harmonized standards are followed.
- Critical: requires compliance with harmonized standards, third-party testing, and certification by an authorized Conformity Body (EUCC).
The regulation covers everything from simple connected devices to systems that are critical for network and information security. Examples of products in the higher classes include firewalls, network routers, and other solutions that handle sensitive data. For these, manufacturers must submit complete documentation to the responsible authority before the product can be placed on the EU market.
More than just tech companies are affected
CRA does not only impact pure technology companies. Businesses that manufacture products with connected components—such as machinery, vehicles, or household appliances—must also implement structured cybersecurity processes.
For many, this means a new way of working. Security testing, documentation, and risk management need to be integrated into product development from the very beginning. It is not only about compliance, but about creating trustworthy and long-term sustainable products.
“There is help available to build the routines and processes that must be in place. It is about secure by design—security must be present throughout the entire process. IT security, approved design stages, testing, and troubleshooting must all be in place. A product must not contain known vulnerabilities when it is launched,” Isaac concludes.
Cyber Resilience Act at a glance:
- Applies to all connected products—both hardware and software
- Introduces cybersecurity requirements throughout the product lifecycle
- Requires supply chain traceability and open vulnerability reporting processes
- Becomes part of the CE marking process
- Four security classes with different levels of testing and third-party assessment
- Complements the NIS2 Directive but targets manufacturers rather than organizations
- Full application of CRA is expected in 2027
How Assured can help you comply with the Cyber Resilience Act
Assured supports your organization throughout the entire journey toward compliance with the Cyber Resilience Act — from early analysis and design to testing, validation, and market launch. Our work is based on secure by design and tailored to both technical conditions and regulatory requirements.
We offer strategic advisory services related to CRA, helping you interpret the regulation, identify which requirements apply to your specific products, and translate them into practical, actionable measures. This includes support with product classification, supply chain traceability, and the establishment of processes for vulnerability management and reporting.
Within secure architecture and design, we help build robust solutions from the very beginning. Our consultants have deep technical expertise in embedded and IoT security, including secure update mechanisms, identity management, and protection of communication between components and cloud services. For software-intensive products, we also offer expertise in secure development and application security, covering embedded systems, backend services, and associated mobile apps and web interfaces.
To verify that the requirements are truly met, we perform penetration testing and security assessments of both hardware and software. This ranges from embedded and firmware testing to assessments of APIs, cloud services, and mobile or web applications. We also conduct validation and verification testing to support CE marking and external reviews, with clear documentation adapted for authorities and conformity bodies.
With Assured, you gain a partner that combines regulatory understanding with hands-on, technical security expertise — from chip to cloud. The goal is not only to comply with the Cyber Resilience Act, but to create secure, trustworthy, and long-term sustainable products for the EU market.
Contact us or fill out the form below to discuss how we can help you meet cybersecurity requirements and secure your products.
