How to meet the requirements of the Cyber Resilience Act

CRA makes cybersecurity a prerequisite for accessing the EU market.

The Cyber Resilience Act (CRA) requires security to be built into every connected product. For many companies, this means new processes, roles, and routines. Here is how to move from regulatory requirements to concrete action.

“The Cyber Resilience Act is closely linked to CE marking, and therefore to the very ability to launch products within the EU,” says Isaac Caceres, security consultant, developer and embedded specialist at Assured. He works with penetration testing of IoT and hardware, as well as embedded development.

To comply with the regulation, companies need to establish a clear structure for cybersecurity in product development. This involves analyzing how work is done today and identifying which areas need to be strengthened.

“From there, you develop your processes — from design meetings and implementation to how security testing should be performed and documented. Everything must be written down, and it can take up to a year to get everything in place, so it’s important to start early,” says Isaac.

Once the current state has been mapped, the next step is to translate the analysis into practice. A good way to begin is with a feasibility study or gap analysis that clarifies which actions are required to meet CRA requirements. This lays the foundation for a systematic security effort throughout the product’s entire lifecycle.

Once the foundation is in place, the next step is understanding how the rules should be applied in practice. However, the boundary of what qualifies as a digital product can be difficult to define, creating room for interpretation for both companies and supervisory authorities.

“The regulation operates in shades of grey, and there are many pitfalls. It talks about digital elements rather than products. That actually covers anything that can connect to the internet — software, hardware without software, or even a video game,” says Isaac.

Testing as evidence — not just a check

To comply with CRA, companies must be able to demonstrate how security is integrated into development, not only at launch. This is where testing and verification play a crucial role.

Assured helps companies build security structures that work in practice — across all parts of their projects. By combining deep cybersecurity expertise with an understanding of regulatory requirements, we support customers in everything from IoT and embedded electronics to complex industrial systems. In other words, areas where precision, traceability, and clearly defined processes are essential to pass reviews and meet CRA requirements.

“We work with advisory services on how processes should be documented and applied, but above all with testing to optimize security,” says Isaac, adding:

“We want to be part of the development and help our customers meet the security challenges ahead. The requirements are high, and the sanctions can be significant if the rules are not followed.”

Moving toward a more secure industry

Isaac sees the regulation as a milestone that will raise the bar for the entire industry. It is not just about meeting legal requirements, but about building trust in products, digital infrastructure, and brands.

“CRA is not a simple process, but it will contribute to a more secure market. Many products have worked well but lacked basic protection. CRA makes security an integral part of product development. Today, for example, it may be possible to access a Wi-Fi network through an IoT product because security was not prioritized in electronics,” says Isaac.

Finally, Isaac emphasizes that new threats, new systems, and new technologies require continuous learning. He concludes:

“We have broad expertise and unique research collaborations. We constantly strive to learn more and stay up to date. Almost every day I learn something new. That is essential in IT security.”
