No market approval without cybersecurity: How companies can successfully implement the CRA

Tanja Sommer

The new Cyber Resilience Act will be a prerequisite for the award of the “CE” mark, meaning that devices with cyber vulnerabilities will no longer be allowed to be sold in the EU.

The European Commission's Cyber Resilience Act (CRA), which was adopted on December 10, 2024, and will come into force with a transition period, represents the most comprehensive regulation on cybersecurity for connected products in Europe to date. Time is running out for manufacturers of embedded systems and devices for the Internet of Things (IoT) and Industrial IoT, as the new security requirements must be taken into account during development (security by design). The first regulations will apply from September 2026 and all remaining regulations from December 11, 2027. From this date onwards, all connected products must fully comply with the cybersecurity requirements of the Cyber Resilience Act. Manufacturers, importers, and distributors are required to comply: without CRA conformity, the affected products may no longer be sold in the EU. The obligation to report security vulnerabilities takes effect even earlier, on September 11, 2026. Given that product life cycles usually span many years, the CRA should be given the highest priority in order to continue selling on the EU market in the future.

Key elements for CRA compliance are the principle of “security by design” and continuous risk assessment and vulnerability remediation. In addition, a Software Bill of Materials (SBOM) is required to make software components traceable and identify risks in the supply chain at an early stage. The CRA categorizes products into three security classes and defines binding requirements for consumer IoT, industrial IoT applications, and embedded systems. Supply chain security is particularly relevant, as vulnerabilities in third-party and open-source components can compromise the integrity of the overall system. The implementation period of 24 or 36 months from the effective date of December 10, 2024, poses major challenges for manufacturers, as product development often takes years. To meet the requirements of the CRA, companies should implement cybersecurity best practices as soon as possible. In addition to the CRA, other regulatory frameworks such as RED and IEC 62443 must also be taken into account. Special compliance tools can help meet current and future requirements by enabling efficient cybersecurity assessment of products. One example of this is the Compliance Wizard from ONEKEY.

Companies that adapt their product strategy in good time not only secure their market approval in the EU, but also their competitiveness. Lifecycle security, proactive compliance, and supply chain security are becoming key success factors for manufacturers in the market.

The new CRA requirements and their implications

All types of connected products will have to meet a series of new cybersecurity requirements in order to obtain the CE mark (Conformité Européenne), which certifies that they comply with European Union regulations. This applies to all devices, machines, and components that use digital technologies or establish a direct or indirect connection to other devices or networks. Without the CE mark, these products may not be sold or distributed in the EU, and the CRA will play a key role in obtaining it in the future.

The CRA requires all manufacturers to regularly test, monitor, and document the cybersecurity of their products. To meet the new requirements, companies should be able to quickly identify security vulnerabilities and conduct continuous impact assessments. This means that every vulnerability must be continuously evaluated in order to thoroughly analyze products and protect against the potentially serious consequences of security breaches.

The CRA requires not only manufacturers, but also importers and distributors to ensure product security. The legislator's aim is to secure the entire digital supply chain within the EU internal market. Cybersecurity is thus becoming a decisive prerequisite for access to the European market.

Compared to standards such as RED and IEC 62443, the CRA goes one step further by setting specific and binding requirements for the cybersecurity of connected products. While RED and IEC 62443 already cover important security aspects in specific areas such as telecommunications and industrial automation, the CRA represents a much more comprehensive set of rules designed to strengthen the security of digital products at the European level.

Lifecycle security: Cybersecurity throughout the entire product lifecycle

The CRA requirements cover the entire life cycle of the products concerned – from planning and development to operation and subsequent decommissioning. Manufacturers are obliged to provide security updates for their products for a period of at least five years. If the product is used for a shorter period, this period may be shortened accordingly. However, in many industrial sectors, product lifespans of 10 or 20 years, or even longer, are not uncommon. This means that monitoring, maintenance, vulnerability management, and patching strategies must also be maintained over a correspondingly long period of time.

In the context of cybersecurity and the Cyber Resilience Act, different operating systems play a central role. Real-time operating systems (RTOS) are characterized by their ability to respond to time-critical requirements, making them particularly suitable for embedded systems, IoT, and IIoT. They offer precise control and fast response times, which is of great importance in safety-critical applications.

In contrast, Linux, as an open-source operating system, offers broad flexibility and is often used in the development of complex applications and IoT devices due to its stability and adaptability. While Linux offers an extensive developer community and regular security updates, RTOS can offer advantages in security-critical environments due to their limited functionality and small attack surface. Other systems, such as proprietary operating systems, often have specific advantages and disadvantages, particularly in terms of the support and security features they offer. With regard to the CRA, companies must ensure that all systems used, regardless of type, meet the new security requirements. The Software Bill of Materials (SBOM) plays a key role in this.

Supply chain security: transparency and protection against manipulation

Manufacturers of “products with digital elements” will be required under the documentation requirements of the Cyber Resilience Act to maintain a Software Bill of Materials (SBOM) and review the entire supply chain for security risks. This regulation affects a wide range of devices – from laptops, smartwatches, and smart home systems such as smart thermostats or electricity meters to industrial control systems and connected vehicles. In short, all IT or internet-enabled products are covered.

The SBOM is a digital bill of materials that lists all software components used in a product, including those that are not immediately obvious. Manufacturers, importers, and distributors must ensure that this list is always up to date. Every software update or security patch therefore requires continuous maintenance of the SBOM, ideally through an automated process. Automatic compliance tools can be used to create, monitor, and continuously update the SBOM, ensuring that companies always have accurate and compliant documentation.
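The SBOM maintenance step described above, as an added example that is not part of the original post and not ONEKEY's tooling: a release-gate check that compares a constructed CycloneDX-style SBOM against a constructed inventory of the new firmware build and reports components that were added, dropped, or updated without the SBOM being revised. All component names and versions are made up for illustration.

```python
import json

# Constructed CycloneDX-style SBOM shipped with the previous firmware release (not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.12"},
    {"type": "library", "name": "zlib", "version": "1.2.13"},
    {"type": "library", "name": "busybox", "version": "1.36.1"}
  ]
}"""

# Constructed inventory of what the new firmware build actually contains (e.g. from a package manifest).
BUILD_COMPONENTS = {
    "openssl": "3.0.13",  # bumped by a security patch, SBOM never updated
    "zlib": "1.2.13",
    "busybox": "1.36.1",
    "curl": "8.6.0",      # newly added dependency that nobody recorded
}

def sbom_components(sbom_text):
    """Return {name: version} for every component listed in a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    return {c["name"]: c["version"] for c in doc.get("components", [])}

def sbom_drift(sbom_text, build):
    """Compare the documented SBOM with the real build inventory.

    Returns lists of components missing from the SBOM, components listed but no
    longer shipped, and (name, sbom_version, build_version) version mismatches.
    """
    documented = sbom_components(sbom_text)
    missing = sorted(set(build) - set(documented))
    stale = sorted(set(documented) - set(build))
    mismatched = sorted(
        (name, documented[name], build[name])
        for name in documented.keys() & build.keys()
        if documented[name] != build[name]
    )
    return {"missing": missing, "stale": stale, "mismatched": mismatched}

def sbom_is_current(sbom_text, build):
    """Release gate: True only if the SBOM exactly matches what is shipped."""
    d = sbom_drift(sbom_text, build)
    return not (d["missing"] or d["stale"] or d["mismatched"])
```

Run in a build pipeline, a failing `sbom_is_current` check blocks the release until the SBOM is regenerated, which is the "always up to date" property the CRA documentation requirements demand.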

In addition, manufacturers must ensure that their supply chains are protected against manipulation. The increasing interconnectedness of products makes it easier for cybercriminals to carry out attacks via vulnerabilities in the supply chain. To prevent this, companies must focus on transparency and ensure that all components and software sources are checked and documented. This not only protects against potential security vulnerabilities, but also ensures that all product components comply with regulatory requirements, which is essential for market access in the EU.

The implementation of the Cyber Resilience Act poses significant practical challenges for manufacturers. One example of this is industrial manufacturing, where industrial control and production systems are used for decades and regular security updates are required to ensure compliance. In the IoT industry, for example in smart household appliances, constant maintenance of the software bill of materials is also necessary to quickly identify and remedy potential vulnerabilities. Companies must therefore work closely with their suppliers to ensure seamless security monitoring throughout the entire product lifecycle. Automated processes for vulnerability analysis and remediation are essential here in order to efficiently meet requirements while conserving resources.

Compliance & market requirements: CRA as a competitive advantage

Early implementation of the requirements of the Cyber Resilience Act offers companies a significant competitive advantage. By proactively integrating cybersecurity measures and ensuring compliance, companies can not only minimize legal and financial risks, but also position themselves as trustworthy partners in the market. At a time when consumers and business partners are placing increasing importance on data security, compliance with the CRA creates a strong sense of trust that strengthens brand reputation. In addition, companies that invest in security solutions early on gain a strategic advantage over competitors who only respond to the new requirements later. Proactive adaptation to legal requirements therefore not only promotes market access in the EU, but also improves long-term market position, as companies are seen as pioneers in security awareness.

Best practices: How manufacturers successfully implement CRA requirements

To successfully implement CRA requirements, manufacturers should rely on proven best practices. Security requirements should be integrated into the product development process at an early stage, and regular security assessments should be carried out. Companies are well advised to review their supply chains and ensure that suppliers and partners comply with the required security standards. Monitoring and patching security vulnerabilities throughout the product lifecycle is essential to ensure CRA compliance. Manufacturers should maintain transparent communication channels with regulatory authorities and customers to build trust.

Compliance tools support manufacturers, importers, and distributors of products with digital components in complying with security requirements. They enable comprehensive cybersecurity assessment by combining automatic vulnerability detection, CVE prioritization, and intelligent filtering with an interactive, holistic compliance review. This significantly reduces the complexity and costs of cybersecurity and compliance processes.

The Cyber Resilience Act poses considerable challenges for companies – but it will certainly not be the end of the story. Further and even stricter cybersecurity requirements are foreseeable and, given the escalating threat situation, undoubtedly justified. Companies offering connected products are therefore well advised to rely on automated compliance services as much as possible when it comes to product cybersecurity. Future developments could bring even more detailed requirements for transparency, responsiveness to security incidents, and supplier responsibility. Companies that adapt to these changes early on will not only meet regulatory requirements, but also gain a competitive advantage and strengthen their market position.

Conclusion

The requirements of the Cyber Resilience Act present manufacturers with new challenges, but at the same time offer opportunities to gain a competitive advantage through proactive cybersecurity. Stricter regulatory requirements and the increasing importance of cybersecurity mean that companies must act now to minimize compliance risks and secure market access in the EU. Manufacturers should immediately begin integrating security measures into their product development, review their supply chains, and ensure continuous security monitoring. By taking these steps, they can not only meet legal requirements but also strengthen their position as a trusted market player.


About Onekey

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

