The Cyber Resilience Act is intended to protect against products with inadequate IT security functions. The requirements affect the entire life cycle. But what does this mean in concrete terms and which companies are affected?
Companies should act now and make cyber security an integral part of their strategy.
(Image: Johannes - stock.adobe.com / AI-generated)
Dr.-Ing. Rodrigo do Carmo is Head of Manufacturing & Information Security at secunet.
The Cyber Resilience Act (CRA) complements the EU cybersecurity strategy by creating the technical basis for secure products and thus making a significant contribution to the security of the internal market. It is primarily aimed at manufacturers, but also contains obligations for importers and distributors with regard to the further marketing of products in the supply chain. The CRA aims to increase the cybersecurity level of hardware and software and protect users from harm.
Whether Small and Medium-Sized Enterprises or Large Corporations: The CRA Applies to All
Whether laptops, smartwatches or networked machines: with a few exceptions, the CRA regulates all products with digital components. In addition to software and hardware products, the remote data processing solutions that such products need in order to function are also covered. This includes all products that process or exchange data. CRA conformity will therefore also become part of the CE marking that every product must carry when it is placed on the market.
This poses technical challenges, particularly in production and maintenance, which can be financially and operationally demanding, especially for small and medium-sized enterprises. CRA-compliant products must contain technical components such as embedded hardware security modules that ensure secure encryption and protect data integrity. The same applies to the exchange of certificates used to verify the authenticity of users or entities, which requires a public key infrastructure. Depending on the maturity of the implementation and the risk assessment of the product, companies must budget differently for the improvement or implementation of cyber security requirements.
Security Categories and Control: Action Protects Against Penalties
The CRA enforces compliance with the new requirements through various control mechanisms and sanctions. Manufacturers must prove the conformity of their products through specific procedures, which are divided into different security categories depending on the type of product and the respective process requirements:
"Basic category" applies to all products with digital components.
"Important products" can be Class I security-related products such as password managers, browsers or security information and event management (SIEM) systems, or Class II products with security components such as firewalls, intrusion detection and intrusion prevention systems, and hypervisors (the basic operating systems of virtualized cloud platforms).
"Critical products" are smart meter gateways in smart metering systems, hardware devices with security boxes and smart cards, where security is considered a central feature of the entire product.
Whether companies have to carry out the conformity assessment procedure themselves or involve an external body depends on the respective product category. If the requirements are not implemented, or only insufficiently, high fines may be imposed. These can amount to several million euros or up to 2.5 percent of the global turnover of the previous financial year.
Cybersecurity for Greater Resilience: What Companies Should Do Now
To protect their business, companies should act now and make cyber security an integral part of their strategy. To begin with, a gap analysis is recommended to understand the gaps between the status quo and the requirements of the CRA. Once the weak points have been identified, risks can be assessed and specific measures derived.
Established standards and guidelines can provide guidance. Technical standards such as the IEC 62443 family or ISO/IEC 27001 support the introduction of systematic approaches to securing IT and OT systems. EU regulatory frameworks, including the NIS 2 Directive, the RED Directive (Radio Equipment Directive), the General Data Protection Regulation (GDPR) and the new EU Machinery Regulation (MVO), which will come into force in January 2027, provide additional specifications and requirements. Core elements of information security such as risk and vulnerability management are also crucial for a holistic cyber security strategy.
Even if it initially requires capacity and effort, the CRA is an opportunity for companies to become more resilient. And since the CRA was adopted in October 2024, the clock has been ticking: all requirements must be implemented in various stages by December 2027. If companies consider cyber security in all processes from the outset, this can give them a competitive advantage.
Date: 08.12.2025