In discussions with manufacturers about the Cyber Resilience Act, one recurring theme is: “Compliance is expensive.” True, implementing CRA requirements does require significant investment. However, the costs of non-compliance and incidents can be far greater – and the financial risks are often underestimated. What I’ve observed in practice: Many manufacturers focus solely on the upfront…
Most CRA conversations I have right now orbit around December 2027. That’s the wrong date to focus on first. Article 14 of the CRA – the reporting obligation for actively exploited vulnerabilities and severe incidents – applies from 11.09.2026. That’s roughly 5 months from now. And 15 months before the rest of the regulation kicks…
Most manufacturers plan their CRA compliance around one date: 11 December 2027. That’s when the Cyber Resilience Act fully applies, and that’s the CRA compliance deadline their project plans are built around. From a regulatory perspective, this makes sense. From a business perspective, it’s already too late. The regulatory date is not the market date…
What are the most important dates related to the CRA that manufacturers, importers or distributors need to keep in mind? Are you prepared?
The European Commission has published the Cyber Resilience Act (CRA) FAQ as a Markdown file. This format is particularly valuable for: The Markdown version of the CRA FAQ is available for download here: Cyber Resilience Act implementation – Frequently asked questions
If you’re evaluating whether your product falls under the Cyber Resilience Act (CRA), you’ve likely encountered the term “Product with Digital Elements” (PDE). This term is central to the CRA, and understanding it is crucial. The Cyber Resilience Act (CRA) defines the scope of its regulations in Article 2, which explicitly references “products with digital…
Incidents such as the blackout in parts of Berlin lasting several days emphasize the importance of personal preparation for crisis and disaster. The German BBK has published checklists for this purpose. The BBK is the German Federal Office of Civil Protection and Disaster Assistance. Personally I don’t prefer to check off such a list on…
This month I’ve earned the Information Security Risk Manager. ISO/IEC 27005 certification of rigcert.education. Having multiple years of experience in managing security risks in OT environments according to IEC 62443-3-2, the ISO 27005 provides an extended perspective on risk management. Effective information security risk management is crucial for maintaining secure systems. Failing to properly assess…
The Cyber Resilience Act (CRA) is a critical piece of legislation designed to enhance product cybersecurity across the EU. If you’re finding it challenging to navigate, you’re not alone – many organizations are seeking clarity on its implications. Last week, the EU Commission hosted an insightful webinar on the CRA, attracting over 2,500 participants from…
The EU Commission services have just released a comprehensive FAQ to help to demystify the implementation of the Cyber Resilience Act. If the official text left you scratching your head, this 66-page document might be your go-to resource for first practical answers to your questions. Worth a bookmark. Read it here:EU Commission – CRA Implementation