If your company builds or sells software and connected devices in the EU, the new Cyber Resilience Act is something you need to pay close attention to. The CRA introduces enforceable secure-by-design requirements across the entire product lifecycle. Here’s what product leaders and engineering teams should know to get ahead of compliance.
Remember the Raptor Train?
A botnet of more than 200,000 compromised connected devices, hijacked through unpatched vulnerabilities and insecure defaults: not because the companies that made them lacked internal security policies, but because the products themselves were never designed or maintained with long-term security in mind.
This kind of large-scale product risk is exactly what the EU’s Cyber Resilience Act (CRA) is meant to address, especially given that some estimates put the number of connected devices in the world today at nearly 21 billion.
So, let’s dig into how the CRA addresses the security of connected devices.
What is the Cyber Resilience Act?
The CRA is one of the most significant shifts in digital product regulation in years: it sets mandatory cybersecurity requirements for digital products sold in the European market.
While NIS2 and DORA regulate how organizations operate, CRA regulates what certain organizations build.
It applies to nearly any “product with digital elements” (PDE) – a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.
For product leaders, engineering teams, and security owners shipping digital products to the EU market, CRA will change how products are planned, developed, released, and maintained.
CRA is part of a broader EU push to raise digital resilience, reaching deep into how products are built. It requires teams to think long-term, architect for security, and maintain products responsibly.
In other words, cybersecurity is no longer a “launch and forget” problem. It’s a product discipline.
What CRA actually requires
At its core, CRA turns cybersecurity into a product safety requirement. To sell in the EU, a product must meet baseline security expectations throughout its lifecycle.
That includes:
- Secure-by-design and secure-by-default
You must perform risk assessments early; design with security controls, hardened configuration, authentication, and encryption in mind; test for vulnerabilities; and avoid shipping known exploitable vulnerabilities.
- Transparent components
The supply chain is widely acknowledged as one of the greatest cybersecurity risks today. Any included libraries, open-source packages, third-party modules, or firmware components must be documented and traceable through a Software Bill of Materials (SBOM).
- Vulnerability management and long-term updates
Manufacturers must document and patch newly discovered vulnerabilities and maintain security updates – typically for five years or for the expected lifespan of the product – while communicating transparently with their customers throughout.
- Clear reporting obligations
Actively exploited vulnerabilities and severe incidents must be reported quickly (24h early warning, 72h detailed report).
- Conformity assessment and CE marking
Before you place a product on the EU market, you’ll need an internal or third-party assessment and to affix CE marking demonstrating compliance. Non-compliance can lead to fines of up to €15M or 2.5% of global turnover, as well as a ban on selling products that do not meet the mandatory requirements.
Who is impacted?
CRA applies to the entire digital-product ecosystem:
- IoT and hardware device makers
- Software vendors
- Distributors and importers
- Any company bundling or integrating products with digital elements into larger systems
This makes CRA relevant for startups, scale-ups, enterprise vendors, and sometimes even agencies that build software on behalf of clients. However, not all products face the same burden.
CRA classifies products by risk level, so higher-risk products (e.g., identity systems, password managers, browsers, network equipment, industrial devices) require independent conformity assessments, while lower-risk products can rely on self-assessment.
Additionally, not every digital product falls under the scope of the CRA; it mostly focuses on consumer products.
Standalone websites and cloud services are exempt when they are not used to enable or operate a product with digital elements, as is non-commercial open-source software. Products that are already regulated under dedicated EU sector frameworks are also excluded.
For more details on the above, the recently released CRA implementing act contains technical descriptions related to important and critical products.
Key dates
- June 2026: Member states designate Conformity Assessment Bodies.
- September 2026: Vulnerability reporting obligations become mandatory.
- December 2027: Full CRA compliance required for all products.
The biggest CRA challenges ahead
Based on the current cybersecurity trends and how most companies ship software today, CRA will expose several weaknesses:
Lack of structured security in the software development lifecycle (SDLC)
Many organizations don’t perform threat modeling or security architecture reviews, and now they must.
Poor dependency visibility
Most teams don’t track all libraries, components, and vulnerabilities. Without an SBOM, CRA compliance becomes nearly impossible.
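The two SBOM points above (documenting and tracing every included component, and then actually tracking which of them carry known vulnerabilities) are easier to grasp with a concrete check. The script below is an added example, not Infinum’s or any CRA tooling: it loads a CycloneDX-style SBOM, flags components that have no package URL (and so cannot be traced), matches the rest against an advisory list, and answers the release-gate question the CRA poses, whether a known exploitable vulnerability is about to ship. The SBOM, the advisory list and the advisory ids are all constructed placeholders; in practice the advisories would come from a vulnerability database, which this example deliberately does not call.

```python
"""Check a CycloneDX-style SBOM against a list of advisories.

Added example, not code from the original article or from Infinum.
Assumptions: the SBOM follows the CycloneDX JSON layout (components with
name/version/purl); advisories are a constructed list with placeholder ids.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM. One component has no purl on purpose: it cannot
# be matched against any advisory, which is itself a finding.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.2.3",
         "purl": "pkg:pypi/examplelib@1.2.3"},
        {"type": "library", "name": "netparser", "version": "0.9.0",
         "purl": "pkg:pypi/netparser@0.9.0"},
        {"type": "firmware", "name": "example-bootloader", "version": "2.0.1",
         "purl": "pkg:generic/example-bootloader@2.0.1"},
        {"type": "library", "name": "vendored-blob", "version": "unknown"},
    ],
})

# Constructed advisories with placeholder ids (not real CVEs).
# A component is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-0001", "purl_prefix": "pkg:pypi/netparser",
     "introduced": "0.0.0", "fixed": "1.0.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-0002", "purl_prefix": "pkg:pypi/examplelib",
     "introduced": "1.0.0", "fixed": "1.2.0", "severity": "medium"},
]

BLOCKING_SEVERITIES = {"high", "critical"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3); parts without digits compare as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, padding short tuples with 0."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    n = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(v) < pad(hi)


def strip_version(purl: str) -> str:
    """'pkg:pypi/netparser@0.9.0' -> 'pkg:pypi/netparser'."""
    return purl.split("@", 1)[0]


def untraceable_components(sbom_json: str) -> List[str]:
    """Names of components that carry no purl and so cannot be traced."""
    sbom = json.loads(sbom_json)
    return [c["name"] for c in sbom.get("components", []) if not c.get("purl")]


def find_affected(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (component, version, advisory id, severity) for every match."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        prefix = strip_version(comp.get("purl", ""))
        for adv in advisories:
            if prefix == adv["purl_prefix"] and version_in_range(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"], adv["severity"]))
    return hits


def release_blocked(hits: List[Tuple[str, str, str, str]]) -> bool:
    """Gate the release: any high/critical match means a known vulnerability ships."""
    return any(h[3] in BLOCKING_SEVERITIES for h in hits)


if __name__ == "__main__":
    for name in untraceable_components(SAMPLE_SBOM):
        print(f"UNTRACEABLE: {name} has no purl; add one or document its origin")
    matches = find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for comp, ver, adv_id, sev in matches:
        print(f"AFFECTED: {comp} {ver} -> {adv_id} ({sev})")
    print("release blocked" if release_blocked(matches) else "release may proceed")
```

Run against the constructed input, the script reports `vendored-blob` as untraceable and `netparser 0.9.0` as affected by the high-severity placeholder advisory, so the gate blocks the release; `examplelib 1.2.3` sits above the fixed version and is not flagged. The same structure works for a real CycloneDX file once the advisory list is fed from a vulnerability database instead of the inline placeholders.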
Unclear maintenance and update plans
If you ship a connected device without a realistic long-term patching strategy and SLA, CRA will flag it as unsafe.
Missing incident-response playbooks
The tight 24/72-hour reporting timelines require formal workflows, roles, documentation, and monitoring.
How we help companies become CRA-ready
At Infinum, we work with organizations to build digital products that are secure by design – and now, compliant by design. Our cybersecurity offering supports CRA readiness across the product lifecycle, from threat modeling and secure architecture all the way to continuous monitoring and long-term maintenance planning.
CRA compliance isn’t just about meeting legal obligations; it’s about earning and maintaining customer trust in an increasingly competitive market by building safer, more reliable products.
Most teams don’t know where they stand today, so reach out for a CRA gap analysis or product security review to close the gaps before regulation becomes a blocker.