
Cyber Resilience Act – how the new regulation affects your business

Do you manufacture or sell products that include digital elements? If so, you are affected by the Cyber Resilience Act (CRA) – the EU's new regulation that tightens requirements throughout the entire product life cycle. Ted Strandberg, an expert in cyber security and functional safety, explains what is expected of your business.

A baby monitor that can be controlled with an app, an industrial machine that communicates with other equipment in the production line, and speakers that can tell you what the weather will be like next week. There are few electronic products today that do not contain digital elements. This means that the Cyber Resilience Act (CRA) has a very broad scope – all companies that develop, manufacture, import or sell products with digital technology or pure software on the EU market are covered.

The CRA is a regulation that aims to increase cybersecurity in products with digital elements, i.e. hardware and software that can be connected to a network or other digital device, across the entire European market.

"This regulation is necessary to increase resilience and protect European citizens and systems. We don't want hackers to be able to take control of products, whether it's a baby monitor, an industrial machine or a speaker," says Ted Strandberg, project manager for cyber security and functional safety at RISE.

CRA becomes part of CE marking

The CRA was adopted in December 2024 and will be phased in from September 2026. By the end of 2027, the CRA is expected to be fully rolled out. Unlike many other regulations and directives passed by the EU, CRA has no direct predecessor. The regulation has been developed to complement other cybersecurity regulations, such as NIS2, which places requirements on organisations rather than products.

The requirements will be incorporated into the CE marking, which in practice means that cybersecurity will go from being a "nice to have" to mandatory if you want to continue selling your connected product on the EU market.

How can we help?

Do you need guidance on how the EU Cyber Resilience Act affects your business and how you can adapt to the new requirements? Contact us by filling out the form:


Built-in security central to CRA

Security by Design, or built-in security, is a central part of the regulation. It is no longer acceptable to add security after the fact; instead, requirements are now imposed throughout the entire development phase and until the end of the life cycle.

"Most people probably associate the term 'life cycle perspective' with the environment and climate, but here we are talking about the life cycle of software. It extends from the initial idea and risk analysis to requirements specification, design, architecture, development and testing. Once the software has been released on the market, it is a question of maintenance and updates. We talk about End of Support, when the manufacturer stops sending out updates and no longer takes responsibility for security," explains Ted Strandberg.

Standards as tools for regulatory compliance

Ted Strandberg heads the national working group in Sweden that develops standards related to cybersecurity in products. By testing products against established standards, such as IT security in industrial automation systems (EN IEC 62443), it is possible to assess whether a product with digital elements meets basic cybersecurity requirements. Standards can be used as support to demonstrate compliance with CRA. For certain products classified as high risk – such as operating systems or central system components – CRA also introduces a certification requirement.

CRA compliance extra important for subcontractors

Proof of CRA compliance in the form of an accredited report is particularly important for subcontractors who want to maintain and strengthen their competitiveness. A subcontractor who cannot guarantee the security of their components will be ruled out as an option by the customers who market the finished product. Quite simply, there is too much at stake.

"Violating the rules can result in very high fines. Seeking assistance from RISE means sharing that risk. If your product has not been reviewed by a third party, you bear the risk of being penalised. If we make a mistake in the review, we also bear responsibility," explains Ted Strandberg.

CRA training provides a solid knowledge base

Before product testing, certification processes or other technical measures, knowledge building comes first. With the right knowledge, it becomes much easier to tackle CRA.

"One way to build that knowledge is to take a course with us. We offer company-specific courses that provide a solid foundation. For many players, the transition to CRA compliance will take time, so it's important not to wait too long to get started," says Ted Strandberg.

Three tips on how to deal with CRA:

  1. Raise your level of knowledge. We suggest doing this through a course that clarifies the steps you need to take to ensure CRA compliance.
  2. Try it! Conduct accredited product testing and take advantage of the opportunity to receive advice during the product development phase.
  3. Get started! There is no time to wait.

This is CRA

The Cyber Resilience Act (CRA) sets common cybersecurity requirements for products with digital elements. The regulation covers both hardware and software sold on the EU market – from connected consumer products to industrial systems and software.

The CRA was adopted in December 2024 and will be implemented in stages starting in September 2026. Full implementation is expected in December 2027.

The aim is to raise the basic level of security, reduce vulnerabilities in connected products and create a more resilient digital single market within the EU.

Contact person: Ted Strandberg, Project Manager, RISE