Key takeaways from the “CRAzy About Product Cybersecurity” stakeholder event

DATE
03 Dec 2025
HOUR
09:00 - 12:00

Location

Online

Description

With the Cyber Resilience Act (CRA) having entered into force, Europe is entering a new phase of product cybersecurity. To support stakeholders during the transition period, the European Commission hosted the online event “CRAzy About Product Cybersecurity: From Compliance to Confidence”, on 3rd December 2025, bringing together policymakers, standardisation bodies and EU-funded projects.

A special focus was placed on how small and medium-sized enterprises (SMEs) with digital products can manage CRA compliance in a way that strengthens their resilience and competitiveness. For many SMEs, the CRA represents both a challenge and an opportunity — and this article brings you the key insights shared by the experts.

The CRA: A shift towards security by design

The CRA introduces, for the first time, EU-wide mandatory cybersecurity requirements for products with digital elements, covering hardware, software and their entire supply chains. The regulation establishes security by design and by default as the new baseline, moving beyond voluntary best practices.

This means:

  • Security by design and default: products must be designed and developed with cybersecurity integrated from the start.
  • Lifecycle obligations: manufacturers will need processes for vulnerability handling and regular updates.
  • Documentation and conformity: basic technical documentation and evidence of compliance will be expected.
  • Risk-based assessments: security risks must be understood and mitigated proactively.

Speakers from the European Commission underlined that the CRA should not be approached as a box-ticking exercise. Instead, it is intended to foster a culture of cybersecurity, where manufacturers understand their risks, know what is inside their products, and integrate security throughout the full product lifecycle.

From regulation to implementation: the role of standards and support measures

A central theme of the event was how the CRA will be implemented in practice. European Standardisation Organisations (CEN, CENELEC and ETSI) presented the ongoing work on harmonised standards that will help manufacturers demonstrate compliance and benefit from a presumption of conformity.

At the same time, the Commission emphasised that standards remain voluntary and technology-neutral. They are meant to facilitate compliance – especially for important and critical products – not to stifle innovation.

The SECURE project has published a first batch of training materials, including the guideline “The CRA’s Essential Cybersecurity Requirements: Annex I, Part I”. This document focuses on the essential cybersecurity requirements of the CRA and provides non-exhaustive and tentative technical suggestions to support compliance with the CRA, Annex I, Part I, points 1 and 2, based on recognised best practices, common approaches and existing standards in the cyber domain.

Examples of existing standards include:

  • Security by design and by default: standards such as IEC 62443-4-1 (secure product development lifecycle) and ISO/IEC 27034 (application security) are frequently used as reference points for implementing this principle.
  • Lifecycle obligations: Standards such as ISO/IEC 30111 (vulnerability handling) and ISO/IEC 29147 (vulnerability disclosure) provide concrete guidance for these activities.
  • Documentation and conformity: Using structured approaches inspired by ISO/IEC 27001 helps SMEs organise security responsibilities and documentation in a proportionate way.
  • Risk-based assessments: risk management standards such as ISO/IEC 27005 or ETSI TS 103 701 (threat, vulnerability and risk analysis) are commonly used to structure these assessments.


Practical support on the ground: EU-funded projects

Against this background, EU-funded projects play a crucial role in translating regulatory requirements into actionable guidance.

One of the key messages of the event was that SMEs will not be left alone with CRA implementation. Several EU-funded projects are already supporting companies in different, complementary ways — including SECURE and CYBERSTAND.

SECURE — Strengthening EU SMEs Cyber Resilience

Danilo d’Elia (PhD) presented the SECURE project, which directly supports the practical application of CRA requirements in SME contexts by offering, among other things, monetary support, a central knowledge platform and trainings.

The SECURE project addresses one of the main challenges: how to move from abstract legal requirements to operational compliance and product security processes that work across organisations and supply chains.

SECURE supports SMEs by:

  • helping manufacturers understand CRA obligations in concrete terms,
  • strengthening internal cybersecurity capabilities,
  • and preparing for CRA compliance across the product lifecycle.

By bridging policy, standardisation and industrial practice, SECURE helps SMEs turn compliance into a strategic advantage, strengthening trust in digital products and European competitiveness.

CYBERSTAND — Making CRA and standardisation accessible for SMEs

The event also featured the CYBERSTAND project, presented by Nicolas Ferguson. It provides complementary support by helping SMEs understand the Cyber Resilience Act and the role of standards.

CYBERSTAND supports SMEs by:

  • explaining CRA requirements, timelines and obligations in accessible terms,
  • clarifying the role of harmonised standards in supporting compliance,
  • lowering barriers for SME participation in standardisation activities,
  • and lowering entry barriers to technical and regulatory discussions.

The project is particularly relevant for SMEs at an early stage of CRA engagement, offering orientation within the regulatory and standardisation landscape.

Together, SECURE and CYBERSTAND illustrate how European initiatives are working collaboratively to help SMEs understand and apply the new cybersecurity obligations, rather than leaving them to navigate these changes on their own.

A recurring message throughout the event was that CRA implementation is a collective effort. Regulators, standardisation bodies, manufacturers, open-source communities and support projects must work together to ensure consistent and effective application across the EU.

With reporting obligations starting in 2026 and full CRA applicability in 2027, now is the time for SMEs to:

  • familiarise themselves with CRA requirements and timelines,
  • start building or refining cybersecurity processes that can be documented and demonstrated,
  • follow standardisation and guidance developments,
  • and engage with support initiatives such as SECURE.

Latest update: 13/01/2026, 2:05