
What has Happened Since the CRA was Adopted?
Now over a year since the Cyber Resilience Act (CRA) was officially adopted, a lot has happened and even more is expected to occur before the full application of the act. Before these additional changes take place, we felt it would be helpful to look at what has happened since December 2024, what can be expected during 2026, and what can be done right now.
After adopting the CRA on 10 December 2024, the Commission quickly sent out a standardization request to the three European Standardization Organizations (ESO)—CEN, CENELEC, and ETSI—for 41 standards, which was accepted by the ESOs. The ESOs divided the work between them and plan to create three horizontal standards covering all products and a number of vertical standards covering each of the product types classified as important or critical products. The three horizontal standards will cover:
- A framework laying down principles for cyber resilience
- Product-agnostic technical measures
- Vulnerability handling
Today, the standards are in the drafting stage, but most of them, apart from the horizontal standard on product-agnostic technical measures, will likely be completed during the year. A fourth horizontal standard has also been created, covering vocabulary between all the horizontal standards. The horizontal standards that have progressed the most are:
- prEN 40000-1-1 – Cybersecurity requirements for products with digital elements – Vocabulary
- prEN 40000-1-2 – Cybersecurity requirements for products with digital elements – Part 1-2: Principles for Cyber Resilience
- prEN 40000-1-3 – Cybersecurity requirements for products with digital elements – Part 1-3: Vulnerability Handling
Note that to read these you need a membership with your national standardization body.
A lot of the standards on the vertical side are already available for public review and can be found on ETSI[1] or their dedicated GitLab[2]. Some of the standards that can be found there:
- EN 304 617 – Browser
- EN 304 618 – Password Manager
- EN 304 626 – Operating Systems
The Commission also established an Expert Group for the CRA, consisting of EU Member States, organizations, and ENISA. During 2025, the Commission, with the help of the Expert Group and ENISA, created an Implementing Act on technical descriptions for important and critical products[3] and a Delegated Act on CSIRTs withholding notifications to be disseminated through the Single Reporting Platform[4], and is currently working on a number of guidance documents. A website with information regarding the CRA, such as a summary of the legal text as well as a FAQ on CRA implementation, was also launched during 2025[5].
What to Expect in 2026
We can expect quite a lot to happen during 2026. First, the first set of guidance documents from the Commission and the Expert Group is expected to be published at the beginning of the year. Second, the provisions regarding the notification of Conformity Assessment Bodies will be applied from the 11th of June onward. This means that manufacturers who want to start their third-party conformity assessments can, at the earliest, start these processes in June; however, the standards won’t be finished by then, so it might still be hard to do so. Third, the reporting obligations, such as notifying actively exploited vulnerabilities and severe incidents, will be applied from the 11th of September onward.
We also expect that most of the standards will be finished this year. The horizontal standards setting the principles for cyber resilience and the standard regarding vulnerability handling are the two standards we expect first, since they both have August 30th as a deadline. The vulnerability handling standard will be very welcome, since the reporting obligations start to apply just two weeks later.
Towards the end of October, we should also have completed versions of the vertical standards covering the important and critical products, as they all have October 30th as their deadline. The last standard, on product-agnostic technical measures, is not expected until October 2027.
What Can be Done Right Now?
Manufacturers should not interpret this period as “waiting time”. On the contrary, the coming months are a crucial window to build understanding, reduce uncertainty, and embed cybersecurity requirements into products and processes early. Decisions made now will directly impact the effort required to achieve compliance once the CRA becomes fully applicable.
Manufacturers can already take the following concrete steps:
- Review the CRA requirements and scope
- Monitor and analyze available drafts and standards
- Perform internal gap analysis and readiness assessments
- Engage with external experts for readiness support
atsec Can Get You Started
atsec is ready and able to prepare you for these changes by performing readiness assessments that provide an objective view of your CRA readiness, clarify the interpretation of requirements, and prepare you for future conformity assessment and certification activities.
For more information, please reach out to info@atsec.com.
[1] https://docbox.etsi.org/CYBER/EUSR/Open
[2] https://labs.etsi.org/rep/stan4cra/
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32025R2392&qid=1764577062755
[4] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=PI_COM%3AC%282025%298407&qid=1765524819538
[5] https://digital-strategy.ec.europa.eu/en/factpages/cyber-resilience-act-implementation



