
The Clock is Ticking to Prepare for the Cyber Resilience Act

Last week, Rasma Araby represented atsec information security AB, Sweden, as a panelist in the “CRA compliance of products with digital elements and routes to market” discussion at the Making the EU Market Resilient conference in Bucharest. The event gathered regulators, industry leaders, and cybersecurity experts to exchange insights on the upcoming Cyber Resilience Act (CRA) and its implications.

During the discussion, Luis Miguel Vega Fidalgo, Coordinator for International Cybersecurity Policy at the European Commission (DG CNECT), rightly described the CRA as a revolution – a term that captures the scale of change this regulation will bring. For the first time, the CRA establishes clear accountability for manufacturers, not only for their own software and hardware but also for any third-party components they integrate; cybersecurity becomes an embedded responsibility across the entire product lifecycle.

However, one of the key challenges highlighted during the panel is the low level of awareness among manufacturers. Many companies have not yet realized that the CRA applies broadly to almost all products with digital elements – from connected devices and embedded systems to software applications and industrial components. Only a few, narrowly defined exceptions exist, meaning that the vast majority of products entering the EU market will need to demonstrate compliance once the CRA becomes applicable.

The panel also examined how the CRA introduces different routes to market, depending on the product’s risk level and intended use. Manufacturers will need to navigate options ranging from self-assessment for lower-risk products to third-party conformity assessment for higher-risk categories.

At the same time, there remains a degree of uncertainty around legal and technical clarity. While the regulation establishes the principles, many harmonized standards and guidance documents are still under development. This creates challenges for manufacturers, conformity assessment bodies, and evaluators alike, who are eager for clear direction on what evidence, documentation, and testing will be required in practice.

Other interesting panel discussions touched on concerns that the CRA may affect competitive advantage. Some participants noted that smaller manufacturers or startups could find compliance requirements more challenging to meet, potentially creating market imbalances. Balancing security assurance with innovation and competitiveness will therefore be crucial as the CRA framework evolves and as its implementation details become clearer.

Despite these uncertainties and challenges, the CRA represents an essential evolution in how we manage cybersecurity in various products. Collaboration between industry, conformity assessment bodies, and regulators will be crucial in transforming the CRA’s ambitions into consistent, practical, and measurable security assurance.

The Bucharest conference was an excellent opportunity to exchange perspectives and align on the next steps toward implementation. The message is clear: the CRA is coming, and it applies to nearly everyone building digital products for the European market. Now is the time for manufacturers to act, raise awareness internally, and prepare for compliance.
