Fraunhofer IEM

Alexandra Hose

Cyber Resilience Act adopted by the EU

The Cyber Resilience Act (CRA) had been announced for a long time and was officially adopted on October 10, 2024. This means that new EU-wide minimum security requirements will apply to a large number of networked devices and their software from November 2027; vulnerability reporting obligations will apply even earlier, from August 2026.

At its Secure Engineering Lab in Paderborn, Fraunhofer IEM supports companies in adapting their processes and products to the new EU CRA directives. © Fraunhofer IEM

Product manufacturers in particular are held accountable: they must ensure that their products meet the security criteria for the European market. Fraunhofer IEM is working with companies such as Adesso mobile solutions, Phoenix Contact and Kraft Maschinenbau to develop security measures, and provides tips on how companies can prepare themselves for the CRA.

"The transition period until the CRA must be fully complied with in 2027 is short. Companies will have to reposition themselves in many areas, from carrying out security risk analyses and short-term reporting obligations when vulnerabilities become known to free security updates during the expected lifetime of the product," explains Dr. Matthias Meyer, Head of Software Engineering and IT Security at Fraunhofer IEM. Procrastination is not advisable, as non-compliance with the CRA can result in fines running into millions.

The research institute recommends that companies take three measures to start on the path to CRA-compliant product development.


1. Setting up a rapid response team for emergencies

If manufacturers become aware that vulnerabilities in their products are being exploited, they must in future inform the European Union Agency for Cybersecurity (ENISA) immediately: they must give an initial warning within 24 hours and provide further details on the nature of the vulnerability, possible countermeasures and more within 72 hours. In addition, they must be reachable at all times by people who want to report security vulnerabilities, and they must monitor whether vulnerabilities become known in a supplied software component. These are among the tasks of a Product Security Incident Response Team (PSIRT). Manufacturers that have not yet established a PSIRT should look into this, as the aforementioned obligations must be fulfilled from June 2026 for all products on the market, including those that were launched long before the CRA came into force.

2. Threat and risk analyses as a central instrument

Essentially, the CRA requires manufacturers to regularly analyze their products for security risks and to integrate security measures adapted to those risks. Companies must firmly embed threat and risk analyses for all products in the development process: in this way, they systematically identify threats, assess the respective security risk and derive informed, targeted protective measures and countermeasures. The security level of the software can thus be raised continuously and, above all, appropriately.

3. Overview through status quo analysis

Companies need to get an idea of which CRA requirements they already meet, both in terms of their processes across the product life cycle and in terms of specific products. Even though there are no harmonized standards for the CRA yet, experts unanimously consider the existing industrial cyber security standard IEC 62443 to provide good guidance. Companies can already carry out an analysis of the current status of their processes and products and derive measures from it.
