Cybersecurity has become a fundamental market requirement for both software and hardware products. The Cyber Resilience Act (CRA), formally Regulation (EU) 2024/2847, establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market.
Products falling within the scope of the regulation must carry CE marking before they can be marketed within the European Union. The regulation specifically addresses cybersecurity requirements, and non-compliance may lead to substantial turnover-based administrative penalties as well as withdrawal of products from the market.
The CRA is not simply another technical compliance obligation - it represents a broader shift in how digital products are designed, developed, delivered, and maintained throughout their lifecycle. Although the regulation will become fully applicable in December 2027, its effects are already shaping product development practices today.
Broad Scope Creates Challenges for Manufacturers
The regulation applies to products containing digital elements that connect either directly or indirectly to networks or other devices. Its scope is extensive, covering everything from consumer products to industrial systems and connected devices.
Some products governed by sector-specific legislation remain outside the CRA’s scope, including medical devices, certain automotive systems, and defence-related solutions. Cloud services are generally excluded unless they function as remote data processing solutions directly related to the product itself.
The CRA becomes fully applicable on 11 December 2027. However, obligations concerning vulnerability handling and incident reporting will already take effect on 11 September 2026.
Demonstrating Compliance
Compliance with the CRA is demonstrated through CE marking, which requires manufacturers to implement systematic cybersecurity governance throughout product design and development, supported by conformity assessment procedures.
The required conformity assessment process depends on the product classification category - such as default, important class I or II, or critical products. For default-class products, manufacturers may rely on self-assessment, whereas higher-risk categories are subject to stricter assessment requirements.
Manufacturers are also required to maintain comprehensive documentation, including cybersecurity risk assessments, technical documentation, and end-user instructions.

Strong Alignment Between CRA Requirements and Secure Software Development
The CRA’s requirements focus on three core areas:
Secure Development and Lifecycle Management
Products must be designed, developed, and manufactured to ensure cybersecurity measures are proportionate to identified risks. The requirements apply across the entire product lifecycle, from initial design through end-of-life management.
Cyber Security Capabilities of Products
Manufacturers must conduct cyber security risk assessments to ensure products satisfy the regulation’s essential cyber security requirements. These include secure-by-default configurations, protection of data confidentiality and integrity, and adherence to data minimization principles. Products must also support vulnerability remediation through security updates, and products placed on the market must not contain known exploitable vulnerabilities.
Vulnerability Management
Manufacturers are required to implement systematic vulnerability management processes. This includes identifying vulnerabilities and software components, remediating vulnerabilities without undue delay through patches and updates, and performing regular cybersecurity testing.
The practical interpretation of many CRA requirements will ultimately depend on harmonized standards currently under development, with the first standards expected during 2026. In the meantime, the European Commission’s FAQ material and draft guidance published in March 2026 already provide important interpretative direction.
There is a strong connection between CRA requirements and established Secure Development Lifecycle (SDL) frameworks. Organizations already operating according to recognized frameworks such as NIST SSDF, IEC 62443-4-1, or OWASP SAMM are likely to be in a strong position to meet future CRA requirements.
Practical Example — Cyber Security as a Competitive Advantage
Driven by digitalization and increasing regulation, cybersecurity has evolved into a core business requirement. In the industrial sector, for example, Sandvik Mining elevated cybersecurity into a strategic priority by strengthening its Secure Development Lifecycle practices and aligning them with internationally recognized cybersecurity standards.
Sandvik identified the need to systematically integrate cybersecurity into product development while simultaneously ensuring compliance with IEC 62443-4-1 requirements.
Insta was selected as the project partner due to its deep expertise in cybersecurity standards, extensive experience in similar implementations, and its established SDL model, which provided a structured foundation for the initiative.
As a result, Sandvik became one of the first companies in its industry to achieve IEC 62443-4-1 certification. The company has also established a roadmap toward Maturity Level 3 (ML-3). Through certification, Sandvik demonstrates standards-based cybersecurity maturity to both customers and regulatory authorities. Cybersecurity capabilities were strengthened across several product lines, reinforcing the company’s position as a pioneer in secure product development.
-------
Insta’s services combine expertise in information security, Secure Development Lifecycle (SDL) practices, and cyber security regulation. Insta’s secure software development approach integrates seamlessly with standards such as ISO 27001 and IEC 62443.
Read more:
Case Sandvik Mining: Strengthening Cybersecurity to Support Competitiveness
Data and Cyber Compliance Services