
The Cyber Resilience Act (CRA) is set to fundamentally transform how digital products are developed, maintained, and introduced to the European market. This landmark regulation establishes mandatory cybersecurity requirements for products featuring digital elements, encompassing connected devices, embedded software, and cloud-connected services.
To ensure security obligations remain proportionate, the CRA categorizes products into Class I and Class II. Class I encompasses the majority of products, allowing manufacturers to utilize internal controls and self-assessments. Conversely, Class II includes products with greater cybersecurity relevance, demanding more rigorous conformity assessment procedures that often involve a notified body. Ultimately, this classification directly dictates the required level of assurance, documentation, and your specific compliance pathway.
Although the CRA entered into force in December 2024, many organizations still underestimate how rapidly key milestones are approaching. Requirements concerning vulnerability and incident reporting will take effect starting September 2026, while the comprehensive set of obligations will apply to all products placed on the EU market from December 2027.
For companies engineering complex digital products, this timeline is far shorter than it appears. Achieving true CRA compliance requires much more than simply updating documentation. It demands foundational changes to your engineering practices, governance structures, and overall product lifecycle management.
While the Cyber Resilience Act is frequently interpreted at the product level, compliance cannot be achieved product by product in isolation—especially within organizations managing extensive portfolios. Companies overseeing hundreds or thousands of products must embed cybersecurity, compliance processes, and governance models at the organizational level to guarantee both consistency and scalability.
At Nemko Digital, we advocate for a holistic approach to Cyber Resilience Act preparation. CRA readiness isn't solely about making individual products compliant; it’s about establishing shared processes, defining clear ownership, and enabling tooling that allows compliance to be executed consistently across all teams and product lines. The six steps outlined below detail the product compliance journey, though their ultimate success depends on how effectively you embed them into your organizational structures and operational practices.

1. Discovery and Alignment
The crucial first step in preparing for the CRA is establishing a shared understanding of exactly how the regulation applies to your organization. This typically requires close alignment among product teams, cybersecurity specialists, legal advisors, and executive leadership.
Organizations must clearly determine which products fall within scope and identify their specific role under the regulation. These roles—whether as a manufacturer, importer, or distributor—define the exact responsibilities your organization must fulfill.
In larger organizations, this step also builds the foundation for scaling CRA compliance across multiple product lines. It ensures that governance and ownership models can be consistently applied, rather than constantly redefined for every single product.
Activities in this stage usually include:
- Identifying products with digital elements that fall within CRA scope
- Clarifying regulatory roles and responsibilities
- Determining whether products fall into Class I or Class II categories
- Establishing governance structures and decision-making processes
For example, a manufacturer of smart home thermostats might begin by mapping all products sold in the EU, including device firmware, mobile applications, and associated cloud services. During this exercise, the company might determine that its devices fall into the Class I category rather than Class II, a distinction that directly influences how compliance and certification will be approached later.

2. Applicability and Requirements
Once your scope and governance are clearly defined, organizations must translate these regulatory obligations into concrete operational requirements. The CRA outlines essential cybersecurity requirements that apply across the entire product lifecycle.
These requirements address critical areas such as secure development practices, vulnerability management, transparency toward users, and the ability to provide consistent security updates throughout the product's support period.
At this stage, organizations should define what compliance means in practical terms by establishing a clear definition of done for Cyber Resilience Act readiness.
Typical activities include:
- Mapping CRA requirements to internal policies and development processes
- Identifying applicable technical standards and security frameworks
- Determining additional obligations for high-risk products
- Assigning accountable owners for each requirement
The distinction between Class I and Class II products becomes highly important here. Class II products must meet stricter requirements and will likely require more comprehensive documentation and rigorous assurance processes.
For instance, a manufacturer of wearable fitness devices might translate CRA requirements into specific development checkpoints, such as mandatory threat modelling and security testing. If the company were developing a product categorized as Class II, it might also need to align its development processes with additional standards to support future certification.
Standards Are Evolving, Preparation Should Not Wait
At this stage, many organizations raise questions about the availability of harmonized technical standards that will support CRA compliance. While these are still under development—with an official publication deadline set for 16 July 2027—the overall direction of these standards is already clear. They are expected to build upon existing best practices in secure development, vulnerability management, and product lifecycle security, concepts many organizations are already familiar with.
This means organizations should not wait for the final standards to begin their preparation. Leading companies are already aligning their processes with established frameworks and implementing core capabilities such as security by design, vulnerability handling, and robust documentation practices. Starting now allows organizations to build maturity progressively and avoid compressed, stressful timelines as regulatory deadlines approach.
3. Gap Analysis and Roadmap
With requirements clarified, organizations should evaluate their current level of readiness. Many companies already have security practices in place, but these existing practices may not fully address CRA expectations or might lack the documentation needed to actively demonstrate compliance.
A structured gap analysis compares your existing processes and controls against specific CRA requirements. This assessment identifies exactly where improvements are necessary and helps prioritize your remediation efforts effectively.
Typical focus areas include:
- Integration of cybersecurity requirements into development processes
- Maturity of vulnerability management and disclosure practices
- Availability of technical documentation and compliance evidence
- Readiness for potential third-party conformity assessments
The roadmap that follows will differ depending on whether your products fall into Class I or Class II categories. Class II products typically require more extensive preparation for external conformity assessments and formal certification procedures.
At an organizational level, this phase often reveals fragmentation across teams—for example, where different business units follow inconsistent security practices or documentation standards. Addressing these inconsistencies head-on is critical to enabling a truly scalable compliance approach.
For example, a manufacturer of connected industrial sensors may discover that while security testing is already performed, the organization is not prepared for an external conformity assessment that could apply to certain product categories. The resulting roadmap might therefore include strengthening documentation and preparing processes for third-party audits.
4. Remediation and Controls
Once priorities have been defined, organizations can begin implementing the controls and operational changes needed to meet CRA expectations. This phase focuses heavily on embedding cybersecurity practices directly into your development and operational workflows.
Implementing these changes often requires close, cross-functional collaboration between engineering, security, product management, and compliance teams.
Typical initiatives include:
- Integrating security by design principles into development workflows
- Implementing Software Bill of Materials (SBOM) management capabilities
- Establishing coordinated vulnerability disclosure processes
- Strengthening governance procedures for product security risk management
For example, a company developing connected medical devices may introduce automated security scanning into its software development pipeline. Every time the software is updated, the process can automatically generate a Software Bill of Materials and check for known vulnerabilities in third-party components. These proactive measures help ensure the product meets both regulatory expectations and internal security standards.
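The pipeline step described above, as an added example that is not Nemko Digital's code or a tool the article recommends: a small Python gate that reads a CycloneDX-style SBOM and checks each component's version against a list of known-vulnerable version ranges. The SBOM and the advisory list are constructed inline and the advisory identifiers (EXAMPLE-ADV-…) are placeholders; a real pipeline would take the SBOM from the build and the ranges from a vulnerability database. A component whose advisory has no fixed release is still reported rather than skipped, since that is the case a monitoring process must track until a patch exists.

```python
"""Added example: a minimal CI gate that checks SBOM components against
known-vulnerable version ranges. Sample data below is constructed."""
import json
import re
import sys

# Constructed sample SBOM (CycloneDX-like JSON, trimmed to the fields used here).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2"},
        {"type": "library", "name": "libbar", "version": "2.0.1"},
        {"type": "library", "name": "libbaz", "version": "0.9.0"},
        {"type": "library", "name": "libqux", "version": "3.1.0"},
    ],
}

# Constructed advisory feed (OSV-like shape). IDs are placeholders, not real advisories.
# "fixed": None means no fixed release exists yet.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "libfoo", "introduced": "1.0.0", "fixed": "1.4.5"},
    {"id": "EXAMPLE-ADV-0002", "package": "libbar", "introduced": "2.0.0", "fixed": "2.0.1"},
    {"id": "EXAMPLE-ADV-0003", "package": "libqux", "introduced": "3.0.0", "fixed": None},
]


def parse_version(text):
    """Turn '1.4.2' (or '1.4.2-rc1') into a tuple of ints for ordering.
    Only numeric dotted versions are handled; anything else raises."""
    parts = re.findall(r"\d+", text.split("-")[0])
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means open-ended)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable_components(sbom, advisories):
    """Return one finding per (component, advisory) match, including the fix hint."""
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # a component without a version cannot be matched reliably
        for adv in advisories:
            if adv["package"] != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],  # None: no fixed release yet
                })
    return findings


def main(argv):
    """Read an SBOM file from argv[1] (or use the built-in sample); non-zero exit fails the build."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sbom = json.load(fh)
    else:
        sbom = SAMPLE_SBOM
    findings = find_vulnerable_components(sbom, SAMPLE_ADVISORIES)
    for f in findings:
        fix = f["fixed_in"] or "no fixed release available"
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in: {fix})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the sample result (two findings, exit status 1); in a pipeline, pass the path of the SBOM produced by the build. The range check treats the "fixed" version as the first safe release, so libbar at 2.0.1 is correctly not flagged, and a missing "fixed" value keeps the component on the report until an update is available.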
For organizations managing large product portfolios, standardization is key. Controls should be implemented in a way that allows them to be seamlessly reused across teams through shared frameworks, templates, and tooling.
5. Validation, Testing and Certification
Before products can be placed on the EU market, manufacturers must actively demonstrate that they meet CRA cybersecurity requirements. The level of conformity assessment required depends entirely on whether the product falls into Class I or Class II.
Class I products typically allow manufacturers to perform internal conformity assessments and self-declare compliance. Class II products, however, may require independent evaluation by accredited third-party conformity assessment bodies before they can be legally placed on the market.
This stage focuses on verifying the effectiveness of your implemented controls and preparing the comprehensive documentation required for regulatory assurance.
Key activities typically include:
- Conducting security testing and product risk assessments
- Reviewing technical documentation and compliance evidence
- Preparing the EU Declaration of Conformity
- Supporting CE marking where applicable
For example, a manufacturer of network routers preparing a new device for the European market may conduct penetration testing on the router firmware and connectivity interfaces. If the device falls into a Class II category, the results of these tests and the associated documentation may be reviewed by an external certification body as part of the conformity assessment process.
6. Enhancements and Monitoring
CRA compliance does not end the moment a product is released. Manufacturers must maintain robust cybersecurity throughout the entire product lifecycle and rapidly respond to vulnerabilities that may arise after deployment.
Organizations must therefore establish operational processes that support continuous monitoring and agile response.
Key capabilities include:
- Monitoring vulnerabilities affecting deployed products
- Issuing security updates during the defined support period
- Reporting actively exploited vulnerabilities and significant incidents
- Tracking evolving regulatory requirements
At scale, this requires centralized oversight combined with distributed execution. Organizations must ensure that monitoring, reporting, and response processes are consistently applied across all products, while still empowering individual teams to operate efficiently.
For example, a company producing connected electric vehicle charging stations may need to monitor vulnerabilities in the software components used in its systems. If a critical vulnerability is discovered, the company must assess the impact, develop a patch, distribute the update, and—where required—report the incident under CRA reporting obligations.
From Compliance to Digital Trust
The Cyber Resilience Act represents a significant shift in how cybersecurity is regulated within the European digital market. Moving forward, cybersecurity is becoming a strict prerequisite for market access for many digital products.
Organizations that begin preparing early can seamlessly integrate security practices into their engineering processes and product lifecycle management. This proactive approach not only reduces regulatory risk but also strengthens product resilience and builds lasting customer trust. Conversely, companies that delay preparation may face compressed timelines, costly engineering changes, and potential disruptions to critical product launches.
In practice, the right starting point depends heavily on your organization's current level of maturity and internal alignment.
For many larger organizations, the first priority is to establish internal alignment before moving into detailed implementation. This typically involves clarifying which products are in scope, defining responsibilities across teams, and setting up governance structures that enable compliance to scale across the organization.
Where this foundation is already in place, organizations can move more directly into translating CRA requirements into internal standards and assessing current capabilities against those expectations. This allows them to identify gaps, prioritize actions, and begin structured remediation.
From there, organizations can progress through the remaining steps, focusing on implementation, validation, and the establishment of sustainable monitoring capabilities.
Taking a structured and phased approach enables organizations to move forward pragmatically while building the organizational capabilities required to scale compliance across large product portfolios.
For organizations developing advanced digital technologies, including AI-enabled systems, aligning cybersecurity with broader trust and compliance frameworks is becoming increasingly important. Building these capabilities today allows companies to meet CRA obligations while delivering digital products that are secure, resilient, and trustworthy by design.
At Nemko Digital, we are equipped to support a substantial part of your Cyber Resilience Act preparation effort, covering up to 80% of the required activities. This is especially valuable for organizations with limited internal capacity or complex product portfolios. We provide end-to-end support across governance, risk assessment, implementation, and compliance preparation within the broader cybersecurity domain, helping organizations translate CRA requirements into operational practices in a structured and scalable way.
AI Author Expert
Before joining Nemko Digital, Alicja Halbryt worked for the Dutch Ministry of Economic Affairs as an AI standardisation expert at CEN/CENELEC JTC 21. She holds an MSc in Philosophy of Technology and an MA in Human-Centred Design. She is dedicated to shaping an ethical and human-aligned AI ecosystem.