What is the Cyber Resilience Act?
Official definition of CRA
The Cyber Resilience Act (CRA) is a European Union regulation that establishes cybersecurity requirements for all digital products placed on the European market. It applies to software, connected devices, and digital components integrated into larger systems.
Unlike a directive, this regulation is directly applicable in each Member State. It thus creates a harmonized framework for the security of digital products within the European Union, without local interpretation or transposition deadlines.
What are the objectives of the regulation?
The CRA has three main objectives:
- Raise the level of cybersecurity for products right from the design stage.
- Sustainably reduce exploitable vulnerabilities in the European market.
- Improve transparency and incident management throughout the product lifecycle.
In concrete terms, the regulation brings about a paradigm shift: security is no longer corrected after the fact. It becomes a structural element of product development, on a par with performance, cost, and ergonomics.
Difference with NIS2, DORA, GDPR
The CRA is part of an already dense regulatory landscape:
- NIS2 regulates the security of essential and important entities.
- DORA targets the operational resilience of the financial sector.
- The GDPR protects personal data.
The Cyber Resilience Act stands out for its approach: it does not regulate organizations, but products. It acts upstream, on the digital elements themselves, whether they are integrated into services, industrial systems, or business tools.
Which products are affected?
The following are affected:
- Software (on-premise, SaaS, embedded)
- Connected devices
- Products containing digital elements
- Components used in larger systems
In other words, almost all digital products used in businesses fall within the scope of the regulation: ERP, HR tools, business solutions, industrial sensors, network equipment, etc.
Security by design and by default logic
The text imposes a logic of security by design and by default: security must be integrated from the design stage and activated by default.
This involves, in particular:
- Reducing the attack surface
- Proactive vulnerability management
- The ability to deploy security updates
- Clear documentation of residual risks
Cybersecurity thus becomes an intrinsic feature of the product, rather than a simple add-on.
Who is affected by the Cyber Resilience Act?
Digital product manufacturers:
Manufacturers are on the front line. They must ensure that their products comply with the requirements of the regulation, from the development phase to the end of their life cycle.
Software publishers:
Publishers are subject to the same obligations: vulnerability management, update mechanisms, security documentation, incident response processes.
Integrators/suppliers:
Integrators, importers, and distributors must ensure that the products they place on the market comply with the CRA.
Other stakeholders involved in the CRA:
Even if you are not a publisher, you are directly affected:
- As a user, you must demand compliance guarantees.
- As a CISO, you must assess the risks associated with the products used.
- As an organization, you must document your exposure.
The CRA transforms the supplier relationship into a structural cybersecurity issue.
What are the requirements of the Cyber Resilience Act?
Product security requirements
The regulation imposes a common set of requirements:
- Products designed to limit vulnerabilities
- Secure update mechanisms
- Protection against unauthorized access
- Documented risk management
- Security maintained throughout the entire service life
These obligations apply to all relevant digital products, regardless of the size of the operator.
Reporting obligations
Manufacturers must:
- Detect incidents and exploited vulnerabilities
- Notify the authorities within strict deadlines
- Inform users
- Retain information that can be used for evaluation purposes
Reporting is becoming a central pillar of regulation, just like security itself.
Penalties for non-compliance
The Cyber Resilience Act is based on a particularly dissuasive penalty system. In the event of non-compliance with European regulations, authorities may impose:
- fines of up to €15 million or 2.5% of global annual turnover (whichever is higher) for the most serious violations;
- up to €10 million or 2% of global annual turnover for other breaches of cybersecurity obligations;
- up to €5 million or 1% of turnover in the event of inaccurate or misleading information being provided to the authorities.
In addition to financial penalties, the CRA provides for strong operational measures:
- withdrawal or recall of non-compliant products,
- marketing ban,
- compliance orders with deadlines.
These penalties come with major legal, reputational, and contractual risks, which can even lead to exclusion from certain supply chains.
The Cyber Resilience Act is clearly part of a restrictive approach: cybersecurity for digital products is becoming a regulatory, economic, and strategic prerequisite.
When does the Cyber Resilience Act come into effect?
The Cyber Resilience Act was passed in 2024 and came into force on December 10, 2024.
A transition period is planned to allow market players to adapt their products, processes, and organization. The deadline for full compliance is December 11, 2027: after this date, only compliant products may be placed on the European Union market.
Certain interim obligations will apply as early as 2026, particularly with regard to vulnerability and incident reporting. For CISOs, this means one thing: preparations must begin well before 2027.
Cyber Resilience Act: what are the implications for CISOs?
Increasing number of requirements to be met:
The CRA adds a new layer of regulation alongside NIS2, ISO 27001, and DORA. Each text brings its own set of requirements, evidence, and audits.
Increased supplier control:
Cybersecurity no longer depends solely on your internal systems. It relies on the robustness of the products you use. Your suppliers' compliance is becoming a key factor in your own level of resilience.
Factual and rigorous management:
The CISO must now:
- Centralize supplier information
- Structure requirements
- Assess discrepancies
- Produce actionable reports
- Demonstrate compliance over time
The CRA requires industrial compliance management.
How to prepare for the Cyber Resilience Act?
1. Map the digital products used
Identify all products containing digital elements: business software, SaaS tools, connected devices, critical components. This mapping becomes the basis for your CRA governance.
2. Identify critical suppliers
Not all suppliers present the same level of risk. Prioritize those that impact your sensitive systems, critical data, or business continuity.
3. Define CRA requirements
Translate the text into operational requirements: security criteria, contractual clauses, reporting expectations, update commitments.
4. Collect evidence of compliance
Certifications, attestations, technical documents, contractual commitments: each item must be centralized, tracked, and logged.
5. Track deviations
Compare the actual status of products with regulatory requirements to identify residual risks and drive concrete action plans.
6. Prepare reporting
You must be able to produce clear reports for:
- Management
- Auditors
- The authorities
- The partners
The CRA transforms reporting into a strategic asset.
Centralize, automate, report: the key to managing the CRA over the long term
Why Excel is no longer sufficient:
Spreadsheets do not enable traceability or alignment between requirements, evidence, and risks. They quickly become unmanageable given the complexity of the regulatory framework.
Why general-purpose tools quickly reveal their limitations:
They do not manage:
- Regulatory frameworks
- The links between products, suppliers, and requirements
- Monitoring over time
- Structured reporting
The result: fragile compliance that is time-consuming and difficult to defend in audits.
What a modern platform should enable:
An effective GRC platform must:
- Centralize CRA requirements
- Align them with ISO, NIS2, and other regulations
- Automate information gathering
- Monitor deviations
- Produce audit-ready reports
It is this shift from "artisanal" compliance to "industrial" compliance that makes all the difference.
How Tenacy helps CISOs navigate the Cyber Resilience Act
Tenacy is the leading GRC platform for managing multi-compliance in cybersecurity. It models the main standards (ISO 27001, NIST, SOC2, DORA, etc.) and integrates the CRA reference framework.
With Tenacy, you can:
- Generate action plans based on the CRA reference framework
- Align it with your other cybersecurity frameworks
- Centralize all information and evidence
- Track your deviations in real time
- Generate actionable reports in just a few clicks
Instead of struggling with complex regulations, CISOs now have a tool to industrialize compliance, increase efficiency, and enhance their impact.
Are you affected by the Cyber Resilience Act? Request a demo and discover how Tenacy simplifies your compliance management.
The Cyber Resilience Act: a summary
The CRA marks a major turning point for cybersecurity in Europe. The regulation:
- Creates a common framework for digital products
- Imposes strict obligations on manufacturers and publishers
- Directly impacts users and CISOs
- Strengthens accountability throughout the entire life cycle
- Makes reporting and traceability the cornerstones of compliance
In an increasingly dense regulatory landscape, the ability to centralize, automate, and report becomes a strategic advantage. This is precisely what Tenacy enables: transforming regulation into controlled, transparent, and sustainable management.