Product Security and EU CRA
Resilient. Compliant. At AI speed.
The Cyber Resilience Act (CRA) is changing the rules of the game for digital products in Europe. Modern AI models can reduce the time between the discovery and exploitation of vulnerabilities to less than 24 hours. CLOUDYRION makes your products secure against the new AI threat landscape and ready for the CRA – with Secure by Design and Ethical Hacking.
What is the EU Cyber Resilience Act?
The first EU-wide regulation to establish mandatory cybersecurity requirements for all products containing digital components. The Cyber Resilience Act (CRA) entered into force on December 10, 2024, and affects virtually every manufacturer, importer, and distributor of products with digital elements – from IoT sensors to industrial control systems, video conferencing systems, smartwatches, and device management as Software-as-a-Service (SaaS). Unlike previous directives, the CRA takes a holistic approach to the product lifecycle: security must be considered from planning, design, development, manufacturing, delivery, and maintenance (for at least 5 years) through to end of support. The Essential Cybersecurity Requirements in Annex I cover topics such as access control, data confidentiality, product availability, product verification, risk assessment, secure default configuration, data minimization and purpose limitation, user instructions, event monitoring, and vulnerability management.
Planning
Risk assessment, product classification, and the support period are determined before a single line of code is written.
Conception
Security architecture, attack surface, access control, and update mechanisms are established as “Secure by Design” (SbD) requirements.
Development
SBOM requirements are implemented, vulnerability management is established, third-party components are reviewed, and the SBOM is created.
Production
The product undergoes conformity assessment, receives the CE marking, and is approved for shipment. The technical documentation, which includes the SbD requirements, is central to this process. Ethical Hacking tests the finished prototype for known vulnerabilities prior to mass production.
Delivery
User information, contact points, and the end date of the support period are made publicly available online.
Maintenance
Vulnerabilities are addressed on an ongoing basis, new capabilities and features are added via SbD, security updates are released, and incidents are reported within the CRA deadlines.
End of Support
Users are notified, a safe decommissioning is ensured, and the documentation is retained.
The Federal Office for Information Security (BSI) is expected to assume the responsibilities of the national market surveillance authority. The BSI has published Technical Guideline TR-03183 (Cyber Resilience Requirements for Manufacturers and Products), whose parts cover general requirements, the SBOM, and vulnerability reports and notifications, as guidance for implementing the CRA in Germany. For companies without structured cybersecurity processes, this will require significant adjustments.
Complication
The Cost of Non-compliance
The CRA imposes severe penalties, and market surveillance authorities can remove products from the market.
€15 million
or 2.5% of global annual turnover for serious violations of the essential cybersecurity requirements, manufacturer obligations, or reporting obligations.
€10 million
or 2% of global annual turnover for less serious violations and documentation deficiencies.
€5 million
or 1% of global annual turnover for false, incomplete, or misleading information provided in response to market surveillance inquiries.
Market withdrawal
Market surveillance authorities may prohibit sales, recall products, or have them withdrawn from the market.
CRA Risk Classes: Which Tier Applies to You?
The CRA distinguishes three risk classes with increasing requirements for conformity assessment. The classification determines your adaptation needs.
Standard (Default)
Not listed in Annex III or IV
The Standard category covers approximately 90% of all products with digital elements. These products present a lower cybersecurity risk but must nevertheless meet all essential cybersecurity requirements under Annex I. A self-assessment (Module A) by the manufacturer is sufficient, provided the technical documentation and risk assessment meet the requirements of the national market surveillance authority, presumably the BSI.
Affected Products
- Standard software
- Business applications
- Smart devices (without AI assistance, monitoring, or security functionality)
- Wearables (for adults, without health data)
- Toys (without internet functionality, social interaction, or location tracking)
and others
Requirements
- Secure by Design – All essential cybersecurity requirements implemented
- Vulnerability Management – SBOM, updates, CVD strategy, and reporting obligations to CSIRT + ENISA (24h / 72h / 14 days or 1 month respectively)
- Documentation & Conformity – Technical documentation, risk assessment, CE marking, user information. Retention for at least 10 years or the support period.
- Conformity Procedure: Self-assessment by the manufacturer (Module A)
Class I (Important)
Annex III (important products)
Class I products carry an elevated cybersecurity risk and play a significant role in network and system security. This includes industrial and consumer products for adults or children that provide AI assistance, security, or monitoring functionality, e.g. health monitoring. Class I products permit a self-assessment (Module A) provided that harmonized standards are applied in full; otherwise, third-party assessment by a notified body is required (Module B + C or H).
Affected Products
- Identity management, including readers
- SIEM systems
- Routers, switches, and VPN products
- Smart devices (with AI assistance, monitoring, or security functionality)
- Wearables (with health monitoring or for children)
- Toys (with internet functionality, social interaction, or location tracking) and others
Requirements
- Secure by Design – As Standard
- Vulnerability Management – As Standard
- Documentation & Conformity – As Standard
- Conformity Procedure: Self-assessment (Module A) only with full application of harmonized standards – otherwise third-party assessment by a notified body (Module B+C or H)
Class II (Important+, elevated risk)
Annex III (important products)
Class II covers products with the highest risk potential among the important products. A security incident can have severe cascading effects on numerous systems – for instance through central functions such as virtualization or network protection. Third-party assessment is always mandatory here, even with full application of harmonized standards.
Affected Products
- Firewalls, IDS/IPS systems
- Hypervisors and container runtime systems
- Tamper-resistant microprocessors and microcontrollers and others
Requirements
- Secure by Design – As Standard
- Vulnerability Management – As Standard
- Documentation & Conformity – As Standard
- Conformity Procedure: Always third-party assessment (Module B+C, H, or EU certification “substantial”). No self-assessment possible.
Critical (highest security tier)
Annex IV
Critical products with digital elements form a small group of product categories intended for critical infrastructure and security-relevant applications. They require assessment by a notified body, the strictest form of conformity assessment. A failure of these products can have severe effects on public safety, health, or essential societal functions.
Affected Products
- Smart meter gateways in smart metering systems
- Hardware Security Modules (HSMs) / hardware devices with security boxes
- Smart cards with security elements/cryptography functions
- Additional devices for advanced security purposes, including secure crypto-processing
Requirements
- Secure by Design – As Standard
- Vulnerability Management – As Standard
- Documentation & Conformity – As Standard
- Conformity Procedure: EU cybersecurity certification (at least “substantial”) once the delegated act is in place. Until then: as Class II.
The CRA-Ready Framework
Our field-proven framework systematically addresses all CRA requirements throughout your product lifecycle—with “Secure by Design” at every stage:
Planning
Conduct risk assessment and threat modeling
Determine product classification and scope of application
Define the support period
Define due diligence criteria for third-party components and open source software (Vendor Risk Assessment)
Conception
Secure by Default: Designing a Secure Default Configuration
Minimizing the attack surface, including for external interfaces
Embedding access control and authentication into the architecture
Encryption strategy for data at rest and in transit
Implementing data minimization as a design principle
Developing an availability and resilience concept
Design an update architecture: automatic security updates
Create a logging and monitoring concept
Identify Key Risk Indicators (KRI)
Implement mechanisms for detecting and responding to security incidents
Development
Build and maintain an SBOM
Build and maintain a pipeline for automated and rapid vulnerability detection
Establish vulnerability management for third-party components and report findings
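The three development steps above (build and maintain an SBOM, automate vulnerability detection, manage third-party components) can be wired together in a small pipeline. The following is an added example, not CLOUDYRION's tooling and not code from the page: it assembles a CycloneDX-style SBOM from a constructed component inventory, checks each component record for the fields the example treats as mandatory (the minimum field set in practice comes from the applicable standard, e.g. BSI TR-03183 part 2, and may differ), and matches the components' package URLs against a constructed advisory feed with version ranges. Component names, versions, suppliers, and the advisory identifiers are all constructed for illustration.

```python
"""Added example: build a CycloneDX-style SBOM and cross-check it against a
vulnerability feed. Not the page's or CLOUDYRION's code; all inputs below are
constructed for illustration and the advisory IDs are not real CVEs."""
import json
from datetime import datetime, timezone

# Constructed component inventory: (name, version, ecosystem, supplier).
COMPONENTS = [
    ("openssl", "3.0.9", "generic", "OpenSSL Project"),
    ("zlib", "1.2.11", "generic", "zlib contributors"),
    ("requests", "2.31.0", "pypi", "Python Software Foundation"),
]

# Constructed advisory feed (hypothetical IDs). "fixed" is the first safe
# version; versions >= introduced and < fixed are affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pkg:generic/zlib",
     "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "EXAMPLE-0002", "package": "pkg:pypi/requests",
     "introduced": "2.0.0", "fixed": "2.31.0"},
]

# Fields this example treats as mandatory per component (assumption).
REQUIRED_FIELDS = ("name", "version", "supplier", "purl")


def purl(ecosystem, name, version):
    """Package URL in the form used by SBOM tooling: pkg:type/name@version."""
    return f"pkg:{ecosystem}/{name}@{version}"


def version_key(version):
    """Turn a dotted version into a comparable tuple; non-numeric parts -> 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (half-open range)."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def build_sbom(product_name, product_version, components):
    """Minimal CycloneDX 1.5 JSON document for a product and its components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "device", "name": product_name,
                          "version": product_version},
        },
        "components": [
            {"type": "library", "name": name, "version": ver,
             "supplier": {"name": supplier}, "purl": purl(eco, name, ver)}
            for (name, ver, eco, supplier) in components
        ],
    }


def missing_fields(sbom):
    """List (identifier, [missing field names]) for incomplete component records."""
    problems = []
    for comp in sbom["components"]:
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            problems.append((comp.get("purl") or comp.get("name"), missing))
    return problems


def match_advisories(sbom, advisories):
    """Return one finding per (component, advisory) pair whose version is affected."""
    findings = []
    for comp in sbom["components"]:
        base, _, version = comp["purl"].rpartition("@")
        for adv in advisories:
            if adv["package"] == base and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                findings.append({"purl": comp["purl"], "advisory": adv["id"],
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    sbom = build_sbom("example-gateway", "2.0.0", COMPONENTS)
    print(json.dumps(sbom, indent=2))
    print("incomplete records:", missing_fields(sbom))
    print("findings:", match_advisories(sbom, ADVISORIES))
```

Running the block prints the SBOM and a single finding for zlib 1.2.11 (fixed in 1.2.12); requests 2.31.0 is not flagged because it equals the advisory's first fixed version. In a real pipeline the advisory feed would be pulled from a vulnerability database and the findings fed into the vulnerability management process rather than printed.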
Production
Test the finished prototype using ethical hacking as effective evidence for the CRA requirement that the product is placed on the market without known exploitable vulnerabilities
Use the ethical hacking results and the vulnerability reports from the pipeline as evidence that no exploitable vulnerabilities are identifiable at the time of placing on the market (Annex I, Part I, point 2(a))
Finalize technical documentation, including Secure by Design and Default requirements and the results of the risk assessment, threat modeling, and vendor risk assessment
Delivery
Provide a central point of contact for vulnerability reports from customers and security researchers
Provide a secure mechanism for distributing updates
Maintenance
Address and resolve vulnerabilities immediately
Implement a strategy for coordinated vulnerability disclosure (CVD)
Report actively exploited vulnerabilities and serious security incidents in a timely and appropriate manner
Ensure ongoing compliance when the threat landscape changes or new features are added, in particular after substantial modifications to the product
End of Support
Provide instructions for the safe decommissioning and secure deletion of user data
Secure by Design
Security as a Design Principle
The CRA makes "Security by Design" mandatory. We turn it into your competitive advantage. "Security by Design" means more than just a security audit at the end of the development process. It is a fundamental paradigm shift: cybersecurity becomes an integral part of every design decision, every line of code, and every architectural element. In Annex I, Part I, the CRA explicitly requires that products be placed on the market without known exploitable vulnerabilities, with a secure by default configuration, and designed to limit attack surfaces, including external interfaces. These requirements can only be met with a systematic Security-by-Design approach. CLOUDYRION helps your teams seamlessly integrate security requirements into the existing product lifecycle without slowing down your development speed.
Ethical Hacking
Think Like an Attacker

Everything you need
Upgrade your Cybersecurity Process
Upgrading your cybersecurity process not only strengthens your defense against threats but also integrates security strategies directly into your daily operations. This ensures long-term protection while keeping you agile in the face of new challenges.
Secure by Design
Secure By Design
More than just a service: a guarantee for a secure digital future. Integrate robust security measures from the very beginning into every phase of your system development.
Hacking
Ethical Hacking
We help you identify and fix vulnerabilities.
Consulting
Strategy Consulting
Team strengths for sustainable internal security expertise and a secure digital future.
Insights
Dive Deeper into the Topic

Secure by Design
CRA Compliance with Secure by Design and Pentesting
How Secure by Design and Pentesting Accelerate CRA Compliance
Is your business ready for the EU Cyber Resilience Act? Learn what the CRA means for your products, the challenges you need to overcome, and how secure by design and ethical hacking can turn compliance into a competitive edge.

Secure by Design
Why SBOM is Critical for Compliance Under the EU Cyber Resilience Act (CRA)
The EU Cyber Resilience Act (CRA) mandates Software Bill of Materials (SBOM) as a cornerstone of compliance for all products with digital elements sold in the EU. With the regulation now in force and key deadlines approaching, organisations that implement SBOM practices today gain both regulatory compliance and stronger supply chain security.

Secure by Design
Secure by Design 101
Secure by Design 101: Turning Security into a Competitive Advantage
Most organizations still treat security as an afterthought — added too late, at too high a cost. Secure by Design flips this script by embedding security into every decision from day one. Discover how this approach transforms risk reduction into real business advantage.
Frequently Asked Questions about the CRA

Ready for the Cyber Resilience Act?
Start with a free CRA-readiness-check and learn where your organization stands – and what steps to take next.
Request CRA-readiness-check