Forward NPD

Cyber Resilience Act: All-change for connected product compliance in Europe.

Written by David Carter, Head of Engineering, Forward NPD

The upcoming Cyber Resilience Act (CRA) represents one of the biggest shifts in European product regulation in years. For companies producing connected or software-enabled devices, achieving compliance won’t be a simple box-ticking exercise. It represents a fundamental change to how these products are designed, developed, documented, manufactured and maintained throughout their lifecycle.

At Forward NPD, our work spans electronics, embedded software, and regulatory compliance. We are already seeing that many established businesses – even those with mature product lines – may be exposed to substantial compliance gaps once the CRA takes full effect.

A new baseline for digital product cybersecurity

The CRA introduces mandatory cybersecurity requirements for virtually any product with ‘digital elements’. It is applied to products that are intended, or reasonably expected, to interact with other devices or networks – either directly or indirectly. For example, a digital thermostat operating entirely independently would fall outside of the CRA’s scope, while a smart thermostat controlled via a smartphone app would be within scope. Manufacturers need to carefully assess connectivity – both direct and indirect – to determine if the regulation applies.

Crucially, the CRA is not just guidance. It is a regulation that will apply directly across all EU member states from December 2027. And it will apply to products which are currently on the market if they are to be sold after the application date.

What makes the CRA so different is its lifecycle view of security. It requires manufacturers to embed security at the design stage – for instance, through secure boot, data protection and encryption, and provision of secure update mechanisms – and to address known vulnerabilities through structured vulnerability-handling processes, which provide a repeatable workflow to identify, assess, mitigate, and report security issues. This approach elevates cybersecurity from a ‘nice to have’ feature to a core engineering requirement, alongside safety, EMC, and functional performance.

Where the CRA meets the CE mark

A point that isn’t widely appreciated is that the CRA introduces CE marking for cybersecurity. Manufacturers will need to demonstrate conformity – often through self-declaration, but in some cases through third-party assessment or EU cybersecurity certification for higher-risk products (depending upon default, important, or critical classification). The technical file must include evidence of secure design decisions, a Software Bill of Materials (to track all software components and dependencies, including open source, for transparency and vulnerability management), risk analyses, vulnerability-management processes, and update mechanisms.

For organisations that already treat European Conformity (CE marking) seriously, the structure will be familiar, but the content and expectations are significantly expanded.

Importantly, the CRA is an EU regulation. Products sold in Great Britain under the UKCA mark are not automatically subject to CRA requirements – unless the UK adopts a similar regulation in the future. That said, for any device you plan to ship into the EU or Northern Ireland, CRA compliance (and CE marking) will be essential post-2027.

The interaction with the Radio Equipment Directive

The CRA does not replace the RED; it sits alongside it. A product with radio capabilities must comply with the RED’s cybersecurity measures where applicable, as well as the CRA’s broader lifecycle-security obligations. In practical terms, this means a single CE mark supported by evidence of compliance with both frameworks. For engineering teams, this introduces additional technical considerations, particularly around network misuse, access control, and secure software behaviour.

Why compliance matters today

A significant fraction of today’s connected products – especially legacy designs – were not developed with this level of cybersecurity scrutiny. Many lack robust update mechanisms, formal threat modelling, or documented secure-development processes. Under the CRA, these gaps will become regulatory non-compliance issues, not merely engineering weaknesses. Even products that are currently standalone or minimally connected may need future-proofing, should connectivity or functionality changes be planned.

Preparing for the CRA is not just a matter of writing new documentation. It often requires rethinking architectures, redesigning update pipelines, validating secure defaults, and introducing structured vulnerability-handling processes that may not currently exist. For products with long lifecycles or that are difficult to update in the field, these challenges are particularly acute.

Structured vulnerability handling in practice

Under the CRA, manufacturers must implement a structured workflow for handling vulnerabilities throughout a product’s lifecycle. This typically involves:

  • Receiving and logging reports from customers, security researchers, or internal test processes.
  • Triaging and classifying vulnerabilities using frameworks like Common Vulnerability Scoring System (CVSS) to assess severity and risk.
  • Developing and testing fixes, such as firmware or software patches, while ensuring no new vulnerabilities are introduced.
  • Deploying updates securely and documenting all actions in the technical file.
  • Reporting exploited vulnerabilities to the EU reporting platform within prescribed timelines.

This process not only supports compliance but also ensures ongoing product security and resilience.

Where Forward NPD can help you be ready

Our work increasingly involves helping customers understand where their existing products stand relative to the CRA and updated RED requirements. Solutions can be architectural, process-based, or a combination of both. Early gap analysis combined with pragmatic secure-by-design engineering gives companies the clearest path forward – particularly for complex or safety-critical products.

Uncertainty around CRA compliance doesn’t have to slow product development. Forward NPD can help you assess, plan, and implement the right processes, ensuring your products meet the new requirements while keeping your engineering roadmap on track.

To find our more about CRA and how it could affect you and your product developments, get in touch with our team today. 

How can we help you?

Call us on +44 1223 236 262, or fill in the contact form.

Forward NPD
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.