I am writing this article as the founder and owner of a small to medium-sized software company. At erminas, we develop software for industrial digitalisation. Our solutions are used by customers in productive environments – and that means responsibility. Responsibility for functioning systems, for security and for trust.
We are not a large corporation with our own security department. And that applies to many SMEs. Nevertheless, we bear the same responsibility as the big players – towards our customers, our employees and our society.
What cybersecurity looks like in everyday life
In many medium-sized companies, security is not a separate team. Security issues arise in the midst of everyday life – between deadlines, customer requests and ongoing operations. Mostly inconspicuously, until something happens.
Then comes the headline. A critical security breach. Everyone asks themselves:
Are we affected?
Does this affect our customers?
Do we have this under control?
And suddenly everything is urgent.
Stress arises when structures are lacking
Patching is not the problem – it’s the process of getting there.
Which software component do we use?
Which versions are affected?
Where exactly?
Which customers are affected?
Is the fix already in place?
Has it been delivered?
Without clear structures, every security breach becomes a stress test. Instead of reacting calmly, you find yourself having to explain yourself – both internally and externally. This leads to uncertainty, avoidable stress and sometimes even a loss of trust.
The Cyber Resilience Act: not an adversary, but a help
The Cyber Resilience Act (CRA) provides a legal framework that demands transparency and responsibility. For us, this is not a threat scenario, but an opportunity:
Clear processes instead of ad hoc reactions
Transparent information for customers
Well-founded decisions instead of gut feelings
The CRA does not force anyone to be perfect. But it does demand traceability – and that can be achieved with good teamwork and smart tools.
In practice, this often means combining a few well-established approaches rather than building a heavy security organization. Many teams rely on Security Champions to embed security awareness into day-to-day work and act as local points of contact. Regular security awareness training helps ensure that risks and responsibilities are understood across the organization. On a structural level, frameworks such as the NIST Cybersecurity Framework provide a common language for documenting decisions, processes, and responsibilities – which is exactly what traceability under the CRA is about.
What this means for our work – A realistic scenario from our everyday life
Let’s imagine that a critical security vulnerability is discovered in a widely used open source library that is also used in our products. In the past, this would have triggered a chain reaction: Who uses what? Where? Which version? Has it been fixed yet? Who needs to be informed?
Today, the process is more structured – thanks to clear processes and a shared understanding of responsibility.
Step 1: Overview via the SBOM
Our software contains a Software Bill of Materials (SBOM) for each release. This allows us to see immediately:
Whether the affected library is used at all
In which version
In which products
And: Which customer installations are specifically affected
This reduces the potential circle from ‘all’ to ‘these five installations’. This creates focus – and saves valuable time.
Step 2: Check patch status
The next question: Is there already a patch? If so:
Have we already integrated it?
Is it part of a release?
Has this release already been delivered to the affected customers?
This can also be tracked – not always automatically, but transparently documented. And if no patch exists yet, we at least know where we need to prioritise.
Step 3: Include the threat model
Not every vulnerability is automatically critical in real-world use. That’s why we also evaluate:
Is the affected function even used by us?
Is the system exposed to the outside world?
Could external access to the vulnerability even take place?
This threat model helps to avoid panic and set priorities correctly. There is a difference between something being theoretically vulnerable and practically vulnerable.
Step 4: Communicate with the customer
On this basis, we can communicate confidently – not evasively, but clearly:
‘Your system uses the library, but not the affected version – no action is required.’
‘Yes, the vulnerability affects you. We have tested the patched version internally and will deliver it tomorrow.’
Or: ‘No fix is currently available, but your specific usage scenario is not vulnerable. We are monitoring the situation closely and will keep you informed.’
These conversations are very different from before: instead of uncertainty, we show clarity. Instead of technical explanations, we convey security. This strengthens trust – especially in critical moments.
That’s a difference. And it shows in customer relationships: trust grows when we take responsibility and act in a transparent manner.
Responding better together – in the CRACoWi project
In the EU project CRACoWi, we are developing pragmatic approaches for precisely this purpose. Not with the expectation that SMEs will do everything perfectly right away, but with the goal of enabling them to take action in the first place.
Sharing responsibility instead of passing it on
Learning together
Using tools that work in everyday life
This is in line with our attitude: we want to grow together, work fairly and remain human – even in stressful situations.
Conclusion: cyber security is teamwork
Secure software is not a luxury, but part of our responsibility. The CRA can help us to work in a more organised, calm and transparent manner – without any glossy strategies.
The CRACoWi consortium met in Athens last week for its latest plenary meeting, marking an important milestone as the project reached Month 18 of its implementation. The meeting focused on assessing progress, aligning next steps, and preparing for the upcoming midterm review.
Now halfway through its 36-month journey, CRACoWi continues to advance its core objective of supporting companies in meeting the requirements of the Cyber Resilience Act (CRA). As the regulation introduces mandatory cybersecurity obligations for products with digital elements, the project is developing a practical Compliance Wizard to help SMEs, manufacturers, distributors, and importers navigate these requirements in a structured and accessible way.
At this stage, the project has moved beyond initial setup and into tangible implementation. In parallel, partners are actively working on use cases covering critical infrastructure and market actors such as importers and distributors, ensuring that the tool reflects real-world compliance challenges.
Beyond technical development, CRACoWi has established a strong foundation for stakeholder engagement and capacity building. Through initiatives such as the CRAcademywebinar series and targeted communication activities, the project is already reaching its key audiences and building awareness around CRA requirements and practical compliance pathways.
The Athens meeting served as a key checkpoint, confirming that the project is progressing according to plan and is well-positioned for the midterm review. Partners aligned on the consolidation of results, upcoming deliverables, and the next phase of development, which will focus on further validation, stakeholder uptake, and scaling of the solution.
As Europe moves closer to the implementation of the Cyber Resilience Act, initiatives like CRACoWi are becoming increasingly important. The project plays a critical role in translating complex regulatory requirements into practical tools that businesses can actually use, reducing the compliance burden and supporting a more secure and resilient digital market.
Meet the CRACoWi partners – ITML, Seven Shift and Tiko Pro – a the InCyber forum 31 March – 2 April, Pavilion Europe – booth E20-8A.
The CRACoWi project will be showcased at the InCyber Forum Europe 2026, one of Europe’s leading events dedicated to cybersecurity and digital trust. Bringing together thousands of experts, policymakers, and industry leaders, the Forum serves as a key platform for addressing the most pressing challenges in today’s digital landscape and strengthening cooperation across the European cybersecurity ecosystem.
CRACoWi partners ITML, SevenShift, and Tiko Pro will be present at the Pavilion Europe (Booth E20-8A), where they will introduce the project and engage with stakeholders from across the cybersecurity and innovation community.
As the Cyber Resilience Act (CRA) introduces new mandatory cybersecurity requirements for digital products in the EU, CRACoWi plays an important role in supporting organisations, especially SMEs, in navigating compliance. Through its Compliance Wizard, the project provides a practical, step-by-step approach to understanding and implementing CRA obligations.
The InCyber Forum offers a valuable opportunity to exchange knowledge, explore collaboration opportunities, and connect with organisations shaping the future of cyber resilience in Europe.
We invite you to meet the CRACoWi team at the booth and learn more about how the project is contributing to a more secure and trusted digital environment.
The Cyber Resilience Act (CRA) is a European Law aiming to enhance cybersecurity standards for products with digital components, ensuring that they remain secure throughout their lifecycle.
In particular, the products of interest are the ones connected directly or indirectly to another device or network, except for the ones that are already covered by similar regulations, such as medical devices, aviation and cars. Since these domains are the ones that bear the most dangers when it comes to safety, it is easy to neglect the risks that poor cybersecurity standards result in when it comes to seemingly less critical digital products, like IoT devices. These devices though, like smart home appliances, interact with the physical world through sensors and actuators and are also vulnerable to cyberattacks.
The CRA was signed in law on October 10, 2024, and was set into force on December 10, 2024. By 2027, there will be mandatory compliance for all software and hardware digital projects sold within the EU. To be confirmed that the products comply with the CRA requirements, they will bear the CE marking, which is part of the EU’s harmonisation legislation and declares that products sold within the EEA have been assessed to complete a satisfactory level of safety.
It is important to note that CRA complements other legislation in this area, specifically the NIS2 Directive, which together form a consistent model. While NIS2 ensures secure operations like policy, detection, incident reporting and supplier assurance, CRA ensures secure products by design integrity, vulnerability handling and updates.
The CRA strategy is that products must initially comply only with essential, high-level requirements in terms of health and safety, which are subsequently specified in detail through technical harmonised Standards drafted by European Standardisation Organisations.
Why should you care?
The significant difference between CRA and previous regulations is that CRA proposes horizontal legislation. Until now, the European Commission has followed a sector-by-sector approach in cybersecurity, which, although effective to some extent, also creates challenges such as overlapping or conflicting rules for similar types of products, duplicate requirements for companies that make products across different sectors, and an overall fragmentation of the market, due to inconsistency in cybersecurity obligations.
CRA aspires to establish a unified and concise cybersecurity framework that is accessible to all relevant stakeholders, without the need for sector-specific regulations. Such harmonisation also facilitates consumer choice, enabling individuals to more easily identify the products with the right cybersecurity features, as all products will be evaluated against the same coherent requirements.
The CRA acts as a proactive protection mechanism against security issues such as data breaches, operational disruptions, and safety risks. By enforcing minimum security requirements that are broadly applicable across the EU market, it reduces the likelihood of such incidents as well as the heavy fines associated with non-compliance. From an economic perspective, beyond regulatory penalties, stronger cybersecurity standards help organisations avoid the massive financial damages that cyberattacks cause every year.
Finally, the new requirements introduced by the CRA must be implemented across all stages of the value chain of digital products, beginning from the planning and design phase and extending to their development, deployment and maintenance. This lifecycle-wide approach ensures not only security, but also reliability and privacy, as products are built on robust cybersecurity principles from the very beginning.
The CRACoWi project stands at the spotlight of these regulatory demands, supporting SMEs in understanding and applying he CRA. By developing practical tools and methodologies and facilitating knowledge-sharing activities, CRACoWi empowers stakeholders to achieve compliance more effectively and strengthen their overall cyber resilience.
CRACoWi is launching the CRAcademy webinar series – a structured set of training sessions designed to support manufacturers, SMEs, and product teams in navigating the EU Cyber Resilience Act (CRA) from understanding to implementation and compliance.
The CRA introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market. While many organisations are aware of the regulation, uncertainty often remains around how obligations translate into practical steps, technical requirements, and demonstrable compliance.
The CRACoWi addresses this gap through CRAcademy training series, workshops and by developing practial tools.
1. CRA Overview, Regulatory Landscape, and Product Classification
FEB 18, 2026 // 11:00 – 12:00 CET
This session provides a structured, practical introduction to the CRA, focusing on how to correctly interpret the regulation, understand its scope, and position your product within the CRA classification framework. You will also gain clarity on how the CRA aligns with and differs from other relevant EU regulations, helping you avoid misinterpretation and compliance gaps.
The webinar is designed as a foundational training session and sets the baseline for all subsequent CRA-related technical and compliance activities.
2. CRA Standards, Risk Analysis, and Technical Requirements
MARCH 26, 2026 // 11:00 – 12:00 CET
This webinar focuses on the practical building blocks of CRA compliance: the current state of standardisation, how risk analysis is expected to be performed, and what the CRA requires in terms of technical cybersecurity measures. You will gain clarity on how harmonised standards support compliance, how risk analysis connects legal obligations to technical controls, and how to interpret the CRA’s technical requirements in a way that is actionable for product teams.
This session is designed as a bridge between regulation and engineering reality.
3. Conformity Assessment, CE Marking, and Vulnerability Management under the CRA
APRIL 14, 2026 // 11:00 – 12:00 CET
Understanding the Cyber Resilience Act is not enough -manufacturers must demonstrate compliance. This webinar focuses on the final and most critical phase of CRA readiness: conformity assessment procedures, the rules and logic behind CE marking, and the ongoing obligations related to vulnerability handling and reporting. You will learn how CRA compliance moves from internal preparation to formal assessment, market placement, and post-market obligations, and how vulnerability handling becomes a continuous compliance requirement rather than a one-off activity.
The session concludes with actionable next steps, translating regulatory obligations into a realistic compliance roadmap.
Michael Beine, Business Unit Manager – CyberSecurity, Bureau Veritas CPS Germany
Michael Beine has over 20 years of experience in the Testing, Inspection, and Certification (TIC) industry. He has led testing and approval activities for a wide range of wireless technologies and developed testing procedures and services for connected and IoT devices.
In recent years, his work has focused on cybersecurity. He acts as a cybersecurity auditor for industrial automation components and systems in line with the IEC 62443 standard and leads cybersecurity services at Bureau Veritas Consumer Product Services in Germany. He is a recognised expert in regulatory cybersecurity compliance for connected products, including RED-DA and the Cyber Resilience Act (CRA).
The importance of cybersecurity has never been greater, especially in light of the evolving digital landscape and escalating cyber risks. Two major EU regulatory frameworks – the Cyber Resilience Act (CRA) and the NIS2 (Network and Information Security) Directive – epitomize the growing commitment to securing the digital ecosystem, both by setting rigorous cybersecurity standards and by fostering cooperation among member states.
The Cybersecurity Landscape
According to the Global Cybersecurity Outlook 2025, cyber threats continue to escalate worldwide. Around 72% of organizations surveyed have reported a rise in cyber risks, largely fueled by ransomware, AI-powered tools, and increasingly sophisticated attacks. Examining how organizations measure up, it was found:
Amongst large corporations the average cybersecurity maturity level stands at 54%, showing a slight yearly improvement but indicating a need for growth. A 56% average protection rate against ransomware attack vectors among large companies indicates that without improved defences, major breaches can still occur. Small and mid-sized businesses also lag behind, with 36% considered in a critical cybersecurity state, despite an 18% improvement from 2024. (Source)
The financial sector leads with a 62.5% maturity score, motivated by regulatory pressure and investments. (Source)
Information security spending is rising, now at 9% of IT budgets in the EU, reflecting increasing investment but also recruitment challenges, as cybersecurity staffing ratios have declined despite the rising demand. 90% of organizations expect a surge in cyberattacks next year, emphasizing the urgency for preparedness. (Source)
Why the Cyber Resilience Act is Crucial for Digital Products
The Cyber Resilience Act (CRA) addresses the challenges of managing vulnerabilities and preventing cyber incidents by establishing uniform cybersecurity criteria for digital products available on the EU market. Around two-thirds of incidents reported under the Network and Information Security (NIS) framework result from exploited vulnerabilities, showing that managing hardware and software security throughout the entire product lifecycle – from design, to development, and through to decommissioning – is essential. (Source)
The CRA focuses on:
Cybersecurity rules and essential requirements for connected products with digital elements, including hard- and software, in both consumer and OT contexts.
Obligations spanning the entire supply chain, to be addressed by manufacturers, importers and distributors.
Lifecycle security, market surveillance, and enforcement to ensure ongoing compliance.
Notably, the CRA excludes cloud-based services or SaaS products, which fall under the scope of the NIS2 Directive, and other special categories such as medical or automotive devices, which are already covered by existing legislation.
The Role of NIS2 in Strengthening Cyber Resilience
The revised NIS2 Directive builds on its predecessor by addressing fragmented resilience across member states and sectors. It promotes:
A high level of cybersecurity across the EU, with mandatory measures such as incident handling, supply chain security and vulnerability management.
Enhanced cooperative structures, including a dedicated Cooperation Group to facilitate sharing of cyber threat intelligence and best practices, as well as a network of national Computer Security Incident Response Teams (CSIRTs) to coordinate operational response efforts.
The NIS2 directive raises the bar on cybersecurity governance, risk management, and compliance especially amongst the sectors newly included within its scope. Despite ongoing efforts, many organizations currently fail to fully comply with NIS2 standards, with significant gaps remaining in areas such as third-party risk evaluation and asset management.
Furthermore, while cybersecurity budgets and manpower have generally risen due to NIS2, many entities (particularly SMEs) face difficulties in securing adequate resources to meet these demands.
What These Developments Mean
The CRA and NIS2 together set EU-wide stringent cybersecurity standards that impact businesses operating in the EU, and also help to elevate security practices globally due to the market’s size and influence. The regulations encourage adoption of secure-by-design principles and robust risk management processes across digital product and service lifecycles.
These regulations incentivize greater investment in cybersecurity technologies and human capital, though persistent workforce shortages pose ongoing challenges. With cyberattacks growing in frequency and complexity, compliance with CRA and NIS2 provisions is critical to mitigating breaches, protecting sensitive data, and maintaining confidence in digital applications and products.
The emphasis on cross-border cooperation also strengthens the EU’s collective capabilities in incident detection, response, and recovery, thereby enhancing the overall resilience of the union against cyber threats.
While this overview only scratches the surface of the Cyber Resilience Act and NIS2 Directive, it is clear that cybersecurity remains a foundational element for the safety and reliability of digital products and services. The EU’s evolving regulatory landscape continues to make decisive progress in enforcing security from the earliest stages of product development, and unifying efforts to counteract rising cyber threats. To navigate the complex cyber risk landscape effectively, organizations must commit to compliance and allocate appropriate resources toward cybersecurity initiatives.
We are delighted that CRACoWi projectwas invited to participate in the Cyber Resilience Act (CRA) Webinar on 11 November, organized by the Dutch Ministry of Economic Affairs and the National Cybersecurity Center of the Netherlands (NCC NL).
The webinar aimed to help Dutch SMEs understand the Cyber Resilience Act and prepare for compliance with the upcoming regulation. Two EU-funded projects, CRACoWi and SECURE, were featured during the session,
Eleftheria Marini (ITML) as Project Coordinator of CRACoWi, provided an overview of the the project’s goals and impact in supporting European SMEs toward CRA compliance, with a special focus on how CRACoWi can benefit end users, particularly SMEs developing or deploying digital products.
Pablo Endres (SevenShift) presented the technical perspective, offering a high-level overview of the technologies and tools being developed, including the Cyber Resilience Act Compliance Wizard, an AI-supported framework for automated cybersecurity assessment, documentation and certification support.
The event was an important step in raising awareness and enhancing collaboration around CRA implementation across Europe, showcasing how initiatives like CRACoWi and SECURE contribute to empowering SMEs toward a more secure digital future.
Ransomware operators are getting faster, stealthier, and more aggressive – and the cost of delayed action is growing.
The recent article from CySecurity News highlights a troubling surge in ransomware and data exfiltration attacks across the Asia-Pacific region. Let`s outline how ransomware groups like Akira are systematically targeting vulnerable VPN configurations and unpatched systems. The manufacturing sector, critical infrastructure, and telecommunications are particularly hard hit, revealing how outdated technologies and weak credential management expose organizations to severe risks.
What’s concerning is not just the scale of the intrusions – but the shift in tactics:
Exploiting known VPN vulnerabilities (like CVE-2024-40766) within days of disclosure
Bypassing multi-factor authentication using stolen session tokens
Monetizing breaches through access sales, data theft, and non-encrypting extortion
These attacks aren’t just technical – they’re strategic. They aim to destabilize operations, erode trust, and extract long-term value from compromised environments.
This alarming trend underscores a universal truth – cyber resilience is no longer optional – it is a business imperative. The evolving sophistication of ransomware actors, coupled with the rise of non-encrypting extortion schemes, demands a paradigm shift from reactive patching to proactive, intelligence-driven defence.
What does this mean for Europe?
While the attacks are currently concentrated in APAC, the tactics are global – and the vulnerabilities they exploit exist in EU-based networks and products. That’s why the European Cyber Resilience Act (CRA) is not just timely – it’s necessary.
The CRA sets a clear baseline – if a product is digital, connected, and sold in the EU, it must be secure-by-design and secure-by-default. This means embedding cybersecurity principles from the earliest stages of product conception, rather than adding fixes later. Its goal is to shift the burden away from consumers and reactive IT teams and toward manufacturers and developers – ensuring that digital products are designed with security in mind from day one, and supported throughout their lifecycle.
Specifically, the CRA requires:
Mandatory risk management throughout the product lifecycle
Post-market support and timely software updates
Built-in mechanisms for vulnerability handling and reporting
However, legislation alone isn’t enough. Compliance must be supported by guidance, tools, and practical frameworks -especially for SMEs that lack extensive cybersecurity resources (as well as money, time and knowledge).
The ultimate goal is building security from the ground up, reducing the attack surface, and ensuring robust defense mechanisms are integral to product design – not afterthoughts.
This is precisely where the European Union’s projects like the CRACoWi project(Cyber Resilience Act Compliance Wizard Tool) play a crucial role. CRACoWi is a digital assistant that helps companies (particularly SMEs) understand what CRA means for them, assess their cybersecurity risks, and take concrete compliance actions early in the product design process. It promotes a “secure-by-design” approach, which is essential to prevent vulnerabilities like those exploited in these APAC VPN attacks.
The EU’s Cyber Resilience Act and initiatives like CRACoWi champion embedding cybersecurity into digital products -including VPNs and network devices – to reduce risks before they become incidents. While patch management, credential hygiene, and account lockout policies remain critical, they are reactive measures. The ultimate goal is building security from the ground up, reducing the attack surface, and ensuring robust defense mechanisms are integral to product design – not afterthoughts.
Moreover, the APAC ransomware crisis reflects broader global challenges – supply chains dependent on legacy technology, complex operational networks vulnerable to breach, and the human factor as the primary entry vector exploited via social engineering. These challenges emphasize why the EU’s holistic approach – combining regulation, innovative compliance tools like CRACoWi, and continuous awareness campaigns – is critical to enhancing digital trust and resilience.
As ransomware actors sharpen their tactics with automation, credential theft, and stealthy persistence, Europe’s emphasis on a multilayered defense posture and intelligence-led security frameworks becomes a model for global cybersecurity strategies.
Cybersecurity is an enabler of business continuity and trust, not just compliance.
Funded under the Digital Europe Programme, CRACoWi is not only building the CRA Compliance Wizard but also providing awareness materials, FAQs, and support resources to bridge the gap between regulation and implementation for European businesses.
The APAC ransomware wave and VPN exploit trends serve as a critical reminder – cybersecurity is an enabler of business continuity and trust, not just compliance. By embedding security from design to deployment, European initiatives like CRACoWi are paving the way toward a safer digital future for all.
Because cyber resilience is not just about patching systems after the fact – it’s about building products, businesses, and ecosystems capable of resisting, recovering, and adapting to threats that continue to evolve.
If ransomware actors are moving faster, so must we. Security-by-design is not a feature – it’s a requirement.
📅 20 November 2025 | 14:00–15:00 CET | Online | English | Free
Join us for the first CRACoWi project webinar with Katherine Leese from SevenShift, to explore a practical, evidence-based threat modelling process that aligns directly with the CRA’s risk-assessment and documentation requirements.
Are you ready for the Cyber Resilience Act (CRA)? The CRA requires manufacturers to understand and document cybersecurity risks in their connected products – but how do you actually do that in practice?
This hands-on session bridges the gap between paper compliance and practical, testable security – giving you a repeatable approach adaptable to your own environment.
What you’ll learn: – How to use Data Flow Diagrams (DFDs) to map system context, – How to apply STRIDE to identify threats, – How to link findings to real attacker techniques using MITRE, – How the CRACoWi Wizard supports you in gathering the right evidence and demonstrating CRA readiness.
Who should attend: Engineers, product security teams, managers, and anyone involved in designing, building, or securing connected products.
ℹ️ This webinar is the first in a series of CRAcademy training sessions — practical learning opportunities designed to help you navigate and implement the Cyber Resilience Act with confidence.
