Cyber Resilience Act – State of Play in 2026

The implementation landscape around the Cyber Resilience Act (CRA) is evolving rapidly. While the regulation itself entered into force in 2024, the ecosystem surrounding it – including guidance documents, harmonised standards, certification schemes, and conformity assessment procedures – is now taking shape at a remarkable pace.

For companies working with products containing digital elements, 2026 has become a crucial year for understanding how CRA requirements will be interpreted and applied in practice. From draft guidance published by the European Commission to major developments in standardisation and certification, several important milestones have already been reached.

This overview is prepared based on insights and analysis provided by Michael Beine (Bureau Veritas), contributor to the CRACoWi project activities related to certification, standardisation, and CRA implementation developments.

1. Draft CRA Guidance Published by the European Commission

    In March 2026, the European Commission published the draft guidance on the Cyber Resilience Act, with the commenting period ending in April 2026. The final version is expected towards the end of 2026 or beginning of 2027:

    • It provides interpretations of the CRA legal text from the official source.
    • A must-read for everybody seeking clarity on how the CRA is to be interpreted.
    • In some cases, the additional level of detail creates follow-up questions, which will hopefully be addressed in the final revision.

    This draft guidance is particularly important because it provides interpretations of the CRA legal text directly from the official source. For many stakeholders, it is currently one of the most valuable documents available for understanding how certain provisions of the regulation may be interpreted in practice.

    The document also demonstrates the complexity of implementing the CRA. While the guidance clarifies several topics, the additional level of detail has, in some areas, also created follow-up questions from industry and standardisation groups. Many stakeholders are now expecting that some of these open points will be addressed in the final revision.

    The draft guidance can be accessed through the European Commission’s official channels under the title “Draft Commission guidance on the Cyber Resilience Act”.

    2. RED-DA Cybersecurity Requirements will be Repealed – It is Official

    Another major development became official in 2026. To avoid overlapping regulatory requirements, the cybersecurity-related provisions under Article 3.3 d/e/f of the Radio Equipment Directive (RED-DA) will be deactivated on the date the CRA becomes fully applicable: 11 December 2027.

    This confirms an important signal from the legislator: there is currently no indication that the CRA timeline will be delayed. The transition towards CRA remains firmly on track.

    The repeal was adopted through Delegated Regulation (EU) 2026/339 published on EUR-Lex: Delegated regulation – EU – 2026/339 – EN – EUR-Lex

    3. Standardisation is Moving Forward Rapidly – prEN 40000-1-2 Drafting is Completed

    Standardisation activities around the CRA are accelerating significantly.

    The drafting of the first horizontal CRA standard, prEN 40000-1-2 “Cybersecurity requirements for products with digital elements – Part 1-2: Principles for cyber resilience”, has been completed and entered final review. If the formal vote is positive, publication could follow by the end of October 2026.

    This is an important milestone because horizontal standards are expected to play a key role in supporting harmonised approaches to CRA compliance across industries.

    At the same time, discussions around sector-specific standards continue intensely.


    4. Debate Around “Broad Verticals” and IEC 62443 – “Broad verticals will not be cited in the OJEU”

    One statement made by the European Commission during the ENISA Conference in March 2026 created significant discussion within standardisation working groups and the OT industry.

    According to comments shared publicly after the event, the Commission stated that “broad verticals will not be cited in the Official Journal of the European Union (OJEU).”

    This has raised concerns among stakeholders working on adapting IEC 62443 standards for CRA presumption of conformity, particularly in industrial and operational technology environments.

    The standards EN IEC 62443-4-1 and EN IEC 62443-4-2 remained in public consultation (Enquiry phase) until the end of April 2026. However, discussions around how these standards may ultimately be referenced under the CRA framework are still ongoing.

    At this stage, it is clear that the final approach to sector-specific harmonisation is still evolving.

    The last word on this has probably not yet been spoken.


    5. CSA2 draft regulation proposes new Certification Schemes for CRA

    The proposed update of the Cybersecurity Act (commonly referred to as CSA2) also represents an important step in aligning the EU cybersecurity certification framework with the CRA.

    The proposal aims to facilitate the creation and adaptation of certification schemes supporting CRA requirements. This is particularly relevant for products that may require third-party conformity assessment procedures.

    The proposal for the revised EU Cybersecurity Act has been published under the European Commission’s “Shaping Europe’s Digital Future” initiative.

    CSA2 aims to boost the creation and adaptation of Certification Schemes for the CRA.

    More info: Proposal for a Regulation for the EU Cybersecurity Act | Shaping Europe’s digital future

    6. EUCC Implementing Act Expected by End of 2026

    The European Commission has also indicated plans for an implementing act approving the EU Common Criteria (EUCC) scheme for CRA purposes. This would support conformity assessment procedures for critical products with digital elements, including categories such as payment terminals, smart cards, and smart meter gateways.

    While no publicly available implementing act reference has yet been identified, this would represent another major step towards operationalising CRA conformity assessment mechanisms.

    7. “Fast-track” procedure for NoBos already designated under RED-DA

    Another important discussion currently taking place involves a potential “fast-track” procedure for the nomination of Notified Bodies (NoBos) under the CRA.

    According to publicly shared information from discussions between the European Commission and ADCO CRA, the proposal would simplify nomination procedures for organisations already designated under RED-DA.

    The objective appears straightforward: ensuring that a sufficient number of Notified Bodies are available before the CRA becomes fully applicable at the end of 2027.


    Help Is on the Way for SMEs

    As the Cyber Resilience Act (CRA) moves closer to full implementation, many SMEs are still trying to understand what the regulation means in practice and how to prepare for compliance. The good news is that support is already taking shape across Europe.

    Several EU-funded initiatives, including CRACoWi and other projects within the CRA Cluster, are actively developing practical tools, guidance materials, and training resources designed to help organisations navigate the new cybersecurity requirements.

    Within CRACoWi, the first support resources are already becoming available. These include tools such as the CRA Scope Assessment, which helps organisations understand whether and how the CRA applies to their products, as well as the CRAcademy initiative, which offers webinars, workshops, and educational materials focused on CRA implementation and cybersecurity compliance.

    And this is only the beginning. Additional tools, guidance documents, training materials, and practical support mechanisms are currently under development and will continue to evolve over the coming months.

    If you want to stay informed about the latest developments, upcoming training sessions, and new CRA support resources, make sure to follow the CRACoWi project and subscribe to the newsletter.

    You can also explore the broader ecosystem of initiatives by visiting the CRA Cluster projects working towards practical CRA implementation across Europe: CRA Cluster

    A Regulatory Ecosystem Taking Shape

    What becomes increasingly clear is that the CRA is no longer only a legal text. The broader implementation ecosystem (guidance documents, harmonised standards, certification schemes, conformity assessment procedures, and institutional coordination) is now actively developing.

    For companies across Europe, especially SMEs, staying informed about these developments will be essential over the coming months. The pace of change is high, and many practical aspects of compliance are still being refined in parallel with the regulation’s rollout.

    Projects such as CRACoWi are therefore becoming increasingly relevant, not only because they raise awareness about the CRA, but because they help organisations translate evolving regulatory requirements into practical implementation steps.



    About the Author
    Michael Beine is a cybersecurity and regulatory compliance expert at Bureau Veritas Consumer Product Services Germany, with more than 20 years of experience in the testing, inspection, and certification industry. His work focuses on cybersecurity requirements for connected products, IoT security, industrial automation, and European regulatory frameworks, including the Cyber Resilience Act (CRA) and RED Delegated Act. Within the CRACoWi project, he contributes to activities related to certification schemes, standardisation, and practical implementation of cybersecurity compliance requirements.

    Cybersecurity affects us all – including small and medium-sized enterprises

    I am writing this article as the founder and owner of a small to medium-sized software company. At erminas, we develop software for industrial digitalisation. Our solutions are used by customers in productive environments – and that means responsibility. Responsibility for functioning systems, for security and for trust.

    We are not a large corporation with our own security department. And that applies to many SMEs. Nevertheless, we bear the same responsibility as the big players – towards our customers, our employees and our society.

    What cybersecurity looks like in everyday life

    In many medium-sized companies, security is not a separate team. Security issues arise in the midst of everyday life – between deadlines, customer requests and ongoing operations. Mostly inconspicuously, until something happens.

    Then comes the headline. A critical security breach. Everyone asks themselves:

    • Are we affected?
    • Does this affect our customers?
    • Do we have this under control?

    And suddenly everything is urgent.

    Stress arises when structures are lacking

    Patching is not the problem – it’s the process of getting there.

    • Which software component do we use?
    • Which versions are affected?
    • Where exactly?
    • Which customers are affected?
    • Is the fix already in place?
    • Has it been delivered?

    Without clear structures, every security breach becomes a stress test. Instead of reacting calmly, you find yourself having to explain yourself – both internally and externally. This leads to uncertainty, avoidable stress and sometimes even a loss of trust.

    The Cyber Resilience Act: not an adversary, but a help

    The Cyber Resilience Act (CRA) provides a legal framework that demands transparency and responsibility. For us, this is not a threat scenario, but an opportunity:

    • Clear processes instead of ad hoc reactions
    • Transparent information for customers
    • Well-founded decisions instead of gut feelings

    The CRA does not force anyone to be perfect. But it does demand traceability – and that can be achieved with good teamwork and smart tools.

    In practice, this often means combining a few well-established approaches rather than building a heavy security organization. Many teams rely on Security Champions to embed security awareness into day-to-day work and act as local points of contact. Regular security awareness training helps ensure that risks and responsibilities are understood across the organization. On a structural level, frameworks such as the NIST Cybersecurity Framework provide a common language for documenting decisions, processes, and responsibilities – which is exactly what traceability under the CRA is about.

    What this means for our work – A realistic scenario from our everyday life

    Let’s imagine that a critical security vulnerability is discovered in a widely used open source library that is also used in our products. In the past, this would have triggered a chain reaction: Who uses what? Where? Which version? Has it been fixed yet? Who needs to be informed?

    Today, the process is more structured – thanks to clear processes and a shared understanding of responsibility.

    Step 1: Overview via the SBOM

    Our software contains a Software Bill of Materials (SBOM) for each release. This allows us to see immediately:

    • Whether the affected library is used at all
    • In which version
    • In which products
    • And: Which customer installations are specifically affected

    This reduces the potential circle from ‘all’ to ‘these five installations’. This creates focus – and saves valuable time.

    Step 2: Check patch status

    The next question: Is there already a patch? If so:

    • Have we already integrated it?
    • Is it part of a release?
    • Has this release already been delivered to the affected customers?

    This can also be tracked – not always automatically, but transparently documented. And if no patch exists yet, we at least know where we need to prioritise.

    Step 3: Include the threat model

    Not every vulnerability is automatically critical in real-world use. That’s why we also evaluate:

    • Is the affected function even used by us?
    • Is the system exposed to the outside world?
    • Could external access to the vulnerability even take place?

    This threat model helps to avoid panic and set priorities correctly. There is a difference between something being theoretically vulnerable and practically vulnerable.

    Step 4: Communicate with the customer

    On this basis, we can communicate confidently – not evasively, but clearly:

    • ‘Your system uses the library, but not the affected version – no action is required.’
    • ‘Yes, the vulnerability affects you. We have tested the patched version internally and will deliver it tomorrow.’
    • Or: ‘No fix is currently available, but your specific usage scenario is not vulnerable. We are monitoring the situation closely and will keep you informed.’

    These conversations are very different from before: instead of uncertainty, we show clarity. Instead of technical explanations, we convey security. This strengthens trust – especially in critical moments.

    That’s a difference. And it shows in customer relationships: trust grows when we take responsibility and act in a transparent manner.
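    As an added example (not erminas’s tooling or code from the post), the four steps above as a small Python triage routine over constructed SBOM, installation and advisory records. Component names, releases, customers, exposure flags and version ranges are all invented.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one SBOM per release as (component, version) pairs,
# the fleet of customer installations, and one vulnerability advisory.
# None of this refers to real products, customers or CVEs.
SBOMS: Dict[str, List[Tuple[str, str]]] = {
    "gateway-2.3.0": [("libparse", "1.4.2"), ("zlib", "1.3.1")],
    "gateway-2.4.0": [("libparse", "1.5.0"), ("zlib", "1.3.1")],  # carries the fix
    "dashboard-1.0.0": [("libparse", "1.3.9")],                   # older, unaffected
    "logger-0.9.0": [("zlib", "1.3.1")],                           # does not use it
}

INSTALLATIONS = [
    {"customer": "Alpha", "site": "plant-1", "release": "gateway-2.3.0",
     "internet_exposed": True, "uses_parser": True},
    {"customer": "Alpha", "site": "plant-2", "release": "gateway-2.3.0",
     "internet_exposed": False, "uses_parser": False},
    {"customer": "Beta", "site": "hq", "release": "gateway-2.4.0",
     "internet_exposed": True, "uses_parser": True},
    {"customer": "Gamma", "site": "lab", "release": "dashboard-1.0.0",
     "internet_exposed": False, "uses_parser": True},
    {"customer": "Delta", "site": "dc", "release": "logger-0.9.0",
     "internet_exposed": True, "uses_parser": False},
]

ADVISORY = {
    "component": "libparse",
    "affected_from": "1.4.0",           # inclusive lower bound
    "fixed_in": "1.5.0",                # exclusive upper bound; None while no fix exists
    "affected_feature": "uses_parser",  # installation flag: is the vulnerable function in use?
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(p) for p in v.split("."))


def component_version(release: str, component: str) -> Optional[str]:
    """Step 1: look the component up in the release SBOM; None if not present."""
    for name, ver in SBOMS.get(release, []):
        if name == component:
            return ver
    return None


def version_affected(ver: str, adv: dict) -> bool:
    """True if affected_from <= ver < fixed_in (or ver >= affected_from with no fix)."""
    v = parse_version(ver)
    if v < parse_version(adv["affected_from"]):
        return False
    return adv["fixed_in"] is None or v < parse_version(adv["fixed_in"])


def fixed_releases(adv: dict) -> List[str]:
    """Step 2: releases whose SBOM already carries a fixed version of the component."""
    if adv["fixed_in"] is None:
        return []
    fixed = parse_version(adv["fixed_in"])
    out = []
    for release in sorted(SBOMS):
        ver = component_version(release, adv["component"])
        if ver is not None and parse_version(ver) >= fixed:
            out.append(release)
    return out


def triage(install: dict, adv: dict) -> dict:
    """Steps 1-4 for one installation: status, priority and the customer message."""
    comp = adv["component"]
    ver = component_version(install["release"], comp)
    if ver is None:
        return {"status": "not_used", "priority": "none",
                "message": f"Your system does not use {comp}. No action is required."}
    if not version_affected(ver, adv):
        return {"status": "unaffected_version", "priority": "none",
                "message": f"Your system uses {comp} {ver}, which is not an affected version. "
                           "No action is required."}
    # Step 3: threat model. Exposure and actual use of the vulnerable function
    # decide the priority; "theoretically vulnerable" is not "practically vulnerable".
    uses_vulnerable_function = install.get(adv["affected_feature"], True)
    if not uses_vulnerable_function:
        priority = "low"
    elif install["internet_exposed"]:
        priority = "critical"
    else:
        priority = "high"
    fixes = fixed_releases(adv)
    # Step 4: one clear statement per situation.
    if fixes:
        message = (f"Yes, the vulnerability affects you ({comp} {ver}). Release {fixes[0]} "
                   "contains the patched version; delivery is being scheduled.")
    elif not uses_vulnerable_function:
        message = ("No fix is currently available, but your specific usage scenario is not "
                   "vulnerable. We are monitoring the situation closely and will keep you informed.")
    else:
        message = (f"No fix is currently available and {comp} {ver} is in use with the affected "
                   "function. Mitigation for this installation is being prioritised.")
    return {"status": "affected", "priority": priority,
            "fix_release": fixes[0] if fixes else None, "message": message}


def triage_fleet(installs: List[dict], adv: dict) -> Dict[str, dict]:
    """Run the triage for every installation, keyed by customer/site."""
    return {f"{i['customer']}/{i['site']}": triage(i, adv) for i in installs}


def affected_installations(installs: List[dict], adv: dict) -> List[str]:
    """The 'these five installations' list from step 1, in fleet order."""
    return [k for k, v in triage_fleet(installs, adv).items() if v["status"] == "affected"]
```

    Run against the constructed fleet, only the two Alpha sites carry an affected version, and of those only the internet-exposed one that uses the parser is rated critical.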

    Responding better together – in the CRACoWi project

    In the EU project CRACoWi, we are developing pragmatic approaches for precisely this purpose. Not with the expectation that SMEs will do everything perfectly right away, but with the goal of enabling them to take action in the first place.

    • Sharing responsibility instead of passing it on
    • Learning together
    • Using tools that work in everyday life

    This is in line with our attitude: we want to grow together, work fairly and remain human – even in stressful situations.

    Conclusion: cyber security is teamwork

    Secure software is not a luxury, but part of our responsibility. The CRA can help us to work in a more organised, calm and transparent manner – without any glossy strategies.

    Creating structures today reduces stress tomorrow.

    Written by Yvette Teiken, erminas

    What Is the Cyber Resilience Act (CRA) and Why Should You Care?

    The Cyber Resilience Act (CRA) is a European Law aiming to enhance cybersecurity standards for products with digital components, ensuring that they remain secure throughout their lifecycle.

    In particular, the products of interest are the ones connected directly or indirectly to another device or network, except for the ones that are already covered by similar regulations, such as medical devices, aviation and cars. Since these domains are the ones that bear the most dangers when it comes to safety, it is easy to neglect the risks that poor cybersecurity standards result in when it comes to seemingly less critical digital products, like IoT devices. These devices though, like smart home appliances, interact with the physical world through sensors and actuators and are also vulnerable to cyberattacks.

    The CRA was signed into law on October 10, 2024, and entered into force on December 10, 2024. By 2027, compliance will be mandatory for all software and hardware digital products sold within the EU. To confirm that products comply with the CRA requirements, they will bear the CE marking, which is part of the EU’s harmonisation legislation and declares that products sold within the EEA have been assessed as meeting a satisfactory level of safety.

    It is important to note that the CRA complements other legislation in this area, specifically the NIS2 Directive; together they form a consistent model. While NIS2 ensures secure operations (policy, detection, incident reporting and supplier assurance), the CRA ensures secure products (design integrity, vulnerability handling and updates).

    The CRA strategy is that products must initially comply only with essential, high-level requirements in terms of health and safety, which are subsequently specified in detail through technical harmonised Standards drafted by European Standardisation Organisations.

    Why should you care?

    The significant difference between CRA and previous regulations is that CRA proposes horizontal legislation. Until now, the European Commission has followed a sector-by-sector approach in cybersecurity, which, although effective to some extent, also creates challenges such as overlapping or conflicting rules for similar types of products, duplicate requirements for companies that make products across different sectors, and an overall fragmentation of the market, due to inconsistency in cybersecurity obligations.

    CRA aspires to establish a unified and concise cybersecurity framework that is accessible to all relevant stakeholders, without the need for sector-specific regulations. Such harmonisation also facilitates consumer choice, enabling individuals to more easily identify the products with the right cybersecurity features, as all products will be evaluated against the same coherent requirements.

     The CRA acts as a proactive protection mechanism against security issues such as data breaches, operational disruptions, and safety risks. By enforcing minimum security requirements that are broadly applicable across the EU market, it reduces the likelihood of such incidents as well as the heavy fines associated with non-compliance. From an economic perspective, beyond regulatory penalties, stronger cybersecurity standards help organisations avoid the massive financial damages that cyberattacks cause every year.

    Finally, the new requirements introduced by the CRA must be implemented across all stages of the value chain of digital products, beginning from the planning and design phase and extending to their development, deployment and maintenance. This lifecycle-wide approach ensures not only security, but also reliability and privacy, as products are built on robust cybersecurity principles from the very beginning.

    The CRACoWi project stands in the spotlight of these regulatory demands, supporting SMEs in understanding and applying the CRA. By developing practical tools and methodologies and facilitating knowledge-sharing activities, CRACoWi empowers stakeholders to achieve compliance more effectively and strengthen their overall cyber resilience.

    Sources:

    1. https://www.cyberresilienceact.eu/the-cra-explained/
    2. https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
    3. https://single-market-economy.ec.europa.eu/single-market/goods/ce-marking_en
    4. https://link.springer.com/article/10.1365/s43439-022-00067-6
    5. https://avatao.com/cra-vs-nis2-whats-the-difference-and-why-both-matter-for-secure-development/#:~:text=The%20frameworks%20complement%20each%20other%3A%20NIS2%20builds%20operational,secure%20operations%3A%20policy%2C%20detection%2C%20incident%20reporting%2C%20supplier%20assurance.

    The Role of the EU Cyber Resilience Act and NIS2 Directive

    The importance of cybersecurity has never been greater, especially in light of the evolving digital landscape and escalating cyber risks. Two major EU regulatory frameworks – the Cyber Resilience Act (CRA) and the NIS2 (Network and Information Security) Directive – epitomize the growing commitment to securing the digital ecosystem, both by setting rigorous cybersecurity standards and by fostering cooperation among member states.

    The Cybersecurity Landscape

    According to the Global Cybersecurity Outlook 2025, cyber threats continue to escalate worldwide. Around 72% of organizations surveyed have reported a rise in cyber risks, largely fueled by ransomware, AI-powered tools, and increasingly sophisticated attacks. Examining how organizations measure up, it was found: 

    • Amongst large corporations the average cybersecurity maturity level stands at 54%, showing a slight yearly improvement but indicating a need for growth. A 56% average protection rate against ransomware attack vectors among large companies indicates that without improved defences, major breaches can still occur. Small and mid-sized businesses also lag behind, with 36% considered in a critical cybersecurity state, despite an 18% improvement from 2024. (Source)
    • The financial sector leads with a 62.5% maturity score, motivated by regulatory pressure and investments.  (Source)
    • Information security spending is rising, now at 9% of IT budgets in the EU, reflecting increasing investment but also recruitment challenges, as cybersecurity staffing ratios have declined despite the rising demand. 90% of organizations expect a surge in cyberattacks next year, emphasizing the urgency for preparedness. (Source)

    Why the Cyber Resilience Act is Crucial for Digital Products 

    The Cyber Resilience Act (CRA) addresses the challenges of managing vulnerabilities and preventing cyber incidents by establishing uniform cybersecurity criteria for digital products available on the EU market. Around two-thirds of incidents reported under the Network and Information Security (NIS) framework result from exploited vulnerabilities, showing that managing hardware and software security throughout the entire product lifecycle – from design, to development, and through to decommissioning – is essential. (Source)

    The CRA focuses on: 

    • Cybersecurity rules and essential requirements for connected products with digital elements, including hard- and software, in both consumer and OT contexts.
    • Obligations spanning the entire supply chain, to be addressed by manufacturers, importers and distributors.
    • Lifecycle security, market surveillance, and enforcement to ensure ongoing compliance.

    Notably, the CRA excludes cloud-based services or SaaS products, which fall under the scope of the NIS2 Directive, and other special categories such as medical or automotive devices, which are already covered by existing legislation. 

    The Role of NIS2 in Strengthening Cyber Resilience 

    The revised NIS2 Directive builds on its predecessor by addressing fragmented resilience across member states and sectors. It promotes: 

    • A high level of cybersecurity across the EU, with mandatory measures such as incident handling, supply chain security and vulnerability management.
    • Enhanced cooperative structures, including a dedicated Cooperation Group to facilitate sharing of cyber threat intelligence and best practices, as well as a network of national Computer Security Incident Response Teams (CSIRTs) to coordinate operational response efforts.

    The NIS2 directive raises the bar on cybersecurity governance, risk management, and compliance especially amongst the sectors newly included within its scope. Despite ongoing efforts, many organizations currently fail to fully comply with NIS2 standards, with significant gaps remaining in areas such as third-party risk evaluation and asset management.

    Furthermore, while cybersecurity budgets and manpower have generally risen due to NIS2, many entities (particularly SMEs) face difficulties in securing adequate resources to meet these demands.

    What These Developments Mean

    The CRA and NIS2 together set EU-wide stringent cybersecurity standards that impact businesses operating in the EU, and also help to elevate security practices globally due to the market’s size and influence. The regulations encourage adoption of secure-by-design principles and robust risk management processes across digital product and service lifecycles.

    These regulations incentivize greater investment in cybersecurity technologies and human capital, though persistent workforce shortages pose ongoing challenges. With cyberattacks growing in frequency and complexity, compliance with CRA and NIS2 provisions is critical to mitigating breaches, protecting sensitive data, and maintaining confidence in digital applications and products.

    The emphasis on cross-border cooperation also strengthens the EU’s collective capabilities in incident detection, response, and recovery, thereby enhancing the overall resilience of the union against cyber threats.

    While this overview only scratches the surface of the Cyber Resilience Act and NIS2 Directive, it is clear that cybersecurity remains a foundational element for the safety and reliability of digital products and services. The EU’s evolving regulatory landscape continues to make decisive progress in enforcing security from the earliest stages of product development, and unifying efforts to counteract rising cyber threats. To navigate the complex cyber risk landscape effectively, organizations must commit to compliance and allocate appropriate resources toward cybersecurity initiatives.

    CRACoWi project at the CRA Webinar for Dutch SMEs

    We are delighted that the CRACoWi project was invited to participate in the Cyber Resilience Act (CRA) Webinar on 11 November, organized by the Dutch Ministry of Economic Affairs and the National Cybersecurity Center of the Netherlands (NCC NL).

    The webinar aimed to help Dutch SMEs understand the Cyber Resilience Act and prepare for compliance with the upcoming regulation. Two EU-funded projects, CRACoWi and SECURE, were featured during the session.

    Eleftheria Marini (ITML), as Project Coordinator of CRACoWi, provided an overview of the project’s goals and impact in supporting European SMEs toward CRA compliance, with a special focus on how CRACoWi can benefit end users, particularly SMEs developing or deploying digital products.

    Pablo Endres (SevenShift) presented the technical perspective, offering a high-level overview of the technologies and tools being developed, including the Cyber Resilience Act Compliance Wizard, an AI-supported framework for automated cybersecurity assessment, documentation and certification support.

    The event was an important step in raising awareness and enhancing collaboration around CRA implementation across Europe, showcasing how initiatives like CRACoWi and SECURE contribute to empowering SMEs toward a more secure digital future.

    Lessons from Asia-Pacific VPN Exploits

    Ransomware operators are getting faster, stealthier, and more aggressive – and the cost of delayed action is growing.

    A recent article from CySecurity News highlights a troubling surge in ransomware and data exfiltration attacks across the Asia-Pacific region. It outlines how ransomware groups like Akira are systematically targeting vulnerable VPN configurations and unpatched systems. The manufacturing sector, critical infrastructure, and telecommunications are particularly hard hit, revealing how outdated technologies and weak credential management expose organizations to severe risks.

    What’s concerning is not just the scale of the intrusions – but the shift in tactics:

    • Exploiting known VPN vulnerabilities (like CVE-2024-40766) within days of disclosure
    • Bypassing multi-factor authentication using stolen session tokens
    • Monetizing breaches through access sales, data theft, and non-encrypting extortion

    These attacks aren’t just technical – they’re strategic. They aim to destabilize operations, erode trust, and extract long-term value from compromised environments.

    This alarming trend underscores a universal truth – cyber resilience is no longer optional – it is a business imperative. The evolving sophistication of ransomware actors, coupled with the rise of non-encrypting extortion schemes, demands a paradigm shift from reactive patching to proactive, intelligence-driven defence.

    What does this mean for Europe?

    While the attacks are currently concentrated in APAC, the tactics are global – and the vulnerabilities they exploit exist in EU-based networks and products. That’s why the European Cyber Resilience Act (CRA) is not just timely – it’s necessary.

    The CRA sets a clear baseline – if a product is digital, connected, and sold in the EU, it must be secure-by-design and secure-by-default. This means embedding cybersecurity principles from the earliest stages of product conception, rather than adding fixes later. Its goal is to shift the burden away from consumers and reactive IT teams and toward manufacturers and developers – ensuring that digital products are designed with security in mind from day one, and supported throughout their lifecycle.

    Specifically, the CRA requires:

    • Mandatory risk management throughout the product lifecycle
    • Post-market support and timely software updates
    • Built-in mechanisms for vulnerability handling and reporting

    However, legislation alone isn’t enough. Compliance must be supported by guidance, tools, and practical frameworks, especially for SMEs that lack extensive cybersecurity resources (as well as money, time and knowledge).

    The ultimate goal is building security from the ground up, reducing the attack surface, and ensuring robust defense mechanisms are integral to product design – not afterthoughts.

    This is precisely where European Union projects like CRACoWi (Cyber Resilience Act Compliance Wizard Tool) play a crucial role. CRACoWi is a digital assistant that helps companies (particularly SMEs) understand what the CRA means for them, assess their cybersecurity risks, and take concrete compliance actions early in the product design process. It promotes a “secure-by-design” approach, which is essential to prevent vulnerabilities like those exploited in these APAC VPN attacks.

    The EU’s Cyber Resilience Act and initiatives like CRACoWi champion embedding cybersecurity into digital products, including VPNs and network devices, to reduce risks before they become incidents. While patch management, credential hygiene, and account lockout policies remain critical, they are reactive measures.

    Moreover, the APAC ransomware crisis reflects broader global challenges – supply chains dependent on legacy technology, complex operational networks vulnerable to breach, and the human factor as the primary entry vector exploited via social engineering. These challenges emphasize why the EU’s holistic approach – combining regulation, innovative compliance tools like CRACoWi, and continuous awareness campaigns – is critical to enhancing digital trust and resilience.

    As ransomware actors sharpen their tactics with automation, credential theft, and stealthy persistence, Europe’s emphasis on a multilayered defense posture and intelligence-led security frameworks becomes a model for global cybersecurity strategies.

    Funded under the Digital Europe Programme, CRACoWi is not only building the CRA Compliance Wizard but also providing awareness materials, FAQs, and support resources to bridge the gap between regulation and implementation for European businesses.

    The APAC ransomware wave and VPN exploit trends serve as a critical reminder – cybersecurity is an enabler of business continuity and trust, not just compliance. By embedding security from design to deployment, European initiatives like CRACoWi are paving the way toward a safer digital future for all.

    Because cyber resilience is not just about patching systems after the fact – it’s about building products, businesses, and ecosystems capable of resisting, recovering, and adapting to threats that continue to evolve.

    If ransomware actors are moving faster, so must we. Security-by-design is not a feature – it’s a requirement.

    Transatlantic Cooperation for Cybersecurity and a Safer Future for IoT Products

    In an era of growing cyber threats, the European Union and the United States have taken a major step toward enhancing global cybersecurity. On January 30, 2024, both sides signed an Administrative Arrangement on a Joint CyberSafe Products Action Plan, reinforcing their commitment to securing consumer IoT products. This collaboration aims to advance technical cooperation and work toward mutual recognition of cybersecurity requirements for IoT hardware and software, ultimately strengthening consumer protection while easing compliance for businesses.

    This agreement builds on existing cybersecurity frameworks. In the EU, the Cyber Resilience Act (CRA) establishes security requirements for digital products, while in the U.S., the Cyber Trust Mark Program serves as a labeling system to help consumers identify secure IoT products. By aligning regulatory approaches, the EU and U.S. are working toward a seamless transatlantic market for trusted digital products, making it easier for companies to comply with consistent security standards while enhancing global cybersecurity.

    As part of this initiative, both sides are committed to developing a shared cybersecurity lexicon and taxonomy, improving coordination in standards development, and exploring potential alignment of certification processes. The Action Plan highlights the importance of fostering collaboration between governments and industry players, ensuring that regulations remain effective and practical. European Commissioner Thierry Breton emphasized that this agreement brings “concrete benefits for consumers and businesses” and reinforces the shared commitment to strengthening cybersecurity across borders.

    The CRACoWi project (Cyber Resilience Act Compliance Wizard) plays an essential role in supporting businesses – particularly SMEs – by helping them navigate cybersecurity regulations, assess compliance under the Cyber Resilience Act, and integrate security-by-design principles into IoT product development. By providing clear guidance on certification processes, CRACoWi ensures that companies can meet regulatory requirements without being overwhelmed by complexity.

    With this agreement in place, the EU and U.S. are setting the stage for stronger cybersecurity cooperation. Their focus on harmonizing security standards, promoting international best practices, and fostering industry engagement will help shape a more resilient digital ecosystem. As the world becomes increasingly interconnected, initiatives like these are vital to ensuring the safety and trustworthiness of digital products.

    Australia’s Landmark Cyber Security Bill 2024

    On November 25, 2024, Australia passed the Cyber Security Bill 2024, ushering in a significant step forward in its efforts to enhance cybersecurity. At its core, this legislation sets mandatory security standards for “relevant connectable products,” or smart devices, that connect to the internet. This landmark move reflects a global trend toward stricter regulations on consumer technologies to safeguard against the increasing risks of cyber threats. Let’s take a look at what the Cyber Security Bill 2024 is all about.

    What Does the Cyber Security Bill 2024 Do? 

    One of the defining features of the Bill focuses specifically on security standards for connectable products such as smart home devices, wearables, and IoT systems. The legislation mandates that manufacturers, suppliers, and importers of these products comply with strict security measures to ensure their safety and reliability. 

    The Cyber Security Bill 2024 introduces robust measures to enhance the security of internet-connected devices, aiming to protect consumers and businesses from the growing risks of cyberattacks.  

    Mandatory Security Standards 

    At the heart of the legislation is the requirement for manufacturers to comply with mandatory cybersecurity standards set out by the Australian Minister for Home Affairs. These standards are defined through Ministerial rules, providing a flexible framework that can adapt to evolving cybersecurity challenges and emerging threats. By ensuring that all “relevant connectable products” meet these security benchmarks, the legislation establishes a baseline for device safety, making it harder for vulnerabilities to be exploited.

    Definition Alignment 

    To streamline compliance for international manufacturers, the legislation aligns its definitions with those found in the UK’s Product Security and Telecommunications Infrastructure Act 2022. This alignment not only reduces complexity for global companies but also encourages a harmonized approach to IoT security across jurisdictions. For manufacturers operating in multiple markets, this consistency minimizes administrative burdens and supports the development of secure products that meet global standards.

    Consumer Focus 

    One of the Cyber Security Bill’s primary objectives is to prioritize consumer safety and trust in the ever-expanding market of smart devices. As smart home appliances, wearable technologies, and IoT-enabled systems become ubiquitous, the risks of cyberattacks increase exponentially. This legislation ensures that products are designed with security as a core feature, protecting end-users from threats such as unauthorized access, data breaches, and system hijacking.

    The focus on consumer protection reflects a broader commitment to fostering trust in technology, ensuring that users feel confident adopting smart devices without compromising their security or privacy. 

    Addressing Vulnerabilities in Smart Devices 

    Smart devices have become an integral part of daily life, from wearables and home assistants to industrial IoT applications. However, their rapid adoption has also made them prime targets for cyberattacks. These attacks can result in devastating consequences, including data breaches, unauthorized surveillance, and disruptions to critical systems. 

    By mandating robust security standards, the Cyber Security Bill 2024 aims to reduce these vulnerabilities, ensuring that manufacturers adopt secure-by-design principles. This not only safeguards consumers but also mitigates risks for businesses and critical infrastructures relying on IoT solutions. 

    In combination with its focus on adaptability and global alignment, this legislation positions Australia as a leader in IoT security, setting a standard that other nations may follow. As cybersecurity becomes an essential feature rather than an afterthought, this legislation paves the way for a more secure and resilient digital future. 

    Why the Cyber Security Bill Matters 

    The introduction of the Cyber Security Bill 2024 reflects Australia’s commitment to staying ahead in the cybersecurity landscape, particularly in the rapidly expanding market of smart devices. Its alignment with international standards underscores a coordinated global approach to managing cyber risks. 

    This move is particularly timely, given the growing number of smart devices in homes and workplaces. From connected thermostats to industrial IoT devices, these technologies introduce convenience but also create potential security vulnerabilities. By requiring manufacturers to incorporate robust security measures, the Bill ensures a safer environment for consumers and businesses alike. 

    Setting the Global Standard 

    Both Australia’s Cyber Security Bill and the EU’s Cyber Resilience Act (CRA) highlight the increasing focus on IoT and digital product security. These regulations signal to manufacturers worldwide that cybersecurity can no longer be an afterthought. Instead, secure-by-design principles and ongoing compliance will be critical for market access. 

    These laws contribute to streamlined global standards, simplifying compliance for global manufacturers and enabling them to design products that meet multiple regulatory frameworks. At the same time, these regulations elevate consumer expectations, as end-users increasingly demand robust security features in digital products. In turn, this puts pressure on companies to innovate and prioritize safety in their offerings, and opens up new opportunities for innovation in cybersecurity, particularly for companies specializing in tools and solutions that assist manufacturers in meeting stringent security requirements.

    Together, these trends are reshaping the digital product landscape, driving progress toward a more secure and resilient global ecosystem. 

    What Businesses Should Do Now 

    Whether targeting the Australian, European, or global market, businesses must:

    1. Understand Regional Regulations: Stay updated on cybersecurity laws in key markets. 
    2. Adopt Secure-by-Design Principles: Integrate security into product development from the outset. 
    3. Collaborate Globally: Engage with initiatives like CRACoWi to stay ahead of regulatory trends. 

    CRACoWi Project is here to help 

    The Cyber Resilience Act Compliance Wizard (CRACoWi) project is aligned with these regulations, as it addresses:

    • Awareness Building: Educating manufacturers and users on security risks and compliance requirements. 
    • Support for SMEs: Providing resources to help small businesses navigate complex global regulations. 
    • Promoting Secure-by-Design: Encouraging innovation in device security to meet evolving standards. 

    Highlighting these regulations on the CRACoWi platform emphasizes the project’s role in fostering a resilient global IoT ecosystem.

    CRACoWi White Paper

    The digitalization of the global economy is driving a massive shift in consumer and business behaviors, creating an interconnected ecosystem of billions of devices and millions of applications. This exponential growth amplifies the importance of robust cybersecurity measures, especially as critical infrastructures like energy, healthcare, and financial services become increasingly reliant on digital technologies.

    Recognizing these challenges, the EU has introduced the Cyber Resilience Act (CRA) to establish mandatory cybersecurity requirements for products with digital elements. To support organizations in meeting these stringent standards, the CRACoWi project has developed an innovative solution – the Cyber Resilience Act Compliance Wizard. This white paper explores the critical role of CRACoWi in helping SMEs navigate the complexities of CRA compliance.

    A few topics from the document:

    • The emerging cybersecurity risks for critical infrastructures and IoT ecosystems.
    • How the CRA establishes a secure framework for digital products through lifecycle management and vulnerability reduction.
    • The role of the CRACoWi Compliance Wizard in automating compliance, documentation, and certification processes for SMEs.
    • Real-world applications of CRACoWi tools, showcasing their adaptability across industries and product categories.
    • The strategic importance of collaboration between regulatory bodies, industry leaders, and innovative SMEs to ensure a resilient digital future.

    SMEs play a vital role in the EU’s digital economy but often face challenges in meeting complex regulatory requirements. This white paper outlines practical solutions provided by CRACoWi, including automated compliance assessments, AI-powered self-assessment tools, and lifecycle security management methodologies. It highlights how CRACoWi enables SMEs to strengthen product security, reduce compliance burdens, and maintain a competitive edge in a rapidly evolving market.

    Gain comprehensive insights about CRACoWi: