Cyber Resilience Act – State of Play in 2026

The implementation landscape around the Cyber Resilience Act (CRA) is evolving rapidly. While the regulation itself entered into force in 2024, the ecosystem surrounding it – including guidance documents, harmonised standards, certification schemes, and conformity assessment procedures – is now taking shape at a remarkable pace.

For companies working with products containing digital elements, 2026 has become a crucial year for understanding how CRA requirements will be interpreted and applied in practice. From draft guidance published by the European Commission to major developments in standardisation and certification, several important milestones have already been reached.

This overview is prepared based on insights and analysis provided by Michael Beine (Bureau Veritas), contributor to the CRACoWi project activities related to certification, standardisation, and CRA implementation developments.

1. Draft CRA Guidance Published by the European Commission

    In March 2026, the European Commission published the draft guidance on the Cyber Resilience Act, with the commenting period ending in April 2026. The final version is expected towards the end of 2026 or beginning of 2027:

    • It provides interpretations of the CRA legal text from the official source of truth.
    • A must-read for everybody seeking clarity and interpretation of the CRA.
    • In some cases, the additional level of detail creates follow-up questions, which will hopefully be addressed in the final revision.

    This draft guidance is particularly important because it provides interpretations of the CRA legal text directly from the official source. For many stakeholders, it is currently one of the most valuable documents available for understanding how certain provisions of the regulation may be interpreted in practice.

    The document also demonstrates the complexity of implementing the CRA. While the guidance clarifies several topics, the additional level of detail has, in some areas, also created follow-up questions from industry and standardisation groups. Many stakeholders are now expecting that some of these open points will be addressed in the final revision.

    The draft guidance can be accessed through the European Commission’s official channels under the title “Draft Commission guidance on the Cyber Resilience Act”.

    2. RED-DA Cybersecurity Requirements will be Repealed – It is Official

    Another major development became official in 2026. To avoid overlapping regulatory requirements, the cybersecurity-related provisions under Article 3(3)(d), (e) and (f) of the Radio Equipment Directive, activated by the RED Delegated Act (RED-DA), will be deactivated on the date the CRA becomes fully applicable: 11 December 2027.

    This confirms an important signal from the legislator: there is currently no indication that the CRA timeline will be delayed. The transition towards CRA remains firmly on track.

    The repeal was adopted through Delegated Regulation (EU) 2026/339, published on EUR-Lex.

    3. Standardisation is Moving Forward Rapidly – prEN 40000-1-2 Drafting is Completed

    Standardisation activities around the CRA are accelerating significantly.

    The drafting of the first horizontal CRA standard, prEN 40000-1-2 “Cybersecurity requirements for products with digital elements – Part 1-2: Principles for cyber resilience”, has been completed and entered final review. If the formal vote is positive, publication could follow by the end of October 2026.

    This is an important milestone because horizontal standards are expected to play a key role in supporting harmonised approaches to CRA compliance across industries.

    At the same time, discussions around sector-specific standards continue intensely.

    More info: Post | LinkedIn

    4. Debate Around “Broad Verticals” and IEC 62443 – “Broad verticals will not be cited in the OJEU”

    One statement made by the European Commission during the ENISA Conference in March 2026 created significant discussion within standardisation working groups and the OT industry.

    According to comments shared publicly after the event, the Commission stated that “broad verticals will not be cited in the Official Journal of the European Union (OJEU).”

    This has raised concerns among stakeholders working on adapting IEC 62443 standards for CRA presumption of conformity, particularly in industrial and operational technology environments.

    The standards EN IEC 62443-4-1 and EN IEC 62443-4-2 remained in public consultation (Enquiry phase) until the end of April 2026. However, discussions around how these standards may ultimately be referenced under the CRA framework are still ongoing.

    At this stage, it is clear that the final approach to sector-specific harmonisation is still evolving.

    The last word is probably not yet said about this.

    More info: Post | LinkedIn

    5. CSA2 draft regulation proposes new Certification Schemes for CRA

    The proposed update of the Cybersecurity Act (commonly referred to as CSA2) also represents an important step in aligning the EU cybersecurity certification framework with the CRA.

    The proposal aims to facilitate the creation and adaptation of certification schemes supporting CRA requirements. This is particularly relevant for products that may require third-party conformity assessment procedures.

    The proposal for the revised EU Cybersecurity Act has been published under the European Commission’s “Shaping Europe’s Digital Future” initiative.

    CSA2 aims to boost the creation and adaptation of Certification Schemes for the CRA.

    More info: Proposal for a Regulation for the EU Cybersecurity Act | Shaping Europe’s digital future

    6. EUCC Implementing Act Expected by End of 2026

    The European Commission has also indicated plans for an implementing act approving the EU Common Criteria (EUCC) scheme for CRA purposes. This would support conformity assessment procedures for critical products with digital elements, including categories such as payment terminals, smart cards, and smart meter gateways.

    While no publicly available implementing act reference has yet been identified, this would represent another major step towards operationalising CRA conformity assessment mechanisms.

    7. “Fast-track” Procedure for NoBos under RED-DA

    Another important discussion currently taking place involves a potential “fast-track” procedure for the nomination of Notified Bodies (NoBos) under the CRA.

    According to publicly shared information from discussions between the European Commission and ADCO CRA, the proposal would simplify nomination procedures for organisations already designated under RED-DA.

    The objective appears straightforward: ensuring that a sufficient number of Notified Bodies are available before the CRA becomes fully applicable at the end of 2027.

    More info: Post | LinkedIn

    Help Is on the Way for SMEs

    As the Cyber Resilience Act (CRA) moves closer to full implementation, many SMEs are still trying to understand what the regulation means in practice and how to prepare for compliance. The good news is that support is already taking shape across Europe.

    Several EU-funded initiatives, including CRACoWi and other projects within the CRA Cluster, are actively developing practical tools, guidance materials, and training resources designed to help organisations navigate the new cybersecurity requirements.

    Within CRACoWi, the first support resources are already becoming available. These include tools such as the CRA Scope Assessment, which helps organisations better understand whether and how the CRA applies to their products, as well as the CRAcademy initiative, offering webinars, workshops, and educational materials focused on CRA implementation and cybersecurity compliance.

    And this is only the beginning. Additional tools, guidance documents, training materials, and practical support mechanisms are currently under development and will continue to evolve over the coming months.

    If you want to stay informed about the latest developments, upcoming training sessions, and new CRA support resources, make sure to follow the CRACoWi project and subscribe to the newsletter.

    You can also explore the broader ecosystem of initiatives by visiting the CRA Cluster projects working towards practical CRA implementation across Europe.

    A Regulatory Ecosystem Taking Shape

    What becomes increasingly clear is that the CRA is no longer only a legal text. The broader implementation ecosystem (guidance documents, harmonised standards, certification schemes, conformity assessment procedures, and institutional coordination) is now actively developing.

    For companies across Europe, especially SMEs, staying informed about these developments will be essential over the coming months. The pace of change is high, and many practical aspects of compliance are still being refined in parallel with the regulation’s rollout.

    Projects such as CRACoWi are therefore becoming increasingly relevant, not only because they raise awareness about the CRA, but because they help organisations translate evolving regulatory requirements into practical implementation steps.



    About the Author
    Michael Beine is a cybersecurity and regulatory compliance expert at Bureau Veritas Consumer Product Services Germany, with more than 20 years of experience in the testing, inspection, and certification industry. His work focuses on cybersecurity requirements for connected products, IoT security, industrial automation, and European regulatory frameworks, including the Cyber Resilience Act (CRA) and RED Delegated Act. Within the CRACoWi project, he contributes to activities related to certification schemes, standardisation, and practical implementation of cybersecurity compliance requirements.

    Lessons from Asia-Pacific VPN Exploits

    Ransomware operators are getting faster, stealthier, and more aggressive – and the cost of delayed action is growing.

    The recent article from CySecurity News highlights a troubling surge in ransomware and data exfiltration attacks across the Asia-Pacific region. It outlines how ransomware groups like Akira are systematically targeting vulnerable VPN configurations and unpatched systems. The manufacturing sector, critical infrastructure, and telecommunications are particularly hard hit, revealing how outdated technologies and weak credential management expose organizations to severe risks.

    What’s concerning is not just the scale of the intrusions – but the shift in tactics:

    • Exploiting known VPN vulnerabilities (like CVE-2024-40766) within days of disclosure
    • Bypassing multi-factor authentication using stolen session tokens
    • Monetizing breaches through access sales, data theft, and non-encrypting extortion

    These attacks aren’t just technical – they’re strategic. They aim to destabilize operations, erode trust, and extract long-term value from compromised environments.

    This alarming trend underscores a universal truth – cyber resilience is no longer optional – it is a business imperative. The evolving sophistication of ransomware actors, coupled with the rise of non-encrypting extortion schemes, demands a paradigm shift from reactive patching to proactive, intelligence-driven defence.

    What does this mean for Europe?

    While the attacks are currently concentrated in APAC, the tactics are global – and the vulnerabilities they exploit exist in EU-based networks and products. That’s why the European Cyber Resilience Act (CRA) is not just timely – it’s necessary.

    The CRA sets a clear baseline – if a product is digital, connected, and sold in the EU, it must be secure-by-design and secure-by-default. This means embedding cybersecurity principles from the earliest stages of product conception, rather than adding fixes later. Its goal is to shift the burden away from consumers and reactive IT teams and toward manufacturers and developers – ensuring that digital products are designed with security in mind from day one, and supported throughout their lifecycle.

    Specifically, the CRA requires:

    • Mandatory risk management throughout the product lifecycle
    • Post-market support and timely software updates
    • Built-in mechanisms for vulnerability handling and reporting

    However, legislation alone isn’t enough. Compliance must be supported by guidance, tools, and practical frameworks, especially for SMEs that lack extensive cybersecurity resources (as well as money, time and knowledge).


    This is precisely where EU-funded projects like CRACoWi (Cyber Resilience Act Compliance Wizard Tool) play a crucial role. CRACoWi is a digital assistant that helps companies (particularly SMEs) understand what the CRA means for them, assess their cybersecurity risks, and take concrete compliance actions early in the product design process. It promotes a “secure-by-design” approach, which is essential to prevent vulnerabilities like those exploited in these APAC VPN attacks.

    The EU’s Cyber Resilience Act and initiatives like CRACoWi champion embedding cybersecurity into digital products, including VPNs and network devices, to reduce risks before they become incidents. While patch management, credential hygiene, and account lockout policies remain critical, they are reactive measures. The ultimate goal is building security from the ground up, reducing the attack surface, and ensuring robust defense mechanisms are integral to product design – not afterthoughts.

    Moreover, the APAC ransomware crisis reflects broader global challenges – supply chains dependent on legacy technology, complex operational networks vulnerable to breach, and the human factor as the primary entry vector exploited via social engineering. These challenges emphasize why the EU’s holistic approach – combining regulation, innovative compliance tools like CRACoWi, and continuous awareness campaigns – is critical to enhancing digital trust and resilience.

    As ransomware actors sharpen their tactics with automation, credential theft, and stealthy persistence, Europe’s emphasis on a multilayered defense posture and intelligence-led security frameworks becomes a model for global cybersecurity strategies.


    Funded under the Digital Europe Programme, CRACoWi is not only building the CRA Compliance Wizard but also providing awareness materials, FAQs, and support resources to bridge the gap between regulation and implementation for European businesses.

    The APAC ransomware wave and VPN exploit trends serve as a critical reminder – cybersecurity is an enabler of business continuity and trust, not just compliance. By embedding security from design to deployment, European initiatives like CRACoWi are paving the way toward a safer digital future for all.

    Because cyber resilience is not just about patching systems after the fact – it’s about building products, businesses, and ecosystems capable of resisting, recovering, and adapting to threats that continue to evolve.

    If ransomware actors are moving faster, so must we. Security-by-design is not a feature – it’s a requirement.

    Understanding the US Cyber Trust Mark

    The United States is set to launch the US Cyber Trust Mark in 2025, a groundbreaking voluntary initiative aimed at enhancing the cybersecurity of wireless consumer IoT products sold in the U.S. market. This program marks a significant step in creating safer digital ecosystems by promoting transparency, security, and trust in smart devices.

    As mentioned in our previous article, a CyberSafe Products Action Plan builds on existing cybersecurity frameworks. In the EU we have the Cyber Resilience Act (CRA), which establishes security requirements for digital products, while in the U.S. there is the Cyber Trust Mark Program. Let’s take a closer look at this trust mark.

    What is the US Cyber Trust Mark?

    The US Cyber Trust Mark is a cybersecurity labeling program introduced by the Federal Communications Commission (FCC). Its goal is to help consumers identify IoT products that meet recognized cybersecurity standards, empowering them to make informed decisions about the devices they bring into their homes.

    The program is designed to enhance the security of wireless consumer IoT products sold in the United States. The program applies to a wide range of devices, including smart home appliances, wearable technologies, and other connected products, ensuring comprehensive coverage of the consumer IoT market.

    Participation in the initiative is voluntary, allowing manufacturers to demonstrate their commitment to cybersecurity by meeting established standards. With the program’s expected launch in 2025, businesses have time to align their products with the framework and prepare for compliance, showcasing their dedication to delivering secure and trustworthy technologies.

    How Does the U.S. Cyber Trust Mark Work?

    The program involves Cybersecurity Label Administrators (CLAs), organizations authorized to assess IoT products for compliance with security standards. In December 2024, the FCC announced the conditional approval of 11 companies as CLAs, with UL Solutions selected as the Lead Administrator. These administrators will evaluate product applications, authorize the use of the label, and support consumer education.

    Participating devices will feature a certification label with a shield logo and a QR code, allowing consumers to scan for detailed security information, including support periods, automatic software updates, and security patch details.

    Bureau Veritas (7layers), a partner in the CRACoWi Project, is one of the organizations that can conduct these cybersecurity assessments under the U.S. Cyber Trust Mark framework through authorization as Lab for CSA-PSWG, CTIA IoT-Cyber and ioXt. With its expertise in testing, certification, and regulatory compliance, Bureau Veritas helps businesses navigate the certification process efficiently, ensuring they meet the necessary security requirements.

    Global Streamlining

    In a joint statement, the European Union (EU) and U.S. have emphasized their commitment to mutual recognition of cybersecurity standards, including the US Cyber Trust Mark and the EU’s Cyber Resilience Act (CRA). This alignment seeks to streamline compliance for global manufacturers, ensuring that IoT products meet shared security expectations across both markets. See also our article on Transatlantic Cooperation for Cybersecurity and a Safer Future for IoT Products.

    Besides initiatives introduced by national authorities, there are good examples of projects, like the CRACoWi Project, that play a vital role in improving cybersecurity awareness and resilience in IoT devices. By highlighting initiatives like the U.S. Cyber Trust Mark, CRACoWi helps manufacturers navigate global cybersecurity requirements and align with emerging standards.

    The launch of the U.S. Cyber Trust Mark is a critical step toward securing the digital world. By adopting voluntary cybersecurity certifications, manufacturers can demonstrate their commitment to security and innovation, while consumers gain greater confidence in IoT technologies.



    CRACoWi White Paper

    The digitalization of the global economy is driving a massive shift in consumer and business behaviors, creating an interconnected ecosystem of billions of devices and millions of applications. This exponential growth amplifies the importance of robust cybersecurity measures, especially as critical infrastructures like energy, healthcare, and financial services become increasingly reliant on digital technologies.

    Recognizing these challenges, the EU has introduced the Cyber Resilience Act (CRA) to establish mandatory cybersecurity requirements for products with digital elements. To support organizations in meeting these stringent standards, the CRACoWi project has developed an innovative solution – the Cyber Resilience Act Compliance Wizard. This white paper explores the critical role of CRACoWi in helping SMEs navigate the complexities of CRA compliance.

    A few topics from the document:

    • The emerging cybersecurity risks for critical infrastructures and IoT ecosystems.
    • How the CRA establishes a secure framework for digital products through lifecycle management and vulnerability reduction.
    • The role of the CRACoWi Compliance Wizard in automating compliance, documentation, and certification processes for SMEs.
    • Real-world applications of CRACoWi tools, showcasing their adaptability across industries and product categories.
    • The strategic importance of collaboration between regulatory bodies, industry leaders, and innovative SMEs to ensure a resilient digital future.

    SMEs play a vital role in the EU’s digital economy but often face challenges in meeting complex regulatory requirements. This white paper outlines practical solutions provided by CRACoWi, including automated compliance assessments, AI-powered self-assessment tools, and lifecycle security management methodologies. It highlights how CRACoWi enables SMEs to strengthen product security, reduce compliance burdens, and maintain a competitive edge in a rapidly evolving market.


    Cyber Resilience Act Published as Regulation in the Official Journal

    The Cyber Resilience Act (CRA) has officially been adopted, marking a major step towards enhancing cybersecurity standards across the EU. Its publication in the Official Journal of the European Union (EUR-Lex) as Regulation (EU) 2024/2847 was the final step in the legislative process for the CRA. The act establishes horizontal cybersecurity requirements for products with digital elements, addressing widespread vulnerabilities and inconsistent security update practices, with the aim of improving the security and resilience of digital products throughout their lifecycle.

    This final step defines the deadlines as follows:

    • December 10, 2024: Following its publication in the Official Journal of the European Union on November 20, 2024, the CRA will enter into force on the twentieth day after its publication, ensuring a swift transition towards enhanced cybersecurity standards.
    • September 11, 2026: Reporting obligations for stakeholders take effect.
    • December 11, 2027: Full application of the regulation.

    The CRA introduces horizontal cybersecurity standards applicable to hardware, software, and digital services. The goal is to address widespread vulnerabilities and ensure that manufacturers prioritize security throughout a product’s lifecycle.

    The regulation requires manufacturers to adopt vulnerability management processes and ensure timely security updates. It emphasizes transparency in the product lifecycle, obligating manufacturers to clearly communicate the duration of support for security updates.

    The act also includes provisions to support microenterprises and small businesses, particularly in understanding and complying with the cybersecurity standards required by the regulation.

    The Scope and Specific Provisions of the Cyber Resilience Act (CRA) require that all products with digital elements meet mandatory cybersecurity standards before being sold in the EU. Products must also display the CE marking, indicating compliance with EU safety regulations. Additionally, the CRA distinguishes between “important” and “critical” products, with stricter assessments applied to higher-risk products to ensure greater security.

    Furthermore, the CRA ensures consumers are better informed about the security features of digital products, providing them with tools to choose secure devices and ensuring a safer digital environment for end-users, including children.

    Overall, the Cyber Resilience Act sets the foundation for a more resilient digital landscape in Europe by mandating essential cybersecurity measures for all digital products. Emphasizing transparency, the CRA requires manufacturers to prioritize cybersecurity at every stage – from design to end-of-life – while ensuring users are informed about security support periods. By harmonizing requirements across the EU, the act aims to foster a secure digital market while minimizing risks for consumers and businesses alike.

    For more details, see the full regulation on EUR-Lex.