FAQ on the Cyber Resilience Act: What you need to know

Key information for manufacturers

Since December 2024, the Cyber Resilience Act (CRA) has been in force across the EU. It introduces binding requirements for manufacturers of digital products. The aim is to protect consumers and businesses that purchase and use products or software with digital components. Here’s what companies need to know and how they can prepare.

The European Commission describes the CRA as a “game-changer” for the single market, introducing minimum cybersecurity requirements and obligations for vulnerability management. The goal is to enhance user trust and reduce the economic risks of cyberattacks.

This article answers the most frequently asked questions about the Cyber Resilience Act:

When does the CRA take effect, and what does it cover?

The CRA has been in force since December 10, 2024, with a three-year transition period. It sets minimum cybersecurity requirements for products placed on the European single market. Key provisions include:

  • Cybersecurity must be incorporated into the product design.
  • Security features must be documented.
  • Vulnerability monitoring and management are mandatory.
  • Security updates must be provided free of charge.


Cybersecurity will also become part of the CE marking, affecting all products circulated within the European single market.

Is the CRA binding? Does it mean that non-compliant products may no longer be sold?

Yes, the CRA is a legally binding EU regulation. The focus is on the principle of “security by default.” The requirement for CE marking with a cybersecurity reference becomes mandatory at the end of the transition period. The European Commission emphasizes the need for manufacturers to prepare for audits and transparency.

Non-compliant products may still be sold during the transition period, but manufacturers must adapt to the requirements within three years of the regulation's entry into force.

Which products are not affected by the CRA?

Mainly products that do not process or transmit data are excluded. For example, at KEBA, this applies to:

  • Accessories such as mounts or plugs.
  • Spare parts that replace an existing product one-to-one—even if they are from an old design.


However, once a product processes or communicates data, it falls under the CRA. This means that most core products from KEBA Industrial Automation are affected.

Will the CRA remain static once introduced, or are updates expected?

While the core content is largely finalized, product classification is still being developed—and this has major practical implications.

Products will be classified as:

  • Standard products
  • Important products
  • Critical products


The classification determines who declares the product’s conformity:

  • For standard products, the manufacturer may declare conformity.
  • For important or critical products, third-party assessment is required—e.g., by TÜV or other certified bodies.


A harmonized standard is still in development and will provide a uniform testing framework.

What specific technical requirements must manufacturers meet to ensure cybersecurity?

The CRA revolves around four key requirements:

  1. Security by design: Cybersecurity must be embedded into the development process from the outset.
  2. Documentation: Users must understand how to configure the product securely.
  3. Update capability: Security updates must be planned, provided, and integrable.
  4. Vulnerability monitoring: Manufacturers must establish processes to detect and manage vulnerabilities.


All measures must be documented and demonstrable in case of audits.

How can manufacturers ensure that their products remain resilient to cyberattacks over time?

Only through a secure end-to-end process: development, risk analysis, monitoring, and updates. Once vulnerabilities are identified, they must be addressed reliably and traceably.

What role do existing standards and certifications play in implementing the CRA?

Currently, no harmonized standards exist. However, existing norms such as IEC 62443-4-1 (for processes) and IEC 62443-4-2 (for products) are helpful reference points, though not directly linked to the CRA. Additional sector-specific standards will follow.

Where do the greatest challenges—or perhaps opportunities—lie?

The biggest challenge is retrofitting legacy products that were developed years ago without security requirements. In contrast, new products can integrate security from the beginning—much more efficiently.

What applies when machinery is modernized?

Significant changes—such as replacing the control system—create a new product that must comply with all CRA requirements. Mechanical components are typically exempt, but software and electronics are not.

How can stakeholders cooperate effectively?

Implementation will be driven by trade associations, information platforms, and reporting authorities. The EU sets the framework, while manufacturers and certification bodies handle the details.


What is needed to make the CRA truly effective?

Process establishment, documentation, training, customer transparency, and risk analysis. It’s a long-term transformation process.

How much will implementation cost?

A rule of thumb: approximately 15% additional effort in software development. These costs remain with the manufacturer and must be factored into pricing. A surcharge for CRA compliance is not permitted.

Does the CRA apply only within the EU?

Not quite. It applies to all products sold in the EU and the European Economic Area (EEA), including imports. For imported products, the importer assumes responsibility under the CRA.

What about open source components?

If manufacturers use open source components in their products, they remain responsible for ensuring their secure integration.

Conclusion: What does cyber resilience mean in the long run?

Cybersecurity, or cyber resilience, is not a one-time task but an ongoing obligation throughout the product lifecycle. It must be integrated into existing processes—comparable to other quality certifications.

The Cyber Resilience Act (CRA) is more than a regulatory requirement—it is a strategic signal for a secure digital future. Cybersecurity must be a permanent element of product strategy, quality management, and corporate governance. Those who invest today in resilient development processes, transparent documentation, and organizational security reduce legal risks and position themselves for long-term market success. The CRA is not a burden—it’s a catalyst for future viability.
