Cyber Resilience Act

The Cyber Resilience Act – CRA – is an EU regulation that defines harmonization rules for products with digital elements. Manufacturers, importers and distributors are therefore required to consider and implement cyber security in their products from the outset. The aim and motivation of the EU is to eliminate known problems in digital products and generally strengthen cyber resilience in the EU internal market.

The number of discovered product vulnerabilities (e.g. already in the design) is increasing from year to year, as are the number of detected cyberattacks. The CRA is therefore intended to ensure that security vulnerabilities are identified and eliminated before products are placed on the market, thereby increasing cyber security in Europe.

What supplier need to know now

The Cyber Resilience Act (CRA) was adopted by the European Council in October 2024. This defines two deadlines that are relevant for manufacturers, importers and distributors of products with digital elements: From December 11, 2027, a product with digital elements may only bear the CE mark and be sold in the EU internal market if it meets the requirements of the CRA.

Violations can result in severe fines: up to 15 million euros or 2.5% of the company’s global annual turnover – whichever is higher. The market supervisory authority can also withdraw products from the market or demand improvements.

From September 11, 2026

There is an obligation to report: companies must report serious security incidents and actively exploited vulnerabilities that affect the cyber security of a product to national (CSIRT) and European authorities (ENISA).

As of December 11, 2027

all technical and organizational requirements of the CRA must be met. These include risk-based security measures and the provision of security updates over the entire support period to be defined.

White paper: Everything you need to know about the CRA

We – Limes Security and Ginzinger Electronics – have pooled our expertise to give you a clear overview of the requirements of the CRA – including specific recommendations for practical implementation.

Free download

How we support you in implementing the CRA

The Cyber Resilience Act (CRA) requires far-reaching security measures – in the product, in the development processes and in the organization. Harmonized standards in this regard are currently being developed. These will define specific requirements. For many companies, however, the question is still: what is enough to be CRA-compliant?

Provisioning of guidelines and interpretations on normative and regulatory requirements

Creation of documents and provision of established templates for them!

Regular check-ins at which Limes Security is available as an external sparring partner to discuss plans, implementations and open questions. This ensures that your project makes steady progress.

Support in the creation of concrete security concepts for products.

Review of internally created documents and subsequent optimization proposals if necessary.

Joint implementation of security processes
for learning on the job, e.g:

Implementation of a workshop on threat modeling
Carrying out safety tests for your product

How secure is your OT environment really?

Our OT Cyber Health Check provides a structured first assessment of your current security posture and highlights potential risks.

Start the OT Cyber Health Check

Limes Academy

Practical implementation of the Cyber Resilience Act

If you would like to learn more about the requirements of the Cyber Resilience Act and their practical implementation in your company, we recommend our training course

Show all

Select options This product has multiple variants. The options may be chosen on the product page Quick View

SEC.312 Cyber Resilience Act (CRA) for manufacturers of machinery and equipment
€ 940,00