Cyber Resilience Act

Use the EU law as a competitive advantage.


Industry and Cyber Security: The Cyber Resilience Act (CRA) as a competitive advantage

In an increasingly connected world, cyber threats to both consumers and businesses are on the rise. To ensure that fewer products with vulnerabilities are brought to market in the future, the European Union aims to make the cyber security of products recognizable to the user and to ensure the security and reliability of domestic supply chains by making manufacturers and retailers implement effective cyber security measures. The relevant requirements are defined by the Cyber Resilience Act (CRA), which was passed by the EU Parliament in March 2024. With its introduction, companies face the challenge of complying with strict regulations in order to continue to successfully serve the European market.

However, the groundbreaking EU legislation on cyber resilience not only brings challenges, but also opens up a wide range of opportunities: companies that adapt to the requirements of the CRA at an early stage can gain a competitive advantage, strengthen the trust of their customers and protect their corporate values. As a leading management consultancy, we support companies in the development and implementation of strategies to strengthen their cyber resilience. In doing so, we contribute our strengths from various disciplines: strategic product planning, innovative product development, efficient production processes and cyber security. Our holistic approach enables us to prepare you for the EU-wide CRA at an early stage and make your company fit for the future.
 

Goals of CRA

Standards should ensure that products offer a high level of safety throughout the EU internal market.

All companies in the EU must fulfill the same cybersecurity obligations in order to guarantee fair competition.

Clear guidelines should create legal certainty for manufacturers, retailers and consumers.

Our Consulting Services in Cyber Resilience Act

Inventory and identification of potentials for optimization

Your challenges:

  • Complexity of the requirements for the products by the CRA
  • Lack of clarity about the next steps for implementing the requirements within the specified timeframe

Our solution approach:

  • Gain an understanding of product requirements and an initial analysis of your product portfolio
  • Review your products with regard to the requirements of the CRA
  • Perform a risk analysis for a representative product
  • Gap analysis between the current cybersecurity capabilities of a product and the requirements of the CRA

Strategies for increasing resilience

Your challenges:

  • Lack of guidance for the effective implementation of requirements and their integration into product development
  • Complex product portfolio with different development cycles

Our solution approach:

  • Collaboratively develop a company-specific action plan for the product-related implementation of the relevant requirements
  • Identify and prioritize relevant product strategies to develop a safe and CRA-compliant product life cycle

Support for successful implementation

Your challenges:

  • Compatibility and interoperability with existing systems
  • Lack of an implementation plan with prioritized goals, measures and responsibilities

Our solution approach:

  • Technical support to create a master plan of action
  • Enablement in the technical implementation of the action plan for selected products

 

Motivation of the European Union

Improving the resilience of EU member states against cyber threats

Promoting a coordinated response to cyber attacks through closer cooperation

Bringing fewer products with vulnerabilities to the European market (increasing the security of the EU)

Giving users the ability to take cyber security into account when choosing and using products

Obligations of the Cyber Resilience Act

Assessment and documentation of the cyber security risks of products up to the approval of the products by testing bodies

Effective vulnerability management to remediate or reduce known vulnerabilities.

Provision of operating instructions to ensure the safe use of their products.

Regular provision of free security updates to protect products against new threats.

Obligation to report cyber attacks or security incidents to the European security agency ENISA.

Implement cyber-relevant EU regulations holistically with UNITY

Any questions about the Cyber Resilience Act?

  • What impact will the Cyber Resilience Act have on my company?

    The CRA aims to increase manufacturers' responsibility for the cyber security of their products.

    This is to be achieved by bringing fewer products with vulnerabilities to market, which should improve protection against cyber attacks.

    Manufacturers bear responsibility throughout the entire life cycle of their product and are therefore responsible for security from the development stage to disposal.

    After the law comes into force, a transitional period of 24 months is planned during which the member states must prepare for implementation. Manufacturers are obliged to provide evidence of compliance with the requirements 36 months after the directive comes into force. Failure to comply could result in penalties of up to 15 million euros or 2.5 percent of global turnover.
     

     

  • Who is affected by the Cyber Resilience Act?

    The CRA affects all manufacturers of products with digital elements (e.g. software, hardware) as well as distributors and importers who place such products on the market. This covers a wide range of sectors, from the electronics and digital industry to the automotive industry, the toy industry and many others.

    The Regulation establishes obligations for member states, including market surveillance and enforcement. It aims to regulate products with digital elements that enable a data connection to a device or network. These products are divided into two categories:

    • Highly critical products that are crucial for supply chain resilience and require European cyber security certificates.
    • Critical products, which are subject to a conformity assessment procedure and require CE marking.
      • Class I includes products such as VPN products, password managers and routers.
      • Class II includes products such as operating systems for servers and industrial firewalls.

    There are exceptions for products that are already regulated by existing regulations, such as medical devices and products in connection with motor vehicles or airplanes.

  • How can I best prepare for the Cyber Resilience Act?

    Companies should prepare for the upcoming CRA legislation by developing a robust security strategy. This strategy should focus on making products secure from the outset and continually keeping them up to date with the latest security technology through regular updates.

    The first step is to familiarize yourself with the requirements of the CRA in order to understand what requirements are placed on your own company. The next step is to compare the status quo of the products with the requirements and develop a company-specific roadmap for implementing the CRA requirements. 

    The CRA should not only be seen as an obligation for companies, but also as a structured framework for building cyber resilience within the company and avoiding security gaps.

    We look forward to supporting you with our expertise in understanding the complex requirements of the CRA and implementing them successfully in your company.

Make an appointment with our experts

Depending on the topic, we provide you with the right experts. Select your preferred date from our calendar and discuss your concerns with our experts by phone or via Microsoft Teams without any obligation. We look forward to getting to know you!


Why UNITY?

We see cyber security not as an end in itself, but as an integral part of doing business in the digital era. This is why we provide a holistic view of your challenges in relation to the Cyber Resilience Act.

Customized security

Do you have a tight budget or a large-scale cyber security program? Are you solely responsible for product security in your organization or are you the CISO in charge of an entire department? Regardless of your requirements, UNITY will respond to your individual needs and work with you to find a solution that suits you.

Integrative and strong in implementation

We look at your company's overall situation and optimize your organization, processes and IT. The security requirements must match the product strategy, the PLM system, the development process, the production processes and the IT systems. Our consultants specialize in each area.

We feel at home in the manufacturing industry

UNITY has been advising medium-sized and international companies with a focus on the development and production of industrial products since 1995. With our DNA in digitalization, we advise as equals and provide fresh impetus for digital and networked products.

Are you familiar with Smart Mechatronics?

A development partner for intelligent, networked systems

Smart Mechatronics is your partner for the cyber security of your products and product development processes. As a member of our UNITY Innovation Alliance group of companies, the experts at Smart Mechatronics will advise you throughout the development process and support you in implementing security requirements to increase the cyber resilience of your company and your products.


Your contacts

Michael Happ

Head of Cyber Security

Cologne, Germany

Christian Grotebrune

Partner, Business Area Team Lead

Paderborn, Germany

Dr. Michael Herbst

Partner, Business Area Team Lead

Cologne, Germany

Dr.-Ing. Jens Standke

Principal, Head of PLM & Digital Twin

Cologne, Germany