
Cyber Resilience Act: How to Finance and Successfully Achieve Compliance for Your Digital Products Before 2027

Cybersecurity for digital products is becoming a regulatory priority in Europe. With the Cyber Resilience Act (CRA), the European Union is introducing new security requirements for software, embedded systems, and connected devices placed on the European market.

The regulation entered into force on December 10, 2024. Its reporting obligations will apply from September 11, 2026, and its general application will begin on December 11, 2027.

For affected companies, this means integrating cybersecurity from the product design phase and throughout its entire lifecycle. It is therefore essential to anticipate these requirements now.

Good news: the SECURE project, established by the European Commission, supports small businesses in strengthening the cybersecurity of their hardware and software products, helping them comply with the CRA.

Understanding the requirements of the Cyber Resilience Act

The CRA imposes cybersecurity requirements for products with digital elements. Its objective is to ensure that these products maintain an appropriate level of security throughout their lifecycle.

These requirements notably cover design, development, maintenance, vulnerability management, and the provision of security updates. The regulation is also aligned with CE marking, which is a condition of access to the European market for the products concerned.

In practical terms, companies must:

  • integrate security from the design phase (security by design);
  • conduct cybersecurity risk assessments;
  • implement a vulnerability management process;
  • ensure the publication and deployment of security patches;
  • organize post-market monitoring;
  • establish technical compliance documentation.

Why act before 2027

Although the main deadline is set for December 11, 2027, compliance cannot be achieved in just a few weeks. It often requires revising development practices, cybersecurity governance, product documentation, and vulnerability management processes.

Moreover, reporting obligations start as early as September 11, 2026, which further reinforces the need to prepare early.

Starting now allows companies to:

  • spread investments over time;
  • reduce compliance gaps;
  • avoid costly late-stage remediation;
  • better prepare for access to the European market.

Financial support is available for CRA compliance

Compliance with the Cyber Resilience Act can represent a significant investment, especially for SMEs. This process can be supported by European public funding schemes and, depending on the case, by other national or regional funding programs dedicated to cybersecurity and innovation projects.

Eligible expenses often include:

  • cybersecurity audits
  • risk assessments
  • securing the software development lifecycle
  • technical testing and security evaluations
  • implementation of vulnerability management processes
  • regulatory compliance support

The SECURE program is currently the most concrete initiative directly linked to funding CRA preparation.

Since January 28, 2026, companies with fewer than 250 employees and a turnover below €50 million can benefit from €30,000 in funding to support this process.

Key steps to prepare for CRA compliance

Compliance with the Cyber Resilience Act generally follows a structured and progressive approach.

  1. Define the regulatory scope
    Identify the products concerned, applicable obligations, and impacts on the product lifecycle.
  2. Conduct a maturity assessment
    A diagnostic helps identify gaps between the current state and CRA requirements.
  3. Structure product cybersecurity
    This includes risk analysis, secure development, cybersecurity governance, and vulnerability management.
  4. Verify technical robustness
    Audits and technical testing help identify exploitable weaknesses and prioritize corrective actions.
  5. Prepare documentation and compliance
    Technical documentation, compliance evidence, and post-market processes must be organized to meet regulatory requirements.

How SERMA Safety and Security supports companies

SERMA Safety and Security provides dedicated support for the Cyber Resilience Act (CRA), based on a comprehensive approach to product cybersecurity. The objective is to help companies anticipate regulatory requirements while ensuring the long-term security of their digital products.

SERMA’s approach covers all product cybersecurity challenges: auditing, risk analysis, vulnerability management, technical compliance, and traceability. It supports companies at every stage of the product lifecycle, from design to market operation.

More specifically, SERMA Safety and Security supports companies in:

  • raising awareness of CRA requirements;
  • assessing cybersecurity maturity levels;
  • performing product risk analyses;
  • establishing cybersecurity governance and associated documentation;
  • conducting audits and technical testing;
  • preparing for CE marking;
  • managing post-market monitoring and vulnerabilities.

This approach transforms CRA compliance into a structured, pragmatic process aligned with industrial and software constraints.

Turning the CRA into a strategic lever

The Cyber Resilience Act should not be viewed solely as an additional obligation. For companies that anticipate it, it can become a strategic lever to improve product security, strengthen customer trust, and better prepare for access to the European market.

The existence of programs like SECURE also changes the perspective: it is no longer just about financing a constraint, but about leveraging funding to accelerate the cybersecurity maturity of products.

Would you like to assess the impact of the Cyber Resilience Act on your products and identify available funding for your project?

SERMA Safety and Security supports you in analyzing your obligations, securing your products, and structuring your CRA compliance approach.
