Sitting in the meeting room in Brussels, surrounded by some of the most influential cybersecurity experts and policymakers in Europe, I couldn’t help but feel the weight of the moment. The Cyber Resilience Act (CRA) is no longer a draft on paper - it’s real, it’s happening, and now, the real work begins.
As the first CRA Expert Group Meeting unfolded, it became clear that this was more than just a regulatory discussion. This was a collective effort to define how the cybersecurity of products in Europe will be shaped for decades to come. And having spent my career helping manufacturers secure their products, I knew that this meeting was crucial - not just for compliance, but for building a more resilient digital future.
Bridging the Gap Between Regulation and Industry
From the start, the European Commission made its priorities clear:
- The technical descriptions of important and critical products need to be finalized by December 2025.
- Standardization efforts are already underway, with a request issued to ETSI, CEN, and CENELEC.
- Notified bodies must be ready by 2026, but accreditation challenges remain.
- Risk assessment and proportionality are still open questions, with many manufacturers unsure of how to approach compliance.
Listening to these discussions, one thing was evident: there is still a gap between the regulatory framework and the practical reality manufacturers will face. And this is where my focus was throughout the meeting - helping ensure that the CRA is not just enforceable, but actually workable.
The Challenges Ahead: Standardization, Risk Assessment & Certification
1️⃣ Standardization: The Need for Clarity
One of the most debated topics was how standards will align with the CRA’s requirements. The Commission has requested 41 new standards, but the timeline is tight, and manufacturers will need clarity sooner rather than later.
I raised a key concern: How do we ensure that these standards are practical for industry adoption?
- If standards aren’t finalized in time, how will companies ensure compliance?
- Will there be transitional measures to avoid bottlenecks?
The answers weren’t definitive, but there was agreement that standardization needs to be accelerated while keeping industry needs in mind. This reinforced my belief that companies cannot afford to wait - engaging in standardization discussions NOW is critical.
2️⃣ Risk Assessment: A Lingering Uncertainty
Another major issue was how manufacturers should conduct risk assessments under the CRA. The regulation requires a proportional approach, meaning security measures should be adapted to product risk.
But here’s the problem: the CRA does not clearly define what “low-risk” and “high-risk” products are.
Some experts suggested formalizing risk categories, while others worried that doing so would be too rigid. My take? Manufacturers need clear guidelines, but they also need flexibility.
I supported the idea of a "digital guide" to help companies navigate risk assessment requirements. But I also warned that without a clear framework that is aligned with existing frameworks, the CRA could create unnecessary complexity for businesses already following global best practices.
3️⃣ Certification & Conformity Assessment: The Race Against Time
One of the most urgent concerns was whether there will be enough notified bodies ready to certify products by 2026.
Here’s the challenge:
- Accreditation procedures for notified bodies are not yet fully defined.
- Without harmonized standards, notified bodies lack a clear framework for assessing CRA compliance.
This could create a bottleneck, with manufacturers struggling to get their products certified in time. Spain proposed a dedicated forum for notified bodies and certification authorities, which I strongly support. Without coordination, we risk a fragmented approach across member states.
The CRA is Here - Now What?
Walking out of that meeting, I felt both energized and concerned. The CRA is a game-changer, and I fully support its goal of making cybersecurity a core requirement for products in Europe. But implementation will not be easy.
Here’s my message to businesses: The CRA is not just another regulation - it’s a shift in how cybersecurity is approached across the supply chain. And waiting until 2026/2027 to act is not an option.
So what's next?
✔ Engage with standardization efforts NOW - this is where the rules of compliance will be shaped.
✔ Prepare for risk assessments - even without full clarity, starting early will help avoid last-minute panic.
✔ Monitor certification pathways - understand what will be required for your products before it’s too late.
This is an opportunity for all of us - not just to comply with a regulation, but to build a safer, more secure digital landscape for the future.
Let’s not wait for compliance deadlines to force our hand. Let’s lead.
Simplifying CRA, RED, and Global Compliance with CyberPass
While the CRA and RED Directive introduce groundbreaking cybersecurity requirements, navigating compliance can be overwhelming - especially with the EN 18031 standard now officially published and the August 2025 RED compliance deadline fast approaching.
This is where CyberPass comes in. Our AI-powered platform streamlines compliance for vendors, labs, Notified Bodies, and scheme owners, helping you stay ahead of evolving regulations with precision and efficiency.
How CyberPass Helps You Achieve Compliance Faster
✔ AI-Powered Self-Assessments – Instantly identify gaps and understand your obligations under the CRA, RED, EN 18031, ETSI EN 303 645 and global cybersecurity frameworks.
✔ Automated Documentation & Compliance Evidence – Generate, review, and organize the necessary technical files for seamless certification.
✔ Seamless Collaboration with Labs & Notified Bodies – Accelerate evaluations, streamline communication, and ensure faster approvals.
✔ Real-Time Compliance Monitoring – Stay on track with interactive dashboards and up-to-date regulatory insights.
With just months until key deadlines, I strongly believe that CyberPass is your fastest, smartest, and most reliable way to achieve and maintain compliance - without the complexity.
My 2 cents!