The ever-evolving world of cybersecurity presents a regulatory maze that can seem impossible to navigate. At the end of this labyrinth stands the Cyber Resilience Act (CRA).
This landmark regulation is designed to strengthen the cybersecurity posture of products with digital elements placed on the EU market that are not already covered by a sector-specific (vertical) regulation. The CRA is, however, only one piece of a much larger regulatory puzzle. Organizations must work out which industry-specific (vertical) and cross-sectoral (horizontal) regulations apply to their products and operations, and therefore which combination of frameworks they actually have to comply with.
This post untangles that complexity, highlighting the role of other regulations such as (EU) 2019/2144 (and the UNECE R155 it incorporates) and clarifying the responsibilities of the stakeholders involved.
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (Regulation (EU) 2024/2847) is a European Union regulation that sets binding cybersecurity requirements for products with digital elements placed on the EU market. Conformity with the CRA becomes part of CE marking: a product must meet the CRA's essential cybersecurity requirements before it may carry the CE mark. The key obligations are:
- Security by Design: Secure engineering, a risk assessment and secure default configuration as baseline requirements.
- Documentation: Technical documentation proving that the cybersecurity requirements were implemented, kept for at least ten years after the product was placed on the market.
- Vulnerability Management: Established processes for handling and mitigating vulnerabilities, including mandatory reporting: an early-warning notification of actively exploited vulnerabilities to the designated CSIRT and ENISA within 24 hours of becoming aware of them (reporting obligations apply from 11 September 2026, ahead of the main obligations on 11 December 2027).
- Lifecycle Support: Security updates for a defined support period that reflects the expected product lifetime, by default at least five years.
- SBOMs / Asset Management: A Software Bill of Materials (SBOM) in a machine-readable format covering at least the product's top-level dependencies, backed by asset management practices so you know which shipped products contain which components.
Compliance with CRA offers significant incentives:
- Demonstrates product quality and adherence to high production standards.
- Maintains and enhances market access and consumer trust.
However, non-compliance poses severe risks, including:
- Substantial revenue and reputation losses from security breaches that proper compliance would have prevented or contained.
- Significant penalties: fines of up to EUR 15 million or 2.5% of the company's worldwide annual turnover, whichever is higher, for breaches of the essential requirements (lower tiers apply to other obligations).
- Refusal or withdrawal of the CE marking, meaning the product cannot be placed on, or must be withdrawn from, the EU market.
Product-Related Cybersecurity Regulations: CRA, UNECE R155, and Others
In Europe, product cybersecurity is governed by both vertical (industry-specific) and horizontal (cross-sectoral) frameworks. The Cyber Resilience Act is a horizontal regulation: it applies by default and steps back only where a more specific vertical regulation is explicitly listed as taking precedence.

Vertical Regulations:
UNECE R155 (UN Regulation No. 155 on cyber security and cyber security management systems):
Applies to the cybersecurity of type-approved vehicles (categories M, N and O and, from 2029, also L). The CRA itself never mentions UNECE R155. Instead, Article 2(2)(c) CRA excludes products with digital elements to which Regulation (EU) 2019/2144 (the General Safety Regulation, GSR) applies.
The GSR, in turn, makes UNECE R155 mandatory for the type approval of vehicles in these categories. This covers not only complete vehicles but also the systems, components and separate technical units intended for them.
Vehicle manufacturers (OEMs) hold the type approval and are therefore fully responsible for compliance with 2019/2144 / UN R155.
Suppliers are not directly regulated under UN R155. If they place type-approval-relevant components or separate technical units on the market independently, those products fall under 2019/2144. For everything else they place on the market, the CRA applies directly, which makes it the key regulation for most Tier-1 suppliers and software providers.
Misreading this boundary is a common source of compliance gaps: a supplier that assumes the OEM's type approval covers its product may have CRA obligations of its own.
Medical Devices Regulation (MDR, (EU) 2017/745) and In Vitro Diagnostic Medical Devices Regulation (IVDR, (EU) 2017/746):
Regulate cybersecurity requirements for medical and diagnostic devices, enforcing comprehensive risk management, secure software updates, incident reporting and clear documentation of cybersecurity practices. Both are explicitly excluded from the CRA's scope under Article 2(2).
Machinery Regulation ((EU) 2023/1230, replacing the Machinery Directive 2006/42/EC from 20 January 2027):
Adds cybersecurity requirements tailored to machinery: protection of safety-related control systems against corruption, risk assessment that covers malicious interference, and documentation of the implemented security features. Note that, unlike the MDR, IVDR and GSR, the Machinery Regulation is not listed among the CRA's exclusions in Article 2(2), so machinery with digital elements generally has to satisfy both.
Horizontal Regulations:
Cyber Resilience Act (CRA):
Applies to all products with digital elements not covered by the vertical regulations above, setting uniform cybersecurity requirements across sectors.
Radio Equipment Directive (RED, 2014/53/EU):
Runs horizontally, in parallel to the CRA. RED applies to products that use radio communication (e.g. Wi-Fi devices, smartphones, infotainment systems and car key fobs); its cybersecurity requirements, activated by Delegated Regulation (EU) 2022/30, apply from 1 August 2025. If none of the vertical regulations applies, either the RED or the CRA, or sometimes both, come into play.
Scope and Standards Comparison:
| Scope | Regulation | Standard |
|---|---|---|
| Vehicle types M, N, O (L from 2029) | (EU) 2019/2144 | ISO/SAE 21434 Road Vehicles, UNECE R155 |
| Vehicle types T, C, R and S (agricultural and forestry vehicles) | Cyber Resilience Act | ISO/CD 24882 Agricultural Machinery and Tractors |
Roles and Responsibilities under the CRA:
Compliance responsibilities depend on the role an organization plays in the market:
- Suppliers (Tier 1):
Generally no direct legal obligations under UNECE R155. Components or separate technical units that are type-approved independently fall under 2019/2144; any other product with digital elements a supplier places on the market makes it a 'manufacturer' under the CRA, with the full set of manufacturer obligations.
- Manufacturers:
Fully responsible for compliance across the value chain, including the components they integrate. Key challenges are the reporting duties, end-to-end compliance assurance and identifying which products are CRA-relevant in the first place.
- Importers & Distributors:
Must verify that the products they handle carry a valid CE marking and the required documentation, and must take part in the communication processes (e.g. informing the manufacturer and authorities of known vulnerabilities or non-conformities). Their main challenges are accurately identifying regulated products and allocating compliance responsibilities.
Cybersecurity Regulations for Services and Operations
Beyond products, several EU regulations address cybersecurity specifically within services and operations:
NIS-2 Directive ((EU) 2022/2555):
Successor to the original NIS Directive of 2016. Establishes stringent cybersecurity rules for critical infrastructure and essential and important entities, emphasizing risk management, supply chain security, incident reporting and personal accountability of management. Unlike the certification schemes under the Cybersecurity Act, NIS-2 obligations are legally binding and aim at a high common level of cybersecurity across the EU.
Cybersecurity Act ((EU) 2019/881):
Gives ENISA a permanent mandate and establishes a framework for European cybersecurity certification schemes for ICT products, services and processes. Certification under these schemes is voluntary by default; it becomes mandatory only where other EU law or a Member State (as NIS-2 permits) requires certified products for a given use.
Critical Entities Resilience (CER) Directive ((EU) 2022/2557):
Focuses on the physical resilience of critical infrastructure, requiring mandatory risk assessments and resilience planning. While CER primarily targets physical threats, it often applies to the same organizations as NIS-2, which covers cybersecurity. Implementing both therefore requires close coordination between the responsible authorities and within the affected entities to avoid gaps and duplicated effort.
General Data Protection Regulation (GDPR, (EU) 2016/679):
Focuses on the protection of personal data rather than on cybersecurity as such, but Article 32 requires appropriate technical and organizational security measures, and personal data breaches must be notified to the supervisory authority within 72 hours. It applies to personal data handling across all sectors.
Digital Operational Resilience Act (DORA, (EU) 2022/2554):
Targets the financial sector's resilience against ICT disruptions, covering ICT risk management, incident reporting, resilience testing and third-party risk. It has applied since 17 January 2025.

Conclusion: Scalable, Continuous Cybersecurity Is Key
As the regulatory frameworks multiply, continuous and scalable security testing becomes essential. Point-in-time penetration testing alone cannot keep pace: it creates excessive workloads, fragmented reporting chains and rising compliance costs.
HydraVision addresses this by doing more than detecting vulnerabilities: it helps organizations separate the sheer volume of detected findings from the comparatively few that are actually exploitable. This distinction matters, because it lets security teams cut through the noise, prioritize the threats that count and stop spending resources on findings with no practical risk.
This also works across large permutations of connected devices deployed in the field. HydraVision pinpoints which specific products or configurations are affected, enabling targeted incident reporting and helping organizations meet their regulatory obligations efficiently, without triggering unnecessary alerts across entire fleets. The result: leaner processes and lower costs.
Escape the regulatory maze – embrace comprehensive cybersecurity with HydraVision!
Do you have questions or need support?
We’re here to help! Contact us with any questions about our HydraVision Security Test Environment or our penetration testing services for ECUs, vehicle networks, and embedded systems.
Skillpoints to spend? Check out our Cybersecurity Workshops and ScapyCon, our annual conference for cybersecurity aficionados!