A globally operating electronics manufacturer must align its entire development process with the Cyber Resilience Act. No critical products, but complex structures, historically evolved processes, and competency gaps across multiple departments. What follows is not a compliance project. It is a restart of product security.
Case Study: Product Security and Cyber Resilience Act
How can CRA compliance be achieved when legacy structures, competency gaps, and multiple regulations simultaneously impact an organization? In this article, we demonstrate how a compliance project becomes a fundamental restart of product security.
Customer
A global manufacturer of smart home appliances, headquartered in Germany
Industry
Electronics / Consumer Electronics
Challenge
CRA compliance for a product, taking into account complex corporate structures and customer requirements
carmasec role
Cybersecurity consultancy and implementation partner
Initial Situation: High Uncertainty, Limited Time
With the entry into force of the Cyber Resilience Act (CRA), a globally operating manufacturer of smart household appliances based in Germany must ensure the cybersecurity of its products with digital elements throughout their entire product lifecycle. Initially, there was significant uncertainty regarding the exact implications of the CRA for these products and how the requirements could be reconciled with existing product and software development processes. It was also unclear which products were (not) affected by the CRA and which CRA requirements were already (partially) implemented.
The manufacturer commissioned our cross-functional expert team to develop a holistic strategy for achieving CRA compliance in order to establish a high level of cybersecurity throughout the entire lifecycle of digital products.
Challenges
Historically Evolved Processes
The manufacturer’s existing product and software development processes had partially evolved over an extended period and in an inconsistent manner. Furthermore, cybersecurity aspects had not been given significant consideration or were only addressed sporadically.
Complex Corporate Structure
The complexity of our globally operating client’s corporate structure presents another challenge. The company consists of numerous autonomous departments with limited communication interfaces between them. Cybersecurity had previously been considered in only a few departments, and there in very different ways.
Resources and Competencies
The personnel and financial resources as well as the necessary expertise required for implementing the Cyber Resilience Act (CRA) were distributed very unevenly across departments and were completely absent in some areas. Consequently, there was significant uncertainty regarding the measures required to meet CRA requirements.
Integration with Other Regulations and Internal Requirements
Since other national, European, and international regulations also impact the company, overlaps and duplications between them were neither known nor considered. Furthermore, internal company requirements already partially covered these regulations or, in some cases, hindered their fulfillment. Harmonization of these regulations and requirements had not yet taken place.
To address these challenges and develop solutions, our CRA Cybersecurity expert team was commissioned.
Approach: Structured, Step by Step
Identify Products & Regulations
Clarify Responsibilities & Budget
Conduct Gap Analysis
Prioritize Risks
Implement Measures
Demonstrate Conformity
Identify Affected Products and Regulations
The first step toward successful CRA implementation consisted of identifying the affected products. This required analyzing the entire portfolio and the complex structure of the company and identifying the products that fall under the CRA. During the review, an analysis was also conducted to determine whether the client or product might also fall under other relevant regulations (NIS-2 or RED – Radio Equipment Directive).
This classification served as the basis for subsequent steps.
Clarify Responsibilities and Budget
Following the identification of affected products, a clear assignment of responsibilities was developed jointly. Roles for CRA implementation within the company were defined and visibility for the topic was achieved at the management level. At the same time, the required budget for implementing CRA requirements was estimated and calculated to ensure sufficient resources and competencies were available for implementation. Budget planning considered both one-time and ongoing costs. A clearly defined budget enabled realistic and efficient implementation of security measures.
To conclude the planning phase, the further timeline was defined to meet the important EU deadlines and avoid delays in the release of new products. Since the company addressed the CRA in a timely manner, no major delays occurred.
Target/Actual Analysis of CRA Requirements
A target-actual analysis was then conducted to compare the company’s and products’ existing security measures with CRA requirements and identify gaps. Through document review, technical interviews with contacts, and examination of audit reports, we arrived at the following findings:
The company’s products already had basic security mechanisms, but the structures and processes within the company were not aligned with the new CRA requirements. While measures such as software updates and access controls existed, the product lifecycle lacked a systematic security concept based on the Security by Design principle. Security aspects were not considered during the design phase, but only shortly before or even after product release. Furthermore, some products lacked the Security by Default principle, as they were delivered with a default password. Software updates were not made available throughout the complete lifecycle of the devices due to insufficient technical capabilities, and were often discontinued after just 3 years. Additionally, it was determined that the company lacked the processes and infrastructure for the required Incident Response Management and Security Monitoring. Employees were only partially trained in cybersecurity. The company’s documentation (general product description, risk assessments, and applied standards) was partially available, but the required SBOM (Software Bill of Materials) was missing.
These findings were then compiled in a report to provide the client with a transparent overview of their current status. The result showed which measures were already compliant and which measures would need to be introduced in the further course. Based on the report, concrete recommendations for action were formulated.
Analyze Risks Within Affected Products
Following the target-actual analysis, a detailed risk analysis was conducted. Potential security risks for the products were evaluated. Traditional vulnerability analyses were combined with Threat-Informed Defense (TID) to establish a well-founded prioritization of required security measures.
Furthermore, penetration tests were conducted on some products with the goal of identifying critical product vulnerabilities. In this way, we completed our picture of the company. Based on the insights gained, we prioritized the required security measures and incorporated them into our recommendations for action.
Implementation of Identified Measures (Procedural & Technical)
The first measure implemented was training relevant personnel. In addition to the knowledge conveyed, this had the side effect of enabling us to better involve employees in the implementation of measures.
A particular challenge was presented by the historically evolved product and software development processes, which had emerged over years without a unified security strategy. We adapted these by introducing structured Security by Design principles and thus establishing a secure product development process and lifecycle. Product security is now considered throughout all phases of the product lifecycle from the design phase onward. This also took into account that the security update period for a product must now match its expected lifetime; the CRA sets a minimum support period of five years unless the product is expected to be in use for a shorter time. Technology is therefore selected to ensure it can still receive security updates after five years, which is not a given for microcontroller platforms and vendor libraries whose own support ends sooner.
Furthermore, with our support, the company introduced a new Continuous Integration and Continuous Delivery (CI/CD) pipeline with automated security checks. An Application Security Platform was implemented that automatically reviews developers’ code and reports vulnerabilities in code and libraries during programming. The platform can also generate the SBOM required by the CRA for all software developed by the company, so that the component inventory is produced by the build itself rather than maintained by hand.
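One check worth placing in such a pipeline is a gate that refuses to ship a build whose SBOM cannot be matched against vulnerability advisories. The following is an added example, not code from the case study or from the client's Application Security Platform. It assumes the build emits a CycloneDX JSON SBOM (the page does not name a format); the two documents, the component names and the product name "dishwasher-fw" are constructed for illustration.

```python
# Added example: a minimal SBOM quality gate for a CI/CD job.
# Assumption: the build produces a CycloneDX JSON SBOM. Component names and
# the product name below are constructed sample data, not real product data.
import json

# Constructed SBOM with three defects a gate should catch: a component without
# a purl, a component without a version, and a duplicate entry.
BAD_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "firmware", "name": "dishwasher-fw", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "mbedtls", "version": "3.5.2", "purl": "pkg:generic/mbedtls@3.5.2"},
        {"type": "library", "name": "lwip", "version": "2.1.3"},            # purl missing
        {"type": "library", "name": "vendor-blob"},                         # version missing
        {"type": "library", "name": "mbedtls", "version": "3.5.2", "purl": "pkg:generic/mbedtls@3.5.2"},
    ],
})

# Constructed SBOM that satisfies the gate.
GOOD_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "firmware", "name": "dishwasher-fw", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "mbedtls", "version": "3.5.2", "purl": "pkg:generic/mbedtls@3.5.2"},
        {"type": "library", "name": "lwip", "version": "2.1.3", "purl": "pkg:generic/lwip@2.1.3"},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse the SBOM and reject anything that is not a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def check_sbom(sbom: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings. 'error' findings block the release."""
    findings: list[tuple[str, str]] = []
    product = sbom.get("metadata", {}).get("component", {})
    if not product.get("name") or not product.get("version"):
        findings.append(("error", "metadata.component must name the product and its version"))
    components = sbom.get("components", [])
    if not components:
        findings.append(("error", "SBOM lists no components"))
    seen = set()
    for comp in components:
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        # Without a version the component cannot be matched against advisories.
        if not version:
            findings.append(("error", f"{name}: version missing"))
        # Without a purl the component's identity is ambiguous across ecosystems.
        if not comp.get("purl"):
            findings.append(("warning", f"{name}: purl missing"))
        key = (name, version)
        if key in seen:
            findings.append(("warning", f"{name}@{version}: listed more than once"))
        seen.add(key)
    return findings


def sbom_gate(text: str) -> bool:
    """True when the SBOM may ship; False when any error-level finding exists."""
    return not any(sev == "error" for sev, _ in check_sbom(load_sbom(text)))


if __name__ == "__main__":
    for label, doc in (("bad", BAD_SBOM), ("good", GOOD_SBOM)):
        print(label, "passes" if sbom_gate(doc) else "blocked")
        for sev, msg in check_sbom(load_sbom(doc)):
            print("  ", sev, msg)
```

In a real pipeline `sbom_gate` would read the SBOM artifact produced by the build step and exit non-zero on a blocked result; the warning level exists so that a missing purl is visible in the build log without stopping a release, while a missing version always does, because that is the field advisory matching depends on.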
Simultaneously, an Incident Response Team was established within the company and the infrastructure for Incident Response Management and Security Monitoring was created. The company is now able to meet the CRA reporting deadlines: an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident, followed by the more detailed notification within 72 hours and the final report. It can respond quickly to internal and external reports and provide users with security updates for their products.
Due to the new processes and the new security mindset, the products now fulfill the Security by Design & Default principles.
Conducting the Conformity Assessment
The company had no important or critical products, so the conformity assessment could be conducted by the company itself; it did not require evaluation by a notified body. We supported the company in the self-assessment, the technical documentation, and the EU declaration of conformity, so that the new products can carry the CE marking and enter the EU market without delay once the CRA's conformity obligations apply on 11 December 2027.
Added Value
Thanks to the in-depth expertise of our CRA Cybersecurity expert team and our many years of experience in Product Security and secure software development, we were able to precisely capture the specific challenges of our client and individual organizational units and develop tailored solutions.
In addition to our transparent and holistic approach, close customer-oriented communication and flexibility also contributed significantly to success. Through a thorough assessment of the existing maturity level in the departments and comprehensive education about legal requirements, we provided the client with a clear overview and promoted their security awareness.
At carmasec, we place great value on close collaboration with our clients. Through detailed targeted interviews and the involvement of all relevant stakeholders, we were able to generate a deep understanding of the specific challenges in this project. This enabled us to develop tailored recommendations to ensure compliance with the CRA and other client-specific requirements. We relied on an integrative approach with our Open Source Security experts, which was considered both in strategy development and in the definition of concrete measures. In addition to analysis and assessment, we also supported practical implementation by enabling the client to build sustainable and practical Product Security structures. Together, we defined roles and responsibilities and developed a roadmap for implementing security measures, such as integrating security steps into the development process, defining Secure Coding Standards, and introducing a process for Vulnerability and Incident Management. Additionally, we provided expert consulting support in creating required documentation and processes.
Within one year, we established the framework conditions for CRA and implemented both a secure development process and comprehensive Vulnerability Management including CRA reporting obligations.
This spared the client the challenge of recruiting scarce experts and instead enabled them to build internal knowledge in a targeted manner. This allowed them to effectively implement Product Security and set the course for secure products of tomorrow.
Conclusion
Compliance with the Cyber Resilience Act is not a one-time project. It is a structural question. Companies that build security late in the development process pay twice: once for retrofitting, once for lost time.
This project demonstrates what is possible when starting early. Security by Design as a principle. An SBOM as a foundation. Incident Response as infrastructure. And a team that does not have requirements imposed from outside, but understands why they make sense.
The result is not a checked-off compliance document. It is a product development process that starts securely from now on.
FAQ on CRA Implementation in Practice
How long does a CRA compliance implementation take?
That depends on the initial situation. In this project, the complete framework conditions including CE marking were achieved within one year. Companies with a more mature security level can be faster, those with more complex structures require more time.
Must all company products be CRA-compliant?
No. The CRA applies to products with digital elements that are placed on the EU market once its obligations apply (11 December 2027, with the reporting obligations applying from 11 September 2026). The first step is always the product-specific applicability analysis: What falls under the CRA, what does not?
What is the difference between default, important, and critical products?
Products in the default category can be assessed by the manufacturer through self-assessment. Important products are listed in Annex III of EU Regulation 2024/2847 in two classes: Class I products may still be self-assessed if they fully apply harmonised standards or common specifications, otherwise a notified body is involved; Class II products always require third-party conformity assessment. Critical products are listed in Annex IV and may additionally be required to obtain a European cybersecurity certificate. Classification is based on the product’s risk potential.
What does a CRA gap analysis cost?
Costs depend on the size of the company, the number of affected products, and the complexity of existing processes. We discuss the scope in the initial consultation.
Can carmasec also handle implementation, not just analysis?
Yes. carmasec accompanies the entire process: from applicability analysis through gap analysis and risk analysis to implementation of technical measures, establishment of SBOM and Incident Response infrastructure, and preparation for conformity assessment.
Is your team facing similar questions?
Our team supports you from the initial assessment to CE marking. Competent, direct, and without detours.