{"id":3638,"date":"2026-02-16T10:12:22","date_gmt":"2026-02-16T10:12:22","guid":{"rendered":"https:\/\/www.carmasec.com\/?post_type=knowledge-center&#038;p=3638"},"modified":"2026-06-01T11:10:48","modified_gmt":"2026-06-01T11:10:48","slug":"case-study-product-security-and-cyber-resilience-act","status":"publish","type":"knowledge-center","link":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/","title":{"rendered":"Case Study: Product Security and Cyber Resilience Act"},"content":{"rendered":"\n<section id=\"m-facts__container-block_37352a0a8f912084c75e49c95c096271\" class=\"m-facts__container u-pt-x8 u-pb-x0 u-pt-x20@md u-pb-x0@md u-bgcolor-gray-blue\">\n    <div class=\"o-container\">\n        <div class=\"o-grid o-grid--center\">\n            <div class=\"o-grid__col u-6\/12@sm u-4\/12@md u-3\/12@lg m-facts__left--horizontal u-mb-x6 u-mb-x0@md\" data-aos=\"none\"><\/div>\n            <div class=\"o-grid__col u-6\/12@sm u-6\/12@md u-4\/12@lg u-push-1\/12@md m-facts__right--horizontal\">\n                    <div class=\"m-fact__item u-mb-x6\" data-aos=\"none\">\n                        <p class=\"m-fact__headline h3 u-mb-x2\">Customer<\/p>\n                        <p class=\"m-fact__text o-type-small\">A global manufacturer of smart home appliances, headquartered in Germany<br \/>\r\n<\/p>\n                    <\/div>\n                    <div class=\"m-fact__item u-mb-x6\" data-aos=\"none\">\n                        <p class=\"m-fact__headline h3 u-mb-x2\">Industry<\/p>\n                        <p class=\"m-fact__text o-type-small\">Electronics \/ Consumer Electronics<br \/>\r\n<\/p>\n                    <\/div>\n                    <div class=\"m-fact__item u-mb-x6\" data-aos=\"none\">\n                        <p class=\"m-fact__headline h3 u-mb-x2\">Challenge<\/p>\n                        <p class=\"m-fact__text o-type-small\">CRA compliance for a product, taking into account complex corporate 
structures and customer requirements<br \/>\r\n<\/p>\n                    <\/div>\n                    <div class=\"m-fact__item u-mb-x6\" data-aos=\"none\">\n                        <p class=\"m-fact__headline h3 u-mb-x2\">carmasec role<\/p>\n                        <p class=\"m-fact__text o-type-small\">Cybersecurity consultancy and implementation partner<\/p>\n                    <\/div><\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"introduction\" data-anchor-title=\"Introduction\" class=\"m-text__container u-pt-x8 u-pb-x0 u-pt-x12@md u-pb-x0@md\"><div class=\"o-container u-relative\">\n        <div class=\"o-grid\">\n                <article class=\"o-grid__col u-12\/12@md\" data-aos=\"fade\">\n                    <p class=\"o-type-large\">A globally operating electronics manufacturer must align its entire development process with the Cyber Resilience Act. No critical products, but complex structures, historically evolved processes, and competency gaps across multiple departments. What follows is not a compliance project. It is a restart of product security.<\/p>\n\n                <\/article>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"initial-situation-high-uncertainty-limited-time\" data-anchor-title=\"Initial Situation: High Uncertainty, Limited Time\" class=\"m-text__container u-pt-x8 u-pb-x0 u-pt-x12@md u-pb-x0@md\"><div class=\"o-container u-relative\">\n        <div class=\"o-grid\">\n                <article class=\"o-grid__col u-12\/12@md\" data-aos=\"fade\">\n                    <h2>Initial Situation: High Uncertainty, Limited Time<\/h2>\n<p>With the entry into force of the <a href=\"https:\/\/www.carmasec.com\/de\/glossar\/cyber-resilience-act-cra\/\">Cyber Resilience Act (CRA)<\/a>, a globally operating manufacturer of smart household appliances based in Germany must ensure the cybersecurity of its products with digital elements\/components throughout their entire product lifecycle. 
Initially, there was significant uncertainty regarding the exact implications of the CRA for digital products and how this could be reconciled with existing product and software development processes. It was also unclear which products were (not) affected by the CRA and which CRA requirements were already (partially) implemented.<\/p>\n<p>The manufacturer commissioned our cross-functional expert team to develop a holistic strategy for achieving CRA compliance in order to establish a high level of cybersecurity throughout the entire lifecycle of digital products.<\/p>\n<h2><strong>Challenges<\/strong><\/h2>\n<h3>Historically Evolved Processes<\/h3>\n<p>The manufacturer&#8217;s existing product and software development processes had partially evolved over an extended period and in an inconsistent manner. Furthermore, cybersecurity aspects had not been given significant consideration or were only addressed sporadically.<\/p>\n<h3>Complex Corporate Structure<\/h3>\n<p>The complexity of our globally operating client&#8217;s corporate structure presented another challenge. The company consists of numerous autonomous departments with limited communication interfaces between them. Cybersecurity had previously been considered in only a few departments, and there in very different ways.<\/p>\n<h3>Resources and Competencies<\/h3>\n<p>The personnel and financial resources as well as the necessary expertise required for implementing the Cyber Resilience Act (CRA) were distributed very unevenly across departments and were completely absent in some areas. Consequently, there was significant uncertainty regarding the measures required to meet CRA requirements.<\/p>\n<h3>Integration with Other Regulations and Internal Requirements<\/h3>\n<p>Since other national, European, and international regulations also impact the company, overlaps and duplications between them were not known or considered. 
Furthermore, internal company requirements partially cover these regulations already or hinder their fulfillment. Harmonization of these regulations and requirements had not yet taken place.  <\/p>\n<p>To address these challenges and develop solutions, our CRA Cybersecurity <a href=\"https:\/\/www.carmasec.com\/en\/about-us\/team\/\">expert team<\/a> was commissioned.<\/p>\n\n                <\/article>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"m-text__container-block_a3ff467ac3cdc4cd266c94988bf38f1f\" class=\"m-text__container u-pt-x8 u-pb-x4 u-pt-x20@md u-pb-x8@md\"><div class=\"o-container u-relative\">\n        <div class=\"o-grid\">\n                <article class=\"o-grid__col u-8\/12@md\" data-aos=\"none\">\n                    <h2>Approach: Structured, Step by Step<\/h2>\n\n                <\/article>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"m-tiles__container-block_6863ac17151467b1c2024cc9a82853a2\" class=\"m-tiles__container u-pt-x0 u-pb-x0 u-pt-x0@md u-pb-x0@md\">\n    <div class=\"o-container\">\n        <div class=\"o-grid\">\n                <div class=\"o-grid__col u-mb-x4 u-6\/12@sm u-4\/12@md\" data-aos=\"none\">\n                \n                    <figure class=\"c-card u-relative u-block u-full--height c-card--border u-bgcolor-white u-p-x4 u-p-x8@md\">\n                        <img decoding=\"async\" src=\"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/03\/Icon_Schritt-1_Candidate-Journey.svg\" width=\"1500\" height=\"1499\" srcset=\"\" sizes=\"(max-width: 480px) 100vw, 480px\" alt=\"Icon f\u00fcr Schritt 1 von 4 im Bewerbungsprozess bei carmasec\" class=\"u-image__icon u-mb-x5\"  \/>\n                        <figcaption class=\"u-relative\"><p><strong>Identify Products &#038; Regulations<br \/>\n<\/strong><\/p>\n<\/figcaption>\n                    <\/figure>\n                    \n                <\/div>\n                <div class=\"o-grid__col u-mb-x4 u-6\/12@sm u-4\/12@md\" 
data-aos=\"none\">\n                \n                    <figure class=\"c-card u-relative u-block u-full--height c-card--border u-bgcolor-white u-p-x4 u-p-x8@md\">\n                        <img decoding=\"async\" src=\"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/03\/Icon_Schritt-2_Candidate-Journey.svg\" width=\"1500\" height=\"1499\" srcset=\"\" sizes=\"(max-width: 480px) 100vw, 480px\" alt=\"Icon f\u00fcr Schritt 2 von 4 im Bewerbungsprozess bei carmasec\" class=\"u-image__icon u-mb-x5\"  \/>\n                        <figcaption class=\"u-relative\"><p><strong>Clarify Responsibilities &#038; Budget<\/strong><\/p>\n<\/figcaption>\n                    <\/figure>\n                    \n                <\/div>\n                <div class=\"o-grid__col u-mb-x4 u-6\/12@sm u-4\/12@md\" data-aos=\"none\">\n                \n                    <figure class=\"c-card u-relative u-block u-full--height c-card--border u-bgcolor-white u-p-x4 u-p-x8@md\">\n                        <img decoding=\"async\" src=\"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/03\/Icon_Schritt-3_Candidate-Journey.svg\" width=\"1500\" height=\"1499\" srcset=\"\" sizes=\"(max-width: 480px) 100vw, 480px\" alt=\"Icon f\u00fcr Schritt 3 von 4 im Bewerbungsprozess bei carmasec\" class=\"u-image__icon u-mb-x5\"  \/>\n                        <figcaption class=\"u-relative\"><p><strong>Conduct Gap Analysis<\/strong><\/p>\n<\/figcaption>\n                    <\/figure>\n                    \n                <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"m-tiles__container-block_dcc2b3b5e289173d03f35c9acf46eb85\" class=\"m-tiles__container u-pt-x0 u-pb-x8 u-pt-x0@md u-pb-x20@md\">\n    <div class=\"o-container\">\n        <div class=\"o-grid\">\n                <div class=\"o-grid__col u-mb-x4 u-6\/12@sm u-4\/12@md\" data-aos=\"none\">\n                \n                    <figure class=\"c-card u-relative u-block u-full--height c-card--border u-bgcolor-white 
u-p-x4 u-p-x8@md\">\n                        <img decoding=\"async\" src=\"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/03\/Icon_Schritt-4_Candidate-Journey.svg\" width=\"1500\" height=\"1499\" srcset=\"\" sizes=\"(max-width: 480px) 100vw, 480px\" alt=\"Icon f\u00fcr Schritt 4 von 4 im Bewerbungsprozess bei carmasec\" class=\"u-image__icon u-mb-x5\"  \/>\n                        <figcaption class=\"u-relative\"><p><strong>Prioritize Risks<\/strong><\/p>\n<\/figcaption>\n                    <\/figure>\n                    \n                <\/div>\n                <div class=\"o-grid__col u-mb-x4 u-6\/12@sm u-4\/12@md\" data-aos=\"none\">\n                \n                    <figure class=\"c-card u-relative u-block u-full--height c-card--border u-bgcolor-white u-p-x4 u-p-x8@md\">\n                        <img decoding=\"async\" src=\"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/04\/Icon_Schritt-4_Candidate-Journey.svg\" width=\"1500\" height=\"1499\" srcset=\"\" sizes=\"(max-width: 480px) 100vw, 480px\" alt=\"Grafik mit der Zahl 5 in Orange auf blau-goldenem Kreishintergrund\" class=\"u-image__icon u-mb-x5\"  \/>\n                        <figcaption class=\"u-relative\"><p><strong>Implement Measures<\/strong><\/p>\n<\/figcaption>\n                    <\/figure>\n                    \n                <\/div>\n                <div class=\"o-grid__col u-mb-x4 u-6\/12@sm u-4\/12@md\" data-aos=\"none\">\n                \n                    <figure class=\"c-card u-relative u-block u-full--height c-card--border u-bgcolor-white u-p-x4 u-p-x8@md\">\n                        <img decoding=\"async\" src=\"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/04\/Icon_Schritt-4_Candidate-Journey-2.svg\" width=\"1500\" height=\"1499\" srcset=\"\" sizes=\"(max-width: 480px) 100vw, 480px\" alt=\"Grafik mit der Zahl 6 in Orange auf blau-goldenem Kreishintergrund\" class=\"u-image__icon u-mb-x5\"  \/>\n                        <figcaption 
class=\"u-relative\"><p><strong>Demonstrate Conformity<\/strong><\/p>\n<\/figcaption>\n                    <\/figure>\n                    \n                <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"m-text__container-block_8e32fdab3a33af22ca033c6c91c43afa\" class=\"m-text__container u-pt-x0 u-pb-x0 u-pt-x0@md u-pb-x0@md\"><div class=\"o-container u-relative\">\n        <div class=\"o-grid\">\n                <article class=\"o-grid__col u-12\/12@md\" data-aos=\"none\">\n                    <h4>Identify Affected Products and Regulations<\/h4>\n<p>The first step toward successful CRA implementation consisted of identifying the affected products. This required analyzing the entire portfolio and the complex structure of the company and identifying the products that fall under the CRA. During the review, an analysis was also conducted to determine whether the client or product might also fall under other relevant regulations (NIS-2 or RED &#8211; Radio Equipment Directive).  <\/p>\n<p>This classification served as the basis for subsequent steps.<\/p>\n<h4>Clarify Responsibilities and Budget<\/h4>\n<p>Following the identification of affected products, a clear assignment of responsibilities was developed jointly. Roles for CRA implementation within the company were defined and visibility for the topic was achieved at the management level. At the same time, the required budget for implementing CRA requirements was estimated and calculated to ensure sufficient resources and competencies were available for implementation. Budget planning considered both one-time and ongoing costs. A clearly defined budget enabled realistic and efficient implementation of security measures.    <\/p>\n<p>To conclude the planning phase, the further timeline was defined to meet the important EU deadlines and avoid delays in the release of new products. Since the company addressed the CRA in a timely manner, no major delays occurred. 
<\/p>\n<h4>Target\/Actual Analysis of CRA Requirements<\/h4>\n<p>A target-actual analysis was then conducted to compare the company&#8217;s and products&#8217; existing security measures with CRA requirements and identify gaps. Through document review, technical interviews with contacts, and examination of audit reports, we arrived at the following findings: <\/p>\n<p>The company&#8217;s products already had basic security mechanisms, but the structures and processes within the company were not aligned with the new CRA requirements. While measures such as software updates and access controls existed, the product lifecycle lacked a systematic security concept based on the Security by Design principle. Security aspects were not considered during the design phase, but only shortly before or even after product release. Furthermore, some products lacked the Security by Default principle, as they were delivered with a default password. Software updates were not made available throughout the complete lifecycle of the devices due to insufficient technical capabilities, and were often discontinued after just 3 years. Additionally, it was determined that the company lacked the processes and infrastructure for the required Incident Response Management and Security Monitoring. Employees were only partially trained in cybersecurity. The company&#8217;s documentation (general product description, risk assessments, and applied standards) was partially available, but the required SBOM (Software Bill of Materials) was missing.       <\/p>\n<p>These findings were then compiled in a report to provide the client with a transparent overview of their current status. The result showed which measures were already compliant and which measures would need to be introduced in the further course. Based on the report, concrete recommendations for action were formulated.  
<\/p>\n<h4>Analyze Risks Within Affected Products<\/h4>\n<p>Following the target-actual analysis, a detailed risk analysis was conducted. Potential security risks for the products were evaluated. Traditional vulnerability analyses were combined with Threat-Informed Defense (TID) to establish a well-founded prioritization of required security measures.<\/p>\n<p>Furthermore, penetration tests were conducted on some products with the goal of identifying critical product vulnerabilities. In this way, we completed our picture of the company. Based on the insights gained, we prioritized the required security measures and incorporated them into our recommendations for action.<\/p>\n<h2>Implementation of Identified Measures (Procedural &#038; Technical)<\/h2>\n<p>The first measure implemented was training relevant personnel. In addition to the knowledge conveyed, this had the side effect of enabling us to better involve employees in the implementation of measures.<\/p>\n<p>A particular challenge was presented by the historically evolved product and software development processes, which had emerged over years without a unified security strategy. We adapted these by introducing structured Security by Design principles and thus establishing a secure product development process and lifecycle. Product security is now considered throughout all phases of the product lifecycle from the design phase onward. This also took into account that security updates for products must now correspond to the product lifespan. Technology is selected to ensure it can still receive security updates even after 5 years.<\/p>\n<p>Furthermore, with our support, the company introduced a new Continuous Integration and Continuous Delivery (CI\/CD) pipeline with automated security checks. An Application Security Platform was implemented that automatically reviews developers&#8217; code and reports vulnerabilities in code and libraries during programming. 
This program can also create the SBOM required by the CRA for all software developed by the company.  <\/p>\n<p>Simultaneously, an Incident Response Team was established within the company and the infrastructure for Incident Response Management and Security Monitoring was created. The company is now able to report vulnerabilities and security incidents within a maximum of 24 hours. It can respond quickly to internal and external reports and provide users with security updates for their products.  <\/p>\n<p><strong>Due to the new processes and the new security mindset, the products now fulfill the Security by Design &#038; Default principles.<\/strong><\/p>\n<h3>Conducting the Conformity Assessment<\/h3>\n<p>The company had no critical products, so the conformity assessment could be conducted by the company itself; it did not require evaluation by a third party. We supported the company in the self-evaluation and were able to obtain the CE marking for the new products, so that they can enter the EU market without delay after December 2027. <\/p>\n<h2>Added Value<\/h2>\n<p>Thanks to the in-depth expertise of our CRA Cybersecurity expert team and our many years of experience in Product Security and secure software development, we were able to precisely capture the specific challenges of our client and individual organizational units and develop tailored solutions.<\/p>\n<p>In addition to our transparent and holistic approach, close customer-oriented communication and flexibility also contributed significantly to success. Through a thorough assessment of the existing maturity level in the departments and comprehensive education about legal requirements, we provided the client with a clear overview and promoted their security awareness. <\/p>\n<p>At carmasec, we place great value on close collaboration with our clients. 
Through detailed targeted interviews and the involvement of all relevant stakeholders, we were able to generate a deep understanding of the specific challenges in this project. This enabled us to develop tailored recommendations to ensure compliance with the CRA and other client-specific requirements. We relied on an integrative approach with our Open Source Security experts, which was considered both in strategy development and in the definition of concrete measures. In addition to analysis and assessment, we also supported practical implementation by enabling the client to build sustainable and practical Product Security structures. Together, we defined roles and responsibilities and developed a roadmap for implementing security measures, such as integrating security steps into the development process, defining Secure Coding Standards, and introducing a process for Vulnerability and Incident Management. Additionally, we provided expert consulting support in creating required documentation and processes.      <\/p>\n<p>Within one year, we established the framework conditions for CRA and implemented both a secure development process and comprehensive Vulnerability Management including CRA reporting obligations.<\/p>\n<p>This spared the client the challenge of recruiting scarce experts and instead enabled them to build internal knowledge in a targeted manner. This allowed them to effectively implement Product Security and set the course for secure products of tomorrow. <\/p>\n\n                <\/article>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"conclusion\" data-anchor-title=\"Conclusion\" class=\"m-text__container u-pt-x8 u-pb-x0 u-pt-x12@md u-pb-x0@md\"><div class=\"o-container u-relative\">\n        <div class=\"o-grid\">\n                <article class=\"o-grid__col u-12\/12@md\" data-aos=\"fade\">\n                    <h3 class=\"h3\">Conclusion<\/h3>\n<p>Compliance with the Cyber Resilience Act is not a one-time project. 
It is a structural question. Companies that build security late in the development process pay twice: once for retrofitting, once for lost time.  <\/p>\n<p>This project demonstrates what is possible when starting early. Security by Design as a principle. An SBOM as a foundation. Incident Response as infrastructure. And a team that does not have requirements imposed from outside, but understands why they make sense.    <\/p>\n<p>The result is not a checked-off compliance document. It is a product development process that starts securely from now on. <\/p>\n\n                <\/article>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"faq\" data-anchor-title=\"FAQ\" class=\"m-text__container u-pt-x0 u-pb-x8 u-pt-x20@md u-pb-x0@md\"><div class=\"o-container u-relative\">\n        <div class=\"o-grid\">\n                <article class=\"o-grid__col u-12\/12@md\" data-aos=\"none\">\n                    <h3>FAQ on CRA Implementation in Practice<\/h3>\n\n                <\/article>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"m-accordion__container-block_0bc7827b5d387761a2c8e45e2bebb41a\" class=\"m-accordion__container u-pt-x0 u-pb-x8 u-pt-x0@md u-pb-x20@md \">\n    <div class=\"o-container\">\n        <div class=\"o-grid\">\n            <div class=\"o-grid__col u-12\/12@md\">\n                <div class=\"m-accordion\" itemscope itemtype=\"https:\/\/schema.org\/FAQPage\">\n                         <div class=\"m-accordion__item u-bgcolor-white u-mb-x2\" itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\" data-aos=\"none\">\n                             <div class=\"m-accordion__header u-relative u-pv-x2 u-pv-x4@sm u-ph-x3 u-ph-x6@sm\">\n                                 <p class=\"h6 u-mb-x0\" itemprop=\"name\">\n                                     How long does a CRA compliance implementation take? 
\n                                 <\/p>\n                             <\/div>\n                             <div class=\"m-accordion__body u-relative u-index--1\" itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\n                                 <div class=\"u-ph-x3 u-ph-x6@sm u-pb-x2\" itemprop=\"text\"><p><span data-ccp-props=\"{\"335559738\":200,\"335559739\":200,\"335572079\":4,\"335572080\":0,\"335572081\":13421772,\"469789806\":\"single\"}\"> That depends on the initial situation. In this project, the complete framework conditions including CE marking were achieved within one year. Companies with a more mature security level can be faster, those with more complex structures require more time.  <\/span><\/p>\n<\/div>\n                             <\/div>\n                         <\/div>\n                         <div class=\"m-accordion__item u-bgcolor-white u-mb-x2\" itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\" data-aos=\"none\">\n                             <div class=\"m-accordion__header u-relative u-pv-x2 u-pv-x4@sm u-ph-x3 u-ph-x6@sm\">\n                                 <p class=\"h6 u-mb-x0\" itemprop=\"name\">\n                                     Must all company products be CRA-compliant? \n                                 <\/p>\n                             <\/div>\n                             <div class=\"m-accordion__body u-relative u-index--1\" itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\n                                 <div class=\"u-ph-x3 u-ph-x6@sm u-pb-x2\" itemprop=\"text\"><p>No. The CRA applies to products with digital elements that are placed on the EU market after entry into force. The first step is always the product-specific applicability analysis: What falls under the CRA, what does not?  
<\/p>\n<\/div>\n                             <\/div>\n                         <\/div>\n                         <div class=\"m-accordion__item u-bgcolor-white u-mb-x2\" itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\" data-aos=\"none\">\n                             <div class=\"m-accordion__header u-relative u-pv-x2 u-pv-x4@sm u-ph-x3 u-ph-x6@sm\">\n                                 <p class=\"h6 u-mb-x0\" itemprop=\"name\">\n                                     What is the difference between standard and critical products? \n                                 <\/p>\n                             <\/div>\n                             <div class=\"m-accordion__body u-relative u-index--1\" itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\n                                 <div class=\"u-ph-x3 u-ph-x6@sm u-pb-x2\" itemprop=\"text\"><p>Standard products can be certified through self-assessment. Class I and II products require external review by a notified body. Classification is based on the product&#8217;s risk potential and is defined in the Annex of EU Regulation 2024\/2847.  <\/p>\n<\/div>\n                             <\/div>\n                         <\/div>\n                         <div class=\"m-accordion__item u-bgcolor-white u-mb-x2\" itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\" data-aos=\"none\">\n                             <div class=\"m-accordion__header u-relative u-pv-x2 u-pv-x4@sm u-ph-x3 u-ph-x6@sm\">\n                                 <p class=\"h6 u-mb-x0\" itemprop=\"name\">\n                                     What does a CRA gap analysis cost? 
\n                                 <\/p>\n                             <\/div>\n                             <div class=\"m-accordion__body u-relative u-index--1\" itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\n                                 <div class=\"u-ph-x3 u-ph-x6@sm u-pb-x2\" itemprop=\"text\"><p>Costs depend on the size of the company, the number of affected products, and the complexity of existing processes. We discuss the scope in the initial consultation. <\/p>\n<\/div>\n                             <\/div>\n                         <\/div>\n                         <div class=\"m-accordion__item u-bgcolor-white u-mb-x2\" itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\" data-aos=\"none\">\n                             <div class=\"m-accordion__header u-relative u-pv-x2 u-pv-x4@sm u-ph-x3 u-ph-x6@sm\">\n                                 <p class=\"h6 u-mb-x0\" itemprop=\"name\">\n                                     Can carmasec also handle implementation, not just analysis? \n                                 <\/p>\n                             <\/div>\n                             <div class=\"m-accordion__body u-relative u-index--1\" itemscope itemprop=\"acceptedAnswer\" itemtype=\"https:\/\/schema.org\/Answer\">\n                                 <div class=\"u-ph-x3 u-ph-x6@sm u-pb-x2\" itemprop=\"text\"><p>Yes. carmasec accompanies the entire process: from applicability analysis through gap analysis and risk analysis to implementation of technical measures, establishment of SBOM and Incident Response infrastructure, and preparation for conformity assessment. 
<\/p>\n<\/div>\n                             <\/div>\n                         <\/div>\n                 <\/div>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"m-text__container-block_62cbabad54dc647937c1abe37ffe9c9a\" class=\"m-text__container u-pt-x0 u-pb-x8 u-pt-x0@md u-pb-x20@md\"><div class=\"o-container u-relative\">\n        <div class=\"o-grid\">\n                <article class=\"o-grid__col u-12\/12@md\" data-aos=\"none\">\n                    <p class=\"h3 h4\">Is your team facing similar questions?<\/p>\n<p>Our team supports you from the initial assessment to CE marking. Competent, direct, and without detours. <\/p>\n<p><a class=\"c-btn c-btn__primary u-mt-x3\" href=\"https:\/\/www.carmasec.com\/en\/contact\/\">Schedule initial consultation<\/a><\/p>\n\n                <\/article>\n        <\/div>\n    <\/div>\n<\/section>","protected":false},"excerpt":{"rendered":"<p>How can CRA compliance be achieved when legacy structures, competency gaps, and multiple regulations simultaneously impact an organization? In this article, we demonstrate how a compliance project becomes a fundamental restart of product security. 
<\/p>\n","protected":false},"author":4,"featured_media":3625,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":true},"content-type":[21],"industry":[33,38,35,40],"persona":[27,30,29,28],"topic":[11,13,16],"class_list":["post-3638","knowledge-center","type-knowledge-center","status-publish","has-post-thumbnail","hentry","content-type-case-study","industry-automotive","industry-logistics-transportation","industry-manufacturing-industry","industry-other-industries","persona-ciso-security-leadership","persona-compliance-legal-privacy","persona-dev-devops-engineering","persona-it-operations-infrastructure","topic-information-security-compliance","topic-offensive-security","topic-risk-crisis-management"],"acf":[],"yoast_head_json":{"title":"Case Study: Product Security and Cyber Resilience Act Case Study: CRA Compliance in Practice | carmasec - carmasec","description":"How an electronics manufacturer achieved CRA compliance within one year. SBOM, Security by Design, Incident Response: The complete implementation roadmap","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/","og_locale":"en_US","og_type":"article","og_title":"Case Study: Product Security and Cyber Resilience Act","og_description":"How an electronics manufacturer achieved CRA compliance within one year. SBOM, Security by Design, Incident Response: The complete implementation roadmap","og_url":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/","og_site_name":"carmasec","article_modified_time":"2026-06-01T11:10:48+00:00","og_image":[{"width":1920,"height":1068,"url":"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/04\/caramsec_CRA_CE-1.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/","url":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/","name":"Case Study: Product Security and Cyber Resilience Act Case Study: CRA Compliance in Practice | carmasec - carmasec","isPartOf":{"@id":"https:\/\/www.carmasec.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/#primaryimage"},"image":{"@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/#primaryimage"},"thumbnailUrl":"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/04\/caramsec_CRA_CE-1.jpg","datePublished":"2026-02-16T10:12:22+00:00","dateModified":"2026-06-01T11:10:48+00:00","description":"How an electronics manufacturer achieved CRA compliance within one year. 
SBOM, Security by Design, Incident Response: The complete implementation roadmap","breadcrumb":{"@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/#primaryimage","url":"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/04\/caramsec_CRA_CE-1.jpg","contentUrl":"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/04\/caramsec_CRA_CE-1.jpg","width":1920,"height":1068,"caption":"Illustration of a robotic gripper hand holding a technically shaped element with CE engraved."},{"@type":"BreadcrumbList","@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/www.carmasec.com\/en\/"},{"@type":"ListItem","position":2,"name":"Case Study: Product Security and Cyber Resilience Act"}]},{"@type":"WebSite","@id":"https:\/\/www.carmasec.com\/en\/#website","url":"https:\/\/www.carmasec.com\/en\/","name":"carmasec","description":"","publisher":{"@id":"https:\/\/www.carmasec.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.carmasec.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Organization","Place"],"@id":"https:\/\/www.carmasec.com\/en\/#organization","name":"carmasec GmbH & Co. 
KG","alternateName":"carmasec","url":"https:\/\/www.carmasec.com\/en\/","logo":{"@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/#local-main-organization-logo"},"image":{"@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/#local-main-organization-logo"},"sameAs":["https:\/\/www.linkedin.com\/company\/carmasec\/"],"description":"Die carmasec GmbH & Co. KG ist eine auf Cybersicherheit und Cyberresilienz spezialisierte Beratungsunternehmen mit Sitz in Essen. Das Leistungsspektrum verbindet zwei essenzielle Welten: strategische Compliance und dem Schutz vor Cyberangriffen. Mit einem klaren Fokus auf agile Sicherheitsprozesse unterst\u00fctzt carmasec Kunden branchenneutral und herstellerunabh\u00e4ngig. Das interdisziplin\u00e4re Team integriert langj\u00e4hrige Beratungserfahrung mit modernen Arbeitsweisen, um komplexe Anforderungen \u2013 von ISMS und Risikomanagement bis hin zu Cloud Security und Offensive Security \u2013 effizient umzusetzen. Zu den Kunden z\u00e4hlen der gehobene Mittelstand sowie internationale Konzerne, insbesondere aus Finanz- und Versicherungswesen, Fertigungsindustrie, Automotive sowie Kritischen Infrastrukturen. Mit der etablierten Veranstaltungsreihe \u201efriends of carmasec\" schafft das Unternehmen eine zentrale Plattform f\u00fcr den Branchen-Dialog und vernetzt regelm\u00e4\u00dfig Entscheidungstr\u00e4ger:innen und Expert:innen aus der Security-Community. carmasec bef\u00e4higt Organisationen, Risiken ganzheitlich zu managen und digitale Infrastrukturen proaktiv zu sch\u00fctzen.","legalName":"carmasec GmbH & Co. 
KG","foundingDate":"2018-12-18","numberOfEmployees":{"@type":"QuantitativeValue","minValue":"11","maxValue":"50"},"telephone":[],"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"],"opens":"09:00","closes":"17:00"}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.carmasec.com\/en\/security-knowledge\/case-study-product-security-and-cyber-resilience-act\/#local-main-organization-logo","url":"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/02\/logo-carmasec.svg","contentUrl":"https:\/\/www.carmasec.com\/wp-content\/uploads\/2026\/02\/logo-carmasec.svg","width":299,"height":40,"caption":"carmasec GmbH & Co. KG"}]}}}