
28.04.2025 | Blog Cyber Resilience Act: How companies can prepare early and effectively
In October 2024, the European Union set a significant milestone in strengthening cyber security with the Cyber Resilience Act (CRA). From 2027, manufacturers of “products with digital elements” will have to regularly prove that their products meet the security requirements of the CRA - either through self-assessments or independent assessments by third parties.
What are products with digital elements?
While the CRA’s goal — increasing the security of digital products in the European single market — is clear, putting it into practice poses a major challenge for companies. This is also due to the fact that the CRA primarily formulates what needs to be achieved but leaves open how this is to be done in concrete terms.
Challenge: Implementing the CRA requirements
The basic requirements of the CRA include, among other things:
- Consideration of security from design through development to maintenance of digital products
- Proof of appropriate risk management throughout the entire product life cycle
- The establishment of processes for vulnerability assessment and remediation
- Providing clear information for users on the secure use of products
How can companies position themselves efficiently to meet these requirements effectively and on time?
Structured approach based on OWASP SAMM
blueheads GmbH offers a corresponding solution. The IT security consulting company has developed a practical process that provides companies with targeted support in implementing and evaluating CRA requirements. This approach is based on the OWASP SAMM (Software Assurance Maturity Model) - an internationally recognized and open standard for evaluating and improving secure software development practices.
OWASP SAMM provides a structured framework for assessing cybersecurity maturity levels in the phases of software development. blueheads expands this standard with additional criteria based on the CRA requirements. The result is a practical assessment model that not only verifies compliance but also identifies specific measures for further development — tailored to each company’s individual needs.
Practical validation with an established B2B software manufacturer
A practical example: IntraFind Software AG, manufacturer of the enterprise search solution iFinder, engaged with the CRA at an early stage and has been committed to a high level of information security for years. IntraFind is certified to ISO/IEC 27001 and has established additional measures for secure software development.
blueheads applied its process model to the development processes of the Munich-based software manufacturer and successfully validated it. This showed that IntraFind is very well positioned thanks to the measures it has already implemented. Gaps identified during the assessment are now a useful basis for IntraFind to prepare comprehensively and in good time for the CRA requirements that will apply from 2027.
Why start early?
Even though the CRA will not become mandatory until 2027, the following applies: the design, introduction and implementation of corresponding measures take time. Processes need to be adapted, teams trained, and technical and organizational measures established. If you start early, you can implement these changes in a planned and efficient manner - and thus keep an eye on the long-term competitiveness of your digital products in the EU.
Conclusion
Cybersecurity is not a one-time project, but an ongoing process. Proactive measures can not only fulfill regulatory requirements but also strengthen the quality and trustworthiness of your own products. With professional advice, CRA requirements can be approached and implemented in a structured manner.
Contact blueheads: contact@blueheads.de
The author
Dagmar Stefanie Moser
