Common Challenges in Cyber Resilience Act Preparation

04 May 2026

Most manufacturers are aware that the Cyber Resilience Act is coming. Fewer are preparing in a way that will hold up under regulatory scrutiny. The gap between awareness and readiness remains significant.

Across assessments of CRA readiness, several recurring challenges can be observed. These are typically not a matter of capability, but of how requirements are interpreted and prioritised. Below are five common challenges, and how to approach them.

Challenge 1: Assuming existing certifications cover CRA

Manufacturers with CE marking, MID compliance, RED certification, or ISO 27001 often assume they are substantially covered. This is generally not the case.

Existing frameworks address specific domains:

  • CE marking and sector regulations → performance and safety
  • ISO 27001 → organisational security management

The CRA introduces product-level cybersecurity obligations that sit alongside, rather than within, these frameworks.

A specific note on RED: cybersecurity requirements under Articles 3.3(d), (e), and (f) became mandatory on 1 August 2025. For products using wireless communication, this may already represent a compliance gap.

Existing certifications provide a useful foundation. CRA introduces an additional layer of product cybersecurity evidence.

Challenge 2: Treating SBOM as a 2027 deliverable

The Software Bill of Materials (SBOM) requirement becomes fully enforceable in December 2027 and is therefore often positioned as a longer-term activity.

However, CRA obligations from 11 September 2026 include:

  • Active vulnerability monitoring
  • 24-hour reporting of exploited vulnerabilities to ENISA

Without visibility into software components, these obligations cannot be met.

SBOM development is therefore better understood as a prerequisite for meeting 2026 obligations, rather than a later-stage deliverable.
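The dependency described above, as an added example that is not NMi's code or tooling: a constructed CycloneDX-style SBOM fragment is matched against a constructed advisory feed (placeholder advisory identifiers, not real CVEs), and for actively exploited matches the 24-hour reporting window is computed from the moment of awareness. Without the component identifiers the SBOM provides, the matching step has nothing to work with.

```python
"""Match SBOM components against an advisory feed and derive the 24-hour
reporting deadline for actively exploited vulnerabilities (illustrative only)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-style SBOM fragment; component names are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "tlslib", "version": "3.0.1", "purl": "pkg:generic/tlslib@3.0.1"},
    {"type": "library", "name": "jsonparse", "version": "2.0.0", "purl": "pkg:generic/jsonparse@2.0.0"}
  ]
}"""

# Constructed advisory feed with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:generic/tlslib@3.0.1", "exploited": True},
    {"id": "ADV-0002", "purl": "pkg:generic/jsonparse@2.0.0", "exploited": False},
    {"id": "ADV-0003", "purl": "pkg:generic/libbar@9.9.9", "exploited": True},
]

# Constructed moment at which the manufacturer became aware of the feed update.
AWARENESS = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)


def sbom_purls(sbom_json):
    """Return the set of package URLs (purl) listed in the SBOM's components."""
    return {c["purl"] for c in json.loads(sbom_json).get("components", [])}


def triage(sbom_json, advisories, awareness_time):
    """Keep only advisories that hit a component in the SBOM. For those marked
    as actively exploited, attach a deadline 24 hours after awareness."""
    purls = sbom_purls(sbom_json)
    findings = []
    for adv in advisories:
        if adv["purl"] not in purls:
            continue  # not in our product: no action, no report
        due = awareness_time + timedelta(hours=24) if adv["exploited"] else None
        findings.append({"id": adv["id"], "purl": adv["purl"],
                         "exploited": adv["exploited"], "report_due": due})
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES, AWARENESS):
        print(f["id"], f["purl"], "report by", f["report_due"] or "n/a")
```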

Challenge 3: Underestimating the evidence requirements for self-declaration

Self-declaration is a valid conformity route for many products. It is not necessarily a low-effort option.

A defensible Declaration of Conformity requires:

  • Secure-by-design processes aligned to CRA Annex I
  • Appropriate penetration testing and supporting documentation
  • A maintained SBOM linked to monitoring processes
  • A complete technical file suitable for regulatory review

In practice, organisations planning to self-declare may not yet have all of these elements in place.

The level of evidence required is comparable in rigour to third-party assessment.

Challenge 4: Delaying preparation pending further guidance

While additional guidance is expected, the core requirements are already defined:

  • CRA Annex I obligations are stable
  • Classification frameworks are established under Implementing Regulation (EU) 2025/2392

Future guidance is expected to clarify interpretation rather than fundamentally change requirements.

At the same time, conformity assessment capacity is finite. Testing laboratories, cybersecurity specialists, and Notified Bodies operate within practical limits.

Organisations that begin structured preparation earlier are generally better positioned to manage timelines and address findings before enforcement deadlines.

Challenge 5: Overlooking obligations for existing products

CRA preparation is often focused on new product development.

However, obligations from 11 September 2026 apply to all products already on the EU market, including:

  • Vulnerability monitoring
  • Incident reporting to ENISA

This is defined in CRA Article 69 and confirmed in European Commission guidance.

For manufacturers with connected products already deployed, this represents an operational requirement, not a future milestone.

The conversion timeline is also worth noting. Discussions from industry events and professional networks, including Battery Day NL last year, are now progressing into structured testing and certification scopes. The cycle is long by design: compliance engagements require trust, precise scoping, and internal alignment. That predictability makes early pipeline development more important, not less.

Where does your organisation stand?

These challenges are common across sectors, and there is still time to prepare in a structured way.

September 2026 introduces operational obligations. December 2027 marks full conformity requirements.

An initial step is to establish a clear view of current readiness and identify gaps relative to CRA requirements. A structured assessment, such as NMi’s CRA Scorecard, can provide this initial insight.

Dirk-Jan Schuld

Business Development Cybersecurity
