The EU Cyber Resilience Act: What It Changes — and How Device Authority Helps Manufacturers Respond

The EU Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for most products with digital elements placed on the EU market. It raises the baseline for secure-by-design/default engineering and, critically, makes post-market security support and evidence production a compliance obligation.

CRA timeline:

• Entered into force: 10 December 2024

• Reporting obligations begin: 11 September 2026

• Main obligations apply: 11 December 2027

Why the CRA was introduced

Connected products and software have become a primary entry point for cyberattacks, yet security quality across the market has been inconsistent. The CRA addresses this by harmonising requirements across EU Member States and shifting expectations from voluntary best practice to an enforceable, lifecycle-based security baseline for products placed on the EU market.

What changes for manufacturers

1) Security becomes a product requirement, not an optional feature

The CRA effectively makes cybersecurity a market access condition. Manufacturers must design products to reduce attack surface and prevent unauthorised access by default, and they must be able to demonstrate these measures through documentation and testing evidence.

2) Post-market responsibilities become explicit and time-bound

A major operational shift is the requirement to detect, handle, and report certain vulnerabilities and incidents quickly. This is a capability challenge as much as a governance challenge: teams need real-time insight into what is deployed, what is affected, and what corrective actions have been executed across fleets.

3) Evidence becomes part of compliance

CRA conformity is not only about implementing controls. Organisations also need credible, repeatable evidence trails for technical documentation, conformity assessment activities, and internal and external assurance. This elevates the importance of auditable security operations across the lifecycle.

The common challenge: security at fleet scale

For many product manufacturers, the hardest part of CRA readiness is operationalising security across thousands or millions of devices over years—often in constrained, intermittently connected, or unmanaged environments at the edge.

• Manual or inconsistent device provisioning and registration

• Inability to revoke or rotate credentials rapidly during incidents

• Update mechanisms that cannot reliably prove authenticity and integrity

• Incomplete visibility into what is deployed where, and with what identity posture

How Device Authority helps solve the CRA problem

Device Authority’s KeyScaler family provides an automation-first approach to machine identity, credential lifecycle management, policy enforcement, visibility, and secure updates—the operational controls that underpin secure-by-default and enable faster corrective actions when vulnerabilities emerge.

1) KeyScaler Platform: identity and Zero Trust control plane

KeyScaler standardises and automates secure device provisioning, onboarding, and access control using managed device identities. By enforcing policy consistently and at scale, it reduces human error and provides a practical mechanism for secure-by-default operation across distributed fleets.

• Secure provisioning and registration to reduce onboarding risk and configuration drift

• Automated certificate and credential issuance, renewal, rotation, and revocation at scale

• Policy enforcement aligned to Zero Trust principles, including least privilege and default-deny patterns

• Audit-ready logs to support conformity evidence and incident response timelines

2) KSaaS: fastest path to operational controls

For organisations constrained by time, skills, or operational overhead, KSaaS delivers KeyScaler outcomes as a managed service. This accelerates time-to-control and helps teams establish a robust identity and policy foundation well ahead of 2026 reporting obligations and the 2027 main compliance date.

• Rapid deployment of managed identity and PKI-backed device credentials

• Reduced infrastructure burden while maintaining consistent governance and audit evidence

• A practical approach for multi-site environments and distributed product lines

3) Code signing and secure updates: make corrective measures safe and provable

CRA readiness depends heavily on the ability to deliver security updates with integrity. Device Authority supports cryptographic assurance for updates so manufacturers can demonstrate that only authorised software is accepted by devices and that corrective measures can be deployed safely at scale.

• Signed update workflows that help prevent unauthorised or tampered firmware/software from being installed

• Identity-aware targeting to ensure the right devices receive the right artefacts

• Evidence trails that support internal assurance and compliance documentation

4) Discovery and visibility: you cannot secure (or report on) what you cannot see

When reporting windows are measured in hours, teams need rapid answers: what is deployed, where, and what is affected. Discovery supports faster scoping, prioritisation, and onboarding of assets into managed identity controls.

• Certificate posture insights to identify unmanaged or weak identity states

• A bridge from visibility into enforceable controls across the lifecycle

A pragmatic CRA readiness path

• Establish device identity and provisioning standards for new products and deployments

• Bring existing fleets under managed identity control, prioritising high-risk environments

• Operationalise corrective measures: credential rotation/revocation, policy controls, and signed update pipelines

• Build evidence and reporting workflows so you can meet reporting timelines with confidence

Conclusion

The CRA raises the bar on security outcomes and on the ability to demonstrate them. Manufacturers that operationalise identity, access control, secure updates, and audit evidence across the product lifecycle will be best positioned to meet CRA obligations and sustain customer trust.

Note: This article is for information only and does not constitute legal advice.