The European Cyber Resilience Act, adopted on 10 October 2024 and applicable from October 2027, sets strict security requirements for digital products. What does this mean for you and how do you ensure that your company is 'cyberproof' in time? We asked Business Director Cybersecurity Michiel van der Veen of TNO. He is a keynote speaker at the Design Automation & Embedded Systems event, on 15 April in Den Bosch.


“Many companies are struggling with the CRA,” Michiel begins. “As of October 2027, the safety requirements will no longer be optional, but legally mandatory. Companies that do not comply with the CRA will no longer be allowed to market their products and also risk a fine of up to 15 million euros. That is the legal side of the story. What I want to emphasize during my lecture are the opportunities that the CRA offers to generate more turnover and stimulate innovation.”

Better, more reliable, safer
“Products become better, more reliable and safer if you take cybersecurity into account in the design process. They break down less quickly, which reduces maintenance costs. It is also easier to perform updates. This provides financial benefits and increases the confidence of customers in your products,” Michiel explains. “As a company, you are more attractive to potential customers and partners if you already meet the safety requirements. Resilience is high on the political agenda. Entrepreneurs who have their CRA affairs in order in time benefit from a competitive advantage.”

Innovative thinking

According to Michiel, the CRA works as an accelerator on the market. “It inspires companies to think innovatively about digital resilience. If they don't, they won't have a company in two years. In that sense, there is a compelling element, but that is inevitable because the CRA is only practically feasible if all partners in the supply chain hook up. Ultimately, everyone benefits from a safe and reliable product or semi-finished product. In practice, I notice that some entrepreneurs are still hesitant to take measures. They are afraid of the financial consequences in the short term: what if the competitor postpones taking measures and his products are cheaper as a result? Then I will lose my customers.”

Strong chain
That is why, according to Michiel, it is important that the entire chain gets on board at the same time. Michiel: “From suppliers to developers and from designers to testers: each party is an indispensable link in the creation of a successful and safe product. More and more companies realize this and are actually seeking cooperation. Great initiatives are emerging throughout the country, such as the Brabant House of Cyber. Government institutions, universities and commercial companies that think together about cybersecurity and that no longer see it as a 'burden' but as an opportunity to make rapid progress.”

Varying enthusiasm
But not everyone is enthusiastic. Michiel: “For some, cybersecurity is more relevant and necessary than for others. For manufacturers of medical electronics, for example, safety is of vital importance, so they welcome the arrival of the CRA. For companies that work with small electronics, that necessity applies less. We have to make more of an effort to get them on board.”

Process
Michiel wants to make his plenary lecture particularly practical. “What concrete steps do you need to take as a company to meet all legal requirements by the end of 2027? It starts with the basics, the cybersecurity-by-design. We then look at the development process, from idea to end product, and the total life cycle of a product. The CRA encompasses the entire ecosystem and is not something you just add on.”

To keep costs under control, Michiel discusses the use of AI in automating cybersecurity processes. “Smart software recognizes threats and takes preventive action to take the right action. patch. Instead of fixing a problem after the fact, which is often the case now, we secure the product at the front end. The old principle of 'prevention is better than cure'. That is also part of the CRA.”

Register for the presentation
Are you curious about Michiel's lecture and do you want to know how you can benefit from the CRA? Then sign up for the presentation and the event via the website.

The CRA in a nutshell
The CRA legislation imposes strict requirements on digital products throughout their entire life cycle. Some important characteristics:

  • Cybersecurity by design
    Companies are integrating cybersecurity into their digital products from the very first stage of the design process.
  • Lifelong responsibility
    Manufacturers, importers and distributors are responsible for the safety of their products throughout their entire life cycle.
  • Fine
    Companies that fail to comply with CRA requirements may be fined up to 2.5 percent of global turnover.
  • Updates and reporting obligations
    There is a minimum 5-year obligation to provide security updates and report vulnerabilities.
  • Documentation and risk management
    Maintaining extensive documentation is mandatory, including a Software Bill of Materials (SBOM).
FHI, federatie van technologiebranches