How to make embedded systems and IoT products CRA-compliant: a step-by-step plan
The hack at Odido in early 2026 makes it clear once again how important cybersecurity is for the business world. In addition to the material damage, which likely runs into the millions, the reputational damage to Odido cannot be expressed in monetary terms. This could happen to your company too, warn Bram Blaauwendraad and Gaurav Raina of the cybersecurity consulting firm Veritas.
FHI spoke with both security experts about what companies can do now to get their cybersecurity in order and to be compliant with the Cyber Resilience Act (CRA) on time.
The CRA is aimed at increasing the cybersecurity of digital products and services within the European Union. During the D&E event on April 14 in Den Bosch, Bram and Gaurav will give a keynote about this new law. They will zoom in on its practical application in the business world, based on their experience with RED 3.3, the article of the European Radio Equipment Directive that regulates the security of radio equipment.
As a Senior Security Consultant Service Lead, Gaurav is well-versed in RED 3.3 and uses that knowledge to address the uncertainties surrounding the CRA. “RED 3.3 is, so to speak, the little sister of the CRA,” Gaurav begins. “But the approach of the CRA is broader. It is not just about the device – the software and the hardware – but also about the design of the backend and the interconnectivity. How do you ensure that devices communicate securely with each other, even in critical environments? And how do you test devices, apps, and backends in a secure manner?”
Take action
“The full CRA obligations for new products apply from December 11, 2027, but the advice is to start preparations now. Not only because it is 'nice' to be compliant, but also to prevent business damage like at Odido,” the security specialist continues. He gives another example: “In 2021, an unsecured reset flaw in Western Digital's 'My Book Live' led to massive remote wipes of devices that were connected to the internet. The lessons learned, such as establishing support periods, securing default configurations, and performing post-market vulnerability management, are all matters that the CRA now mandates (with reporting starting September 11, 2026).”
The examples underscore the societal relevance of the CRA. “Companies are willing, but often don't know how to go about it. They are looking for practical tools, and that is exactly what Bram and I want to provide them during our presentation at the D&E event.”
Horizontal and vertical
A major challenge for the industry and Bureau Veritas is the fact that the technical standards have not yet been officially harmonized. Gaurav: “The CRA works with two types of standards: horizontal and vertical. Horizontal standards are broadly applicable and focus on general principles of cybersecurity. Vertical standards are specific to certain sectors or industries and take into account the unique characteristics and risks involved. The standards are still under development, but the CRA legal text has already been established. That text forms the basis for our policy.”
Uncertainty
Companies find the uncertainty surrounding the harmonization of standards difficult, but according to Gaurav, the biggest challenge lies in the supply chain. “CRA assigns responsibilities to manufacturers but demands end-to-end assurance throughout the entire supply chain. In practice, this means that you cannot comply with the rules if your suppliers are not compliant. As an entrepreneur, you must therefore consider not only your own company but also supplier compliance. Moreover, it is not always clear where the responsibilities lie.”
Secure by design
Gaurav's colleague Bram, working as a Senior Security Consultant, joins the conversation. “Companies need clear advice: how do we tackle this? We address this by developing practical documentation for our clients. For example: a requirement from the CRA is that every product is fundamentally 'secure by design'. We have written a plan in which we explain step-by-step how to create such a secure design and what a company needs to take into account.”
“It is important that engineers can easily work with the guidelines and that they are part of the normal workflow. Think of tips and checks that automatically appear in IDEs, pipelines, and templates. Organizations that manage this well become CRA-compliant much faster than organizations that rely solely on policy.”
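As an added illustration of the kind of automated check Bram describes (this is example code written for this page, not Bureau Veritas's tooling or the plan mentioned above), the script below is a release gate that a CI pipeline can run against a firmware image's default configuration. It refuses the build when the defaults still show the weaknesses named earlier in the article: weak default credentials, management services exposed by default, an unauthenticated factory reset, no declared support period, or no SBOM. The JSON layout and all values are constructed assumptions.

```python
"""Release-gate check for secure defaults in an embedded product build.

Added example, not code from the article or from Bureau Veritas. The
configuration layout below is an assumption made for illustration.
"""
import json
from datetime import date
from typing import List, Optional

# Constructed sample: default configuration as it would ship with a firmware image.
SHIPPED_DEFAULTS = """
{
  "product": "example-gateway",
  "firmware_version": "2.4.0",
  "admin": {"username": "admin", "password": "admin", "must_change_on_first_login": false},
  "services": {
    "remote_admin_enabled": true,
    "tls_required": false,
    "factory_reset_requires_auth": false
  },
  "support": {"security_updates_until": null},
  "sbom_path": null
}
"""

# Credentials that must never ship as a fixed default (illustrative list).
WEAK_PASSWORDS = {"", "admin", "password", "1234", "12345678"}


def check_secure_defaults(config: dict, today: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the defaults pass the gate.

    `today` is an ISO-8601 date used to judge the support period (defaults to
    the current date), so the check is reproducible in tests.
    """
    ref = date.fromisoformat(today) if today else date.today()
    findings: List[str] = []

    admin = config.get("admin", {})
    if admin.get("password", "") in WEAK_PASSWORDS and not admin.get("must_change_on_first_login"):
        findings.append("default admin credential is weak and not forced to change on first login")

    svc = config.get("services", {})
    if svc.get("remote_admin_enabled"):
        findings.append("remote administration is enabled by default")
    if not svc.get("tls_required"):
        findings.append("plaintext management traffic is allowed by default")
    if not svc.get("factory_reset_requires_auth"):
        findings.append("factory reset is reachable without authentication")

    until = config.get("support", {}).get("security_updates_until")
    if not until:
        findings.append("no security-update support period declared")
    else:
        try:
            if date.fromisoformat(until) <= ref:
                findings.append("declared support period has already ended")
        except ValueError:
            findings.append("support end date is not an ISO-8601 date")

    if not config.get("sbom_path"):
        findings.append("no SBOM attached to the release")
    return findings


def gate(config_text: str, today: Optional[str] = None):
    """Parse a JSON config and return (may_ship, findings) for use as a pipeline step."""
    findings = check_secure_defaults(json.loads(config_text), today)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = gate(SHIPPED_DEFAULTS)
    for f in findings:
        print("FAIL:", f)
    raise SystemExit(0 if ok else 1)
```

Run as a pipeline step, a non-zero exit blocks the release; the findings are meant to be read by the engineer who changed the defaults, which is what keeps the rule inside the normal workflow rather than in a policy document.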
Customized solutions
Bram continues: “The CRA impacts the entire development process, so it is essential to start the preparations on time. For companies that deliver complete solutions consisting of multiple components, the risk lies in the connection between those components. If a customer wants to deviate from the standard architecture (engineering to order), I look at three things: what exactly is changing, what risk does that pose, and who is responsible for it. For the CRA, it is particularly important that the process is clear and traceable.”
Cooperation
“Compliance requires collaboration and involvement from all levels of the organization: from the engineer soldering components onto a printed circuit board to the CEO,” Bram concludes. “It is often necessary to draft new policies or agree on different procedures. That is why it is important that everyone is on the same page and that everyone recognizes that the CRA, if applied correctly, yields significant benefits for the company.”
Are you curious about the lecture? Then register now for the event via our website. We look forward to meeting you in Den Bosch.