CRA | Cyber Resilience Act

The Cyber Resilience Act: A major turning point for digital security in Europe

The Cyber Resilience Act (CRA) is the new European Union regulation that strengthens cybersecurity requirements for all digital products and connected services placed on the EU market.

An unprecedented regulatory framework

Indeed, faced with the increasing number of cyber threats and security incidents affecting consumers and businesses, the European Union has adopted a proactive and ambitious approach. Furthermore, the Cyber Resilience Act is part of this strategy to strengthen digital trust and protect European citizens. Thus, the objective is clear: to reduce cybersecurity risks in Europe and protect consumers and businesses.

WHO IS AFFECTED?

Manufacturers of digital and connected products
Digital service providers
Distributors and resellers
Importers of digital products in the EU

The LCIE, your partner of today and tomorrow for the CRA.

In the process of being notified by the CRA

LCIE Bureau Veritas is moving towards its official notification, guaranteeing recognized expertise for CRA assessment.

Member of standardization committees

We participate directly in the development of future CRA standards: a unique vision on upcoming requirements.

Support now and in the future

Testing, support, pre-audit: we guide you on current CRA requirements and those that will soon come into effect.

Timeline of a new regulation

Specifically, What are the requirements?

The Cyber Resilience Act (CRA) is the new European regulation that strengthens cybersecurity requirements for all digital products and connected services marketed in the EU.

Discover what these new obligations are and how they are transforming the European regulatory landscape:

Vulnerability Management
Configuration sécurisée
Secure configuration
Access control
Confidentiality
Integrity
Data minimization

What standards can we rely on?

PART: PROCESS, RISK ANALYSIS
AND VULNERABILITY MANAGEMENT

IEC 62443-4-1
prEN 40000-1-1 (horizontal standard to come)
prEN 40000-1-2 (horizontal standard to come)
prEN 40000-1-3 (horizontal standard to come)

SECTION TECHNICAL SAFETY REQUIREMENTS

Pending harmonized standards (expected by the end of 2026), the use of existing standards is recommended:

IEC 62443-4-2 with good coverage of requirements
ETSI EN 303 645 with good coverage of requirements
EN 18031 with less coverage

WHICH PRODUCTS ARE AFFECTED?

This directive applies to all digital products and services marketed within the European Union. It establishes a unified regulatory framework to govern digital offerings on the EU market, regardless of their nature or scope.

Software
Materials
Cloud services
Connected objects
Connected systems

product classification

		Default Category- self-assessment Examples: memory chips, mobile applications, smart speakers, video games...
		Important products : application of standards/third-party assessment Example: operating systems, antivirus software, routers, firewalls
		Critical Products : third-party evaluation (and potentially certification in the future) Examples: smart cards, secure elements, smart meters...
		Free and open source software (FOSS) : self-assessment (unless they are categorized as "critical products") Example: web development frameworks, operating systems, database management systems

our cybersecurity services

CLASSIFY YOUR PRODUCTS : Precisely determine the regulatory applicability and classification of your products according to the applicable regulatory frameworks. This foundational step ensures that you apply the correct requirements from the outset and avoids costly compliance errors.
TRAINING: We offer training courses led by professionals on cybersecurity for medical devices and industrial systems, the Cyber Resilience Act, and penetration testing.
Download our 2026 training catalogue in French to find out more.
STRUCTURE YOUR EVALUATION: Update or create a comprehensive and documented product risk assessment methodology tailored to your industry and specific needs. A structured approach allows for the systematic identification of hazards and the objective and traceable assessment of risks.
IDENTIFY THE DISCREPANCY: Conduct a thorough gap analysis between your current situation and the requirements of the selected standard. This comparative assessment highlights non-conformities, their criticality, and priority areas for improvement to achieve full compliance.
PLAN YOUR TRANSITION: Develop a realistic and progressive compliance roadmap, with clear milestones, defined responsibilities, and allocated resources. A structured plan facilitates project management and ensures controlled compliance within the given timeframe.
VALIDATE CONFORMITY : Formally and comprehensively assess your products' compliance with the requirements of the relevant regulatory authorities. This final validation demonstrates your commitment to quality and safety, and constitutes documented proof of your regulatory compliance.

CRA ROADMAP - STEPS TOWARDS COMPLIANCE

Why choose LCI?

Leader on IEC 62443
_{Leading position in the evaluation and certification
of cybersecurity product standards at the IECEE: IEC 62443, ETSI EN 303 645, EN 18031}

Experts ready to listen to you
_{Several hundred cybersecurity risk analyses have already been carried out.}

A committed team
_{Our team actively participates in TS 65 WG 09 for the drafting of standards.}

ALSO READ: EUCC – A NEW CYBERSECURITY SYSTEM FOR ICT PRODUCT CERTIFICATION IN EUROPE

The European Cybersecurity Certification (EUCC) represents a new approach to the certification of information and communication technology (ICT) products in Europe.

The EUCC is based on the Common Criteria (CC) certification system, which incorporates innovative concepts recognized internationally to meet the needs of stakeholders, including improved provisions for patch management, vulnerability management and vulnerability disclosure in certified products.

More information about the EUCC

Join the CRA movement and propel your business to the forefront of the European scene! Winning regulations for products that stand out.

Formulaire de contact

First Name *

Last Name *

Email *

Phone

Company *

Position

Region/Country *

Nature of request *

How can we help you?*

Do you agree to receive marketing communications from LCIE Bureau Veritas?* Yes No

Terms of use* By clicking the "Submit" button, I accept the terms of use of Bureau Veritas and its subsidiaries, their processing of my personal data and its transfer in France and worldwide, in order to respond to my request.

Personal data *
I understand and agree that Bureau Veritas and its subsidiaries may use my personal data to provide me with additional information and commercial offers regarding its services, events, and regulatory news.

Comments

IEC 62443 / Networks – Industrial products

Lire

UNECE / Automotive

Lire