
Preparing for the Cyber Resilience Act: Is the EU the Most Regulated Cyber Market?


Diana Nitescu’s editorial on the Cyber Resilience Act first appeared in The Recursive’s report State of defense and cybersecurity tech in CEE. For more details on the topic, check the full report.
______

Digital trust is the new capital. It’s no longer enough to write smart code or build an innovative product. The real differentiator is: How “secure-by-design” is your digital environment? The Cyber Resilience Act, through a European cybersecurity certificate and label, raises the bar for every product, process, and team – from development and testing to delivery and post-market support.

Who will benefit and who will bear the cost of this cybersecurity reconfiguration into an integrated product and business architecture? With the CRA setting the highest cybersecurity standards globally, we explore how EU institutions, companies, and ecosystems are responding.

Is the EU the most regulated cyber market?

Cybersecurity regulation in global markets began as early as 2002 with the introduction of the first ISO standards (ISO/IEC 62443), which have since evolved into a comprehensive framework of six cybersecurity standards covering a wide range of products, transportation, and customs control systems (ISO 27001, ISO/IEC 27002, ISO 28000, ISO/IEC 27036, ISO/IEC 20243, ISO/IEC 27019).

Over the years, regulations have become increasingly stringent, bolstered since 2015 by the adoption of region-specific frameworks: in the United States (CISA, NIST, Securing America’s Supply Chains), the United Kingdom (Product Security and Telecommunications Infrastructure Act), China (Cybersecurity Law, Data Security Law) and Singapore (Cybersecurity Act).

The European Union stands out from other markets by establishing a cohesive and interconnected package of six mandatory cybersecurity regulations applicable to targeted companies across member states. The EU regulatory framework aims to build a European cybersecurity shield through the collective effort of its 27 member states, covering:

    • Data protection (GDPR)
    • Critical infrastructure (NIS Directive)
    • Financial and banking sector resilience (DORA)
    • Cybersecurity of digital products (Cyber Resilience Act – CRA)
    • Governance of artificial intelligence in operations and products (AI Act)

The EU’s approach to ensuring a robust cybersecurity shield is outlined in the Cyber Solidarity Act (CSA) and implemented through the European Cybersecurity Competence Centre (ECCC), headquartered in Romania. The ECCC coordinates three Cross-border Security Operations Centres (SOCs), including the ENSOC Consortium (Spain, Italy, Luxembourg, Austria, Portugal, Romania, Netherlands) and the ATHENA Consortium (Bulgaria, Greece, Malta).


Understanding the trade-offs: Short-term strain, long-term strength

The CRA introduces significant changes that will initially strain EU economies and businesses:

    • High technical compliance thresholds;
    • Increased documentation and reporting;
    • Higher operational costs;
    • Legal liability assumptions;
    • 24-hour incident reporting obligations;
    • Complexity in adapting legacy and open-source products.

Yet, these challenges are expected to yield meaningful medium- and long-term benefits:

    • 30–50% increase in cybersecurity by 2029;
    • 90% of EU products more cyber-resilient;
    • Stronger market trust and user protection (B2B, B2G, B2C);
    • Greater board confidence in digital investments;
    • A safer, unified EU digital market.

So, are EU countries ready for full CRA implementation by 2027? As of now, no. But the next 18 months are critical.

How are EU countries preparing for the CRA implementation?

EU member states have one and a half years until the full implementation of CRA standards. During this time, public-private partnerships are being established to reduce short-term impacts and maximize the opportunities brought by the CRA.

One of the outstanding initiatives is OSCRAT, an EU-funded project under the Digital Europe Programme, designed to provide SMEs with a free, open-source toolkit to facilitate compliance with the CRA. SECURE is another EU-funded initiative aimed at enhancing the cyber resilience of SMEs. Coordinated by Italy’s National Cybersecurity Agency (ACN), the project aims to provide financial support and resources to SMEs, helping them comply with the CRA.

Romania is also building two CRA platforms for SMEs: the CRACY platform, a partnership between Belgium, Romania, Greece, and Estonia, coordinated by the Romanian Authority for Digitalization, and the CYBERFORT platform, a Romania–Cyprus partnership developed under the coordination of the National Cyber Security Directorate of Romania. These platforms aim to enhance the cybersecurity and CRA compliance readiness of European SMEs by providing advanced technological solutions, compliance tools, and tailored training programs. Through a collaborative approach, both platforms will support SMEs in strengthening their cyber resilience and aligning with CRA requirements as well as other relevant standards such as ISO 27001, PCI DSS, and NIS2.


Many CEE countries are setting up training modules and implementation guides, keeping an open line with the private sector for feedback. For example, in the Czech Republic, NÚKIB (the Czech national CERT) began formal consultations with hardware and software vendors as early as June 2024. In the meantime, Czech suppliers are providing feedback on the draft list of “important” vs. “critical” products so they know early whether third-party certification will apply. In March 2025, Croatia released the “CRA Guidelines for SMEs”: a 35-page guide with fill-in templates for vulnerability policies and CE technical files.

We anticipate that public-private efforts will accelerate across all EU Member States in order to meet the two key deadlines: 2026 (implementation and launch of vulnerability reporting for connected digital products) and 2027 (full implementation of CRA provisions) for all companies that manufacture, import, distribute, or purchase hardware and software within the EU single market.

For a successful start, the Cyber Resilience Act Expert Group (CRA Expert Group) is being set up. The expert group will assist and advise the Commission on issues relevant to the implementation of the Cyber Resilience Act (CRA).

How should EU companies prepare?

CRA will affect various entities. Corporations, small and medium-sized enterprises, startups, non-governmental organizations, government entities… No matter which, those entities are either affected by the CRA because they are developing and providing the technology that falls under the CRA, or they are buying and using it.

Companies should be also aware that some products do not fall under the scope of the CRA, as they are regulated by other cybersecurity laws or ISO standards: vehicles, aviation systems, medical devices, SaaS products, MVP/test-phase products, open-source software, military/defense systems, and applications developed for internal use.

Source: Who is Protecting Europe’s Future? Defense, Dual-Use and CyberSec in the CEE | THE RECURSIVE Report

CRA as opportunity for the startup ecosystem?

Even though the CRA puts unusual pressure on startups, they are still at an advantage compared to SMEs or well-established corporations in the ICT manufacturing, import, and distribution industry.


Imagine a startup in the early stages of product development – it can gain a competitive edge by adopting the “Secure by Design” model faster and more effectively.

Additionally, the startup business ecosystem is expected to develop fast-track solutions such as:

  1. CRA Compliance as a Service

An integrated platform offering: security audits, automated documentation generation, attack simulations, testing and validation of CRA requirements.

  2. CRA-ready marketplaces

App Stores / IoT Markets where users can search for CRA-certified products.

  3. Automated system for cross-border conformity recognition

Recognition of CRA certifications by other jurisdictions (e.g., USA, UK, Canada).

  4. CRA sandbox for innovators

Controlled environments where startups can test new products without CRA restrictions.

  5. CRA Bug Bounty (crowdsourced security testing)

Programs supported by governments / the EU through which ethical hackers help identify vulnerabilities in digital products subject to the CRA.

  6. Reuse of NIS2 and GDPR infrastructure

Many companies already have procedures and compliance teams in place for GDPR and NIS2. CRA requirements can be integrated into these existing workflows.

  7. CRA Verified (digital labeling system)

Companies that adopt CRA early could gain benefits such as: priority access to public tenders, bonus points in innovation scoring / EU funding, etc.

  ∞. Other innovations we have yet to imagine

In 2025, cybersecurity will become the game-changer of digital transformation

Businesses no longer just sell products – they cultivate digital trust. Laws no longer constrain – they evolve into living architectures for emerging markets and dynamic governance.

Time no longer flows… it compresses, it accelerates, and it calls us to jump.

Be digital enough to unlock new connection points. Shape the future. Become a Cyber STAR. Jump and lead the shift.


Diana is the Founder and CEO of OctogonHUB, a space for start-ups in deeptech, science, and research. With a background of 22 years in corporate business, Diana assumed the mission of mentoring start-ups and IT&C companies in the area of CyberSecurity Policy. Since 2023, she has been certified as Auditor and NIS Manager by the Romanian Cybersecurity Directorate.