Cyber Resilience Act: Time to take action
The Cyber Resilience Act (CRA) is the first European law to introduce mandatory cybersecurity requirements for all digital products entering the EU internal market. A national consultation was recently concluded in the Netherlands to determine how this law should be implemented in Dutch legislation. In the meantime, manufacturers, importers and distributors of products covered by the CRA can already start preparing for what’s to come.
The European rules concerning the cybersecurity of digital products have already been established (see the official EU website for legislation and regulations). These define the security requirements that will soon apply. The Dutch national consultation aimed to determine how these rules will be applied in practice in the Netherlands, to answer questions such as: who will ensure that companies comply? And how will enforcement be organized? In short, the consultation was not about the rules themselves but about how they will be enforced in the Netherlands.
Technical measures
Although European standards for the technical requirements (as listed in Annex III of the CRA) have not yet been finalized, manufacturers would be wise to start implementing technical measures now that align with the obligations under the law. A good starting point is Annex I of the CRA, which outlines the essential cybersecurity requirements. Manufacturers who already integrate and document these requirements in their products will be able to comply with the new rules more quickly and efficiently.
User documentation
In addition to technical measures, the CRA also requires clear information for users of the products it covers. This is set out in Annex II and forms part of the mandatory technical documentation (Annex VII). Manufacturers and suppliers can already begin working on, among other things:
- A clear explanation of what the product does and what it is intended for;
- Instructions for installation, use and maintenance;
- Information on how long the product will be supported;
- How and when security updates will be made available;
- How users can report vulnerabilities.
By organizing this documentation in a timely manner, manufacturers and suppliers will meet the requirements of Article 31 and be prepared for the conformity assessments in Article 32. This is a crucial step in demonstrating that products meet the new European cybersecurity standards.
Preparing for the CRA with Kiwa
By proactively working on both technical and user-oriented measures, organizations can avoid having to act under pressure later on. The first obligations, such as reporting vulnerabilities, will already apply from 11 September 2026. From 11 December 2027, the law will be fully in force. Kiwa supports organizations in preparing for the CRA with testing, inspection, certification and training services that help minimize cyber risks and contribute to CRA compliance.