Why Cyber Resilience Requires a Cultural Shift

The countdown to the European Union’s Cyber Resilience Act (CRA) is underway. The new regulation lays out an extensive set of cybersecurity requirements covering the entire lifecycle of products with digital elements (PDEs) sold on the EU market. It creates a need for organizations to make a fundamental shift from cybersecurity to cyber resilience.

Looking Beyond CRA Compliance

“Security by design is foundational to cyber resilience – it’s not something you tack on at the end; it’s about building security into your product from day one,” says Öykü Işık, Professor of Digital Strategy and Cybersecurity at IMD Business School. “You need to think about cybersecurity during design and manufacturing, long before your product reaches the market.”

Işık speaking about the shift to cyber resilience at the Qt World Summit 2025. You can also watch the recording on YouTube.

The EU’s Role in Setting a Cyber Resilience Standard

While some details of the CRA are still being finalized, Işık praises the fact that the EU has now taken steps toward establishing a unified approach to cybersecurity.

Over the last two years, the volume, frequency, and impact of cyberattacks have increased. While similar and partially overlapping legislative frameworks already exist, both within the EU and globally, Işık points out that until now the approach has mostly been about reactive breach reporting. The CRA, instead, emphasizes prevention. “It’s a level-up. It’s the EU setting a standard like it did with GDPR, saying that cyber resilience is not just about reacting. It’s about showing you’ve done everything you can to prevent breaches from the design stage.”

According to Işık, the first few enforcement cases will also be critical. “While still a few years away, they’ll show what situations lead to trouble and give everyone a sense of what to prioritize. That’s when you start to see a snowball effect.” Early penalties, she notes, are often necessary to drive real action. “Once a few high-profile fines come through, the guidance becomes more actionable and concrete.”

Why Organizational Culture Is Key to Cyber Resilience

Işık points out that there is a value-driven case for building up your cyber resilience. “To the extent that I exchange with the authorities and policy makers on the CRA, the dominant argument is always that we are already too late.” Taking responsibility for product cybersecurity is the right approach in any case.

“This is not a technology change. It's not a pure process change, either. This is an entire cultural change in the organization,” Işık emphasizes. “Therefore, the earlier organizations start thinking about how to take a look into cybersecurity as a cross-functional responsibility, the better.”

Işık remarks that in many organizations, however, the connection between the needed cultural change and cyber resilience is not obvious. There may already be security experts, but they often look only at one part of the product development process, or only at its very end. Now their work suddenly becomes central to product manufacturers, pushing them to examine how they are organized. “It’s never easy,” Işık admits. “So, what organizations can already start discussing is how to find the best way to handle the needed changes, given the resources they can dedicate to it.”

That is to say, achieving a good level of cyber resilience isn’t just about meeting technical requirements. It requires establishing collaboration across teams and departments. “Product developers, compliance teams, product managers, and security engineers need to come together from the earliest stages of product development and find the most efficient security processes,” Işık says.

How to Build Cyber Resilience for Long-Term Success

Despite concerns from manufacturers about the regulatory burden, Işık believes the CRA’s intent is clear: if manufacturers profit from their products with digital elements, they must also take responsibility for their products’ security.

As the digital landscape evolves, cyber attackers and the methods they use are becoming ever more sophisticated. This, Işık believes, will add further impetus for manufacturers to secure themselves through CRA compliance and gain a competitive advantage. “Given the volume, frequency, and impact of increasing cyberattacks, improved cybersecurity and overall cyber resilience will become a decisive factor in consumers choosing to buy a product.”

“Through the CRA comes greater transparency throughout the creation, manufacturing, and maintenance processes,” Işık adds. “This accelerates troubleshooting, and by maintaining an audit trail and the official documentation required by the CRA, you can also prove you’ve done your best, given the circumstances. There’s never 100% security, but clear documentation of mitigations builds trust.” And the work doesn’t stop at launch, she warns. “Manufacturers must uphold stringent security expectations at every phase, from initial concept through post-market support.”

To help manufacturers get moving, Işık offers three key recommendations:

1. Shift the Culture

Start embedding cybersecurity as a shared, cross-functional responsibility. Bring together compliance teams, security experts, product managers, and developers. As this is fundamentally a cultural transformation, the earlier you’re able to make this shift, the stronger your foundation for cyber resilience will be.

2. Invest in Talent Now

With a shortage of mid- to senior-level professionals, manufacturers serious about cyber resilience should begin hiring and training junior talent today. Building a capable, in-house team is crucial for long-term digital security.

3. Start Practicing

Even before formal requirements kick in, conduct self-assessments, whether internally or with external partners. The goal isn’t just to tick checklist boxes; it’s to develop operational maturity and readiness for what’s ahead.

The Time to Act is Now

Manufacturers acting early on CRA adoption will gain a first-mover advantage by positioning themselves as trustworthy partners with secure products, Işık observes. “Manufacturers will need to invest more and devote extra time to the security aspects of their digital components. Under the CRA, the ultimate responsibility stays with the product owner, even when there are third-party components integrated into the product.”

“You can either prioritize being first to market, or you can be a risk-averse organization that mitigates risks from the start,” says Işık. The same principle applies to CRA compliance, and to compliance with any other legislation as well. Işık gives the example of a product that contains AI components and is therefore subject to multiple regulations. It may be wiser not to rush the development, but instead to think about security by design from the beginning and involve all the needed parties already in the design phase. “An organization must align its core values with what it builds. This mindset shift is how manufacturers transform compliance into a genuine strategic differentiator.”

Similarly, there are choices to be made about which risks to prioritize mitigating, as no organization is able to cover all the risks equally. “The objective with the regulation is to prioritize which one of these will cause the biggest damage in case of an attack, so that you can dedicate resources accordingly and prioritize mitigating them first. So, hopefully, the organizations do not start randomly addressing some of those risks, but instead, do a prioritization exercise first.”

As clear, detailed guidelines for achieving CRA compliance are still evolving, Işık’s message for now is: “The CRA provides a baseline; start preparing.”

“Just start,” she urges. “Figure out how to self-assess your starting point. Maybe you’ll do it internally, or maybe with a third party. But gaining experience from the assessments is never going to hurt.”


About the Interviewee


Öykü Işık

Professor of Digital Strategy and Cybersecurity at IMD Business School, Switzerland

A computer scientist by training, Işık received her PhD in Information Systems from the University of North Texas. Her work before joining IMD in 2020 focused on business intelligence, analytics, and technology management.

Işık currently leads IMD's Cybersecurity Strategy and Risk program and co-leads the AI for Business Sprint. Her work has appeared in outlets such as MIT Sloan Management Review, European Business Review, and Information & Management, among others. Işık serves as a member of the Global Future Council on Cybersecurity at the WEF and contributes to its “Bridging the Cyber Skills Gap” initiative. She was listed as a ‘Digital Shaper’ in Switzerland in 2021 and 2023, and is among the Thinkers50 Radar Class of 2022.

Işık lived and worked in higher education in Belgium, the United States, and Turkey before moving to Switzerland.


See also

CRA Vision Paper


Food for Thought on the EU Cyber Resilience Act: Building on insights from Öykü Işık and Qt Group experts, this free CRA Vision Paper provides new angles on how to turn CRA compliance into a competitive advantage.

Get the CRA Vision Paper >>

More Info on the CRA


With the first CRA deadlines approaching already in 2026, Qt Group has put together a dedicated CRA web space to summarize some of the requirements, provide insights, and share where Qt Group products stand today with respect to CRA compliance.

Visit the CRA Web Space >>
