The impact of the Cyber Resilience Act is still often underestimated in practice. The questions we are frequently asked:
- Who must comply with the CRA?
- We do not manufacture anything. Why does this concern us?
- We are not subject to NIS2. Why is this still relevant for us?
- How can I assess whether a supplier takes its CRA responsibilities seriously?
- Why might a manufacturer not have this properly in place?
The bottom line:
The way a system is designed determines the risk, not just whether it functions. This applies to all products with digital components, and in particular to systems that are an integral part of physical security, such as access control.
Frequently Asked Questions About the Cyber Resilience Act (CRA)
Who must comply with the CRA?
The Cyber Resilience Act primarily targets manufacturers of products with digital elements placed on the EU market. This covers producers of hardware and software alike, among them suppliers of access control systems, controllers, and embedded systems. Importers and distributors carry their own, more limited obligations, but the formal compliance obligation lies with the manufacturer.
We do not manufacture anything. Why does this concern us?
The CRA places the compliance obligation on manufacturers. For your organization, this means that the cybersecurity quality of purchased products is no longer optional. The way a product is designed and maintained directly affects your operational and security risks. For organizations that fall under NIS2, supplier risk is a legal component of the duty of care. For other organizations, this is increasingly becoming part of governance, insurance requirements, and contractual obligations.
We are not subject to NIS2. Why is this still relevant for us?
The cybersecurity quality of the products you purchase directly determines your operational risk.
An access control system without structured maintenance, a controlled update policy, or with unnecessary network exposure can lead to disruption of business processes, data loss, and reputational damage. When biometric data is processed, this may also have implications under the GDPR.
How can I assess whether a supplier takes its CRA responsibilities seriously?
Ask the supplier how it fulfils its obligations as a manufacturer under the CRA and request the associated documentation, for example the conformity assessment, the vulnerability handling process, and the security update and support period. That documentation forms the basis for evaluating a product in a substantive manner. If the answer remains vague or consists only of general statements without technical substantiation, the necessary transparency is missing.
Why might a manufacturer not have this properly in place?
If a product was not designed from the outset with lifecycle security and controlled update management as core principles, retrofitting them afterward can be technically complex or costly.
What does this mean for you as a user?
