The CRA or Cyber Resilience Act regulation marks a turning point in cybersecurity regulation in the European Union. This cyber resilience law establishes, for the first time, a uniform legal framework for the introduction of products with digital elements into the European market, from enterprise software and IoT devices to critical infrastructure components.

And the deadlines are closer than many companies realize. Vulnerability reporting obligations will apply starting on September 11, 2026, while the full implementation of the cyber resilience regulation will arrive on December 11, 2027. All operators involved in the value chain of products with digital elements must know and prepare to comply with their obligations before time runs out.

What does this mean in practice for your company? Who exactly is bound by the European cyber resilience law? And how can you structure compliance without it becoming an unmanageable burden for your teams?

This is where Kartos comes in, Enthec’s cyber-surveillance platform based on a Continuous Threat Exposure Management model. Kartos allows you to proactively identify, monitor, and manage your organization’s and your suppliers’ external exposure, aligning directly with the requirements of the CRA regulation.


What is CRA regulation?

The CRA regulation, or cyber resilience regulation, is a legislative proposal of the European Union that seeks to ensure the safety of products with digital components throughout their life cycle.

This horizontal regulation affects all types of devices connected to the internet, from business management software to smart home appliances. The objective is clear: prevent security flaws from becoming entry points for attackers.

This cyber resilience law requires manufacturers, distributors, and importers to comply with a series of security requirements, including:

  • Risk assessment before launching the product.
  • Active vulnerability management.
  • Transparency about security incidents.
  • Security updates throughout the product’s life.

According to a report from the European Union Agency for Cybersecurity (ENISA), over 50% of attacks in Europe originate from known vulnerabilities that remain unpatched.


Who is affected by the CRA regulation?

Although it may seem that only technology companies should be concerned, any organization that markets products with digital elements in the EU is subject to this regulation.

That includes:

  • Software manufacturers.
  • Companies that integrate digital systems.
  • Connected hardware distributors.
  • Business users, to a lesser extent, who must demonstrate good practices in the digital supply chain.

In this sense, if your company integrates third-party software into its processes, you should check that these suppliers are aligned with the standards of the CRA regulation. If they fall short, the problem can also reach your business. With our third-party license, you can manage these supplier-related issues.

You may be interested: Keys to carrying out supplier evaluation: how to manage third parties in your company.




CRA regulation deadlines: what you need to know in 2026

The European cyber resilience law came into force on December 11, 2024. From then on, the phased implementation schedule is as follows:

  • September 11, 2026: The obligations to report incidents and vulnerabilities to ENISA become applicable.
  • December 2027: Full application of the regulation. All products with digital elements must comply with all applicable requirements to be marketed with a CE marking.

Companies that have not yet begun their adaptation process are, in practice, at significant regulatory risk.


How to achieve compliance with CRA regulations?

Compliance with CRA regulations is not a one-day task, but a continuous process that requires planning, resources, and strategic vision. Here are some keys to tackling it successfully:

1. Map your external attack surface

Before taking action, you need to know what’s exposed. The CRA regulation requires manufacturers to understand and manage the risks associated with their products. The first step is to conduct a thorough inventory of digital assets, including domains, subdomains, IPs, exposed services, leaked credentials, and third-party dependencies.

With Kartos, you can get an up-to-date, automated view of your external exposure, without manual intervention or false positives.

2. Establish a vulnerability management process

The cyber resilience law requires manufacturers to identify, document, and correct vulnerabilities throughout the product’s lifecycle. This implies having a formal vulnerability management process that includes prioritization by criticality and recording of actions taken.

3. Implement a CTEM strategy

One of the best ways to comply with CRA regulations is to adopt a Continuous Threat Exposure Management (CTEM) model. This strategy is based on:

  • Constantly identify new threats.
  • Validate the effectiveness of your security controls.
  • Automate detection and response processes.

Through Kartos, we offer precisely this CTEM-based approach, which fits this need directly.

4. Establish incident reporting processes

The cyber resilience regulation establishes strict notification obligations; actively exploited vulnerabilities and serious security incidents must be reported to ENISA within 24 hours of the manufacturer becoming aware of them.

Having the processes and tools in place to detect, classify, and report incidents on time is not optional; it is a legal requirement starting in December 2026.

5. Document and audit

The cyber resilience regulations require transparency. Therefore, it is essential to document security actions, to implement controls, and to record incidents. This way, if an audit occurs or a decision needs to be justified, you’ll have all the necessary documentation.


Benefits of complying with the CRA regulation

Although it may seem like just another obligation, the truth is that compliance with the CRA regulation can become a competitive advantage:

  • Improves your brand reputation.
  • Increases the confidence of customers and partners.
  • Reduces the risk of sanctions and economic losses.
  • Prepares you for future similar regulatory frameworks.

Plus, keeping your digital exposure under control minimizes the risk of cyberattacks, which cause billions of euros in annual losses, according to data from Cybersecurity Ventures.


Kartos: your ally in compliance

You are not alone in this process. Enthec offers solutions designed to help you address all of these challenges. With Kartos, you can:

  • Continuously detect external threats.
  • Prioritize corrective actions.
  • Comply with the requirements of the cyber resilience regulation more simply.

Adapting to the CRA regulation should not be seen as a burden but as an opportunity to improve your company’s cybersecurity posture. The sooner you start, the better prepared you will be to face the digital challenges that lie ahead.

At Enthec, we know security is not static. That’s why we offer tools that evolve with your company.

Do you want to see how Kartos can help you comply with CRA regulations simply and effectively? Contact us to start working together.