
Preparing PassSecurium for the EU Cyber Resilience Act (CRA)

Cybersecurity regulation in Europe is entering a new phase.

With the adoption of the EU Cyber Resilience Act (CRA), cybersecurity is no longer just a matter of best practices or voluntary standards. It is becoming a legally enforceable requirement for manufacturers of digital products.

For companies developing software or connected systems, the CRA introduces new obligations related to secure product design, vulnerability management, transparency, and incident reporting. Organizations that fail to comply may face substantial penalties — up to €15 million or 2.5% of global annual turnover.

At ALPEIN Software, we are preparing our PassSecurium business password manager to meet these requirements well before the regulation reaches full enforcement.

This article explains what the CRA is, who it applies to, and how we are preparing PassSecurium to comply with its cybersecurity requirements.

What is the EU Cyber Resilience Act?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is a European regulation that establishes mandatory cybersecurity requirements for products with digital elements that are placed on the EU market.

These include:

  • Software products
  • Network and security tools
  • IoT devices
  • Hardware with embedded software
  • Business applications and enterprise systems

The goal of the CRA is to ensure that products sold in the EU are:

  • Secure by design
  • Secure by default
  • Supported with security updates
  • Transparent about vulnerabilities

The regulation introduces cybersecurity obligations throughout the entire lifecycle of a product, from development and release to vulnerability handling and user notification.

In practical terms, the CRA moves cybersecurity from recommendation to legal obligation.

Who the CRA applies to

The CRA applies to manufacturers, importers, and distributors of products with digital elements that are placed on the EU market.

This includes:

  • EU-based companies
  • Non-EU companies selling products to EU customers

For software vendors, the key point is simple:

If your product is distributed or sold within the EU, the CRA applies.

This means that Swiss software companies — including those selling enterprise security solutions — must also comply when serving EU customers.

Product classification under the CRA

The regulation classifies digital products into different categories based on cybersecurity risk.

Default category

The European Commission estimates that approximately 90% of products fall into this category.

Examples include:

  • Standard software applications
  • Consumer electronics
  • Lower-risk IoT devices

These products typically undergo self-assessment for conformity.

Important products — Class I

Certain products that play a critical role in security or identity management fall into Important Class I.

Examples include:

  • Password managers
  • Browsers
  • VPN solutions
  • Identity management systems
  • Network management software

PassSecurium falls into this category.

This classification reflects the fact that password managers store sensitive credentials and therefore require stronger cybersecurity guarantees.

Important Class I products can be assessed in one of two ways (Article 32):

  • Self-assessment (internal control), provided the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme that cover the relevant requirements
  • Third-party conformity assessment by a notified body, in all other cases

Important products — Class II

Higher-risk products listed in Class II of Annex III include:

  • Hypervisors and container runtime systems
  • Firewalls, intrusion detection and intrusion prevention systems
  • Tamper-resistant microprocessors and microcontrollers

Note that operating systems and public key infrastructure (PKI) and digital certificate issuance software are listed in Class I, not Class II.

Class II products always require third-party conformity assessment.

Critical Products

Critical products with digital elements (Annex IV) include:

  • Hardware devices with security boxes (for example hardware security modules)
  • Smart meter gateways and other devices for advanced security purposes, including secure cryptoprocessing
  • Smartcards or similar devices, including secure elements

For these products the Commission can, by delegated act, require a European cybersecurity certificate, for example under the EUCC scheme based on Common Criteria, at assurance level "substantial" or higher.

CRA implementation timeline

The CRA introduces a phased implementation timeline, giving manufacturers time to prepare.

Entry into force

10 December 2024

The regulation officially entered into force, and companies are expected to begin compliance planning.

Typical activities during this phase include:

  • Product classification
  • Gap analysis against CRA requirements
  • Assigning internal compliance ownership

Mandatory vulnerability reporting

11 September 2026

This is one of the most significant milestones.

From this date manufacturers must be able to:

  • Detect actively exploited vulnerabilities in their products, and severe incidents having an impact on the product's security
  • Submit an early warning within 24 hours of becoming aware, a notification within 72 hours, and a final report (within 14 days for a vulnerability, within one month for an incident)
  • Deliver these structured reports through the single reporting platform, which routes them to the CSIRT designated as coordinator in the manufacturer's Member State and to ENISA
  • Inform affected users about the vulnerability or incident and the corrective measures available

Full application

11 December 2027

From this date onward:

  • All essential cybersecurity requirements must be met
  • Technical documentation must be complete
  • Conformity assessments must be finalized
  • CE marking must be applied
  • An EU Declaration of Conformity must be issued

Essential cybersecurity requirements

The CRA defines essential cybersecurity requirements in Annex I: Part I covers the security properties of the product itself, Part II the manufacturer's vulnerability handling. These requirements form the core of the regulation and apply in full to software products such as password managers.

Below are some of the most relevant principles.

Secure by design and Secure by default

Products must be designed with cybersecurity as a core architectural principle.

For PassSecurium, this includes:

  • risk-based security architecture
  • hardened default configurations
  • strong authentication mechanisms
  • secure credential storage design

Users should not need to manually enable security features to achieve a safe configuration.

No known exploitable vulnerabilities

Products must not be released with known exploitable vulnerabilities.

This requires:

  • security review before release
  • vulnerability testing
  • controlled software release processes

Access control

Products must prevent unauthorized access through appropriate authentication and authorization mechanisms.

For a password manager, this includes:

  • multi-factor authentication
  • role-based access control
  • least-privilege access models
  • secure integration with identity providers

Confidentiality, integrity, and availability

Products must ensure the protection of data:

  • Confidentiality through encryption
  • Integrity through tamper protection
  • Availability through resilient system architecture

Minimizing the attack surface

The CRA requires products to limit exposure to unnecessary interfaces and external access points.

This includes:

  • restricting external interfaces
  • minimizing exposed services
  • carefully controlling APIs

Security logging and monitoring

Products must record security-relevant events to enable monitoring and incident analysis.

For enterprise products such as password managers, logging capabilities are essential for:

  • auditability
  • incident investigation
  • compliance reporting

Secure update mechanisms

Manufacturers must provide mechanisms for distributing security updates securely and, where applicable, enable automatic security updates by default with a clear and easy-to-use opt-out for users.

This includes:

  • update integrity verification
  • authenticated update delivery
  • rollback capabilities
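As an added illustration of the three properties above (example code written for this article, not PassSecurium's own update mechanism, whose internals are not described here), the following Go program shows a client verifying a signed update: an Ed25519 signature over the manifest provides authenticity, a SHA-256 digest inside the manifest binds the artifact to it, a monotonically increasing version number refuses downgrades, and a minimal installer keeps the previous release so that a faulty update can be rolled back. The key pair, product name and artifact bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs. The artifact is bound to it through the
// SHA-256 digest, so a valid signature over the manifest also authenticates the artifact.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"` // monotonically increasing build number
	SHA256  string `json:"sha256"`  // hex digest of the artifact bytes
}

// SignedUpdate is what the update channel delivers to the client.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Artifact     []byte
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrDigest    = errors.New("artifact digest does not match manifest")
	ErrDowngrade = errors.New("update is not newer than the installed version")
)

// Publish is the vendor side: hash the artifact and sign the manifest.
// (Hypothetical key handling: a real pipeline keeps priv in an HSM or signing service.)
func Publish(priv ed25519.PrivateKey, product string, version int, artifact []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(artifact)
	mj, err := json.Marshal(Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Artifact: artifact}, nil
}

// Verify is the client side. Order matters: the signature is checked before the
// manifest is parsed, so unauthenticated bytes never reach the JSON decoder;
// then artifact integrity; then downgrade protection.
func Verify(pub ed25519.PublicKey, u SignedUpdate, installedVersion int) (Manifest, error) {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(u.Artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrDigest
	}
	if m.Version <= installedVersion {
		return m, ErrDowngrade
	}
	return m, nil
}

// Installer keeps the previously installed release so a verified update that
// later turns out to be faulty can be rolled back.
type Installer struct {
	Current, Previous        []byte
	Version, PreviousVersion int
	hasPrevious              bool
}

func (in *Installer) Apply(pub ed25519.PublicKey, u SignedUpdate) error {
	m, err := Verify(pub, u, in.Version)
	if err != nil {
		return err
	}
	in.Previous, in.PreviousVersion, in.hasPrevious = in.Current, in.Version, true
	in.Current, in.Version = u.Artifact, m.Version
	return nil
}

func (in *Installer) Rollback() error {
	if !in.hasPrevious {
		return errors.New("no previous release to roll back to")
	}
	in.Current, in.Version = in.Previous, in.PreviousVersion
	in.Previous, in.PreviousVersion, in.hasPrevious = nil, 0, false
	return nil
}

func main() {
	// Constructed demo: fresh vendor key pair (nil reader = crypto/rand) and fake artifacts.
	pub, priv, _ := ed25519.GenerateKey(nil)
	inst := &Installer{Current: []byte("release-1"), Version: 1}
	upd, _ := Publish(priv, "example-product", 2, []byte("release-2"))
	fmt.Println("apply v2:", inst.Apply(pub, upd))
	upd.Artifact = []byte("release-2-tampered") // integrity failure
	fmt.Println("tampered:", inst.Apply(pub, upd))
	fmt.Println("rollback:", inst.Rollback(), "now at version", inst.Version)
}
```

The downgrade check is deliberately separate from rollback: a client refuses to install anything older than what it runs, but the installer itself may restore the previous release, because that decision is made locally and not driven by data from the update channel.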

Vulnerability handling requirements

Annex I, Part II, defines how manufacturers must handle vulnerabilities throughout the product's support period.

Software bill of materials (SBOM)

Manufacturers must maintain a machine-readable inventory of the software components in the product, in a commonly used format such as CycloneDX or SPDX and covering at least the top-level dependencies. The SBOM is part of the technical documentation and does not have to be published, but it improves supply chain transparency and makes it possible to identify vulnerable components quickly when a new advisory appears.
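As an added example of how an SBOM is consumed once it exists (example code written for this article, not from the PassSecurium project), the Go program below parses a constructed CycloneDX 1.5 SBOM, matches each component's package-URL against a constructed advisory list and reports the components whose version is older than the fixed version. The advisory identifiers and the component set are made up for the demo; a real pipeline would feed the same component list to a vulnerability database.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// The subset of a CycloneDX JSON SBOM this check needs.
type sbom struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []component `json:"components"`
}

type component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"` // package-URL, e.g. pkg:npm/lodash@4.17.20
}

// Advisory is a constructed vulnerability record: affected package by
// versionless package-URL, and the first version containing the fix.
type Advisory struct {
	ID      string
	Package string
	FixedIn string
}

// SampleSBOM is a constructed three-component SBOM, not taken from any real product.
const SampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash",  "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "express", "version": "4.18.2",  "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "argon2",  "version": "0.31.0",  "purl": "pkg:npm/argon2@0.31.0"}
  ]
}`

// SampleAdvisories use constructed identifiers, not real CVE numbers.
var SampleAdvisories = []Advisory{
	{ID: "EXAMPLE-2024-0001", Package: "pkg:npm/lodash", FixedIn: "4.17.21"},
	{ID: "EXAMPLE-2024-0002", Package: "pkg:npm/express", FixedIn: "4.17.0"},
}

// parseVersion turns "4.17.20" into [4 17 20]; non-numeric segments become 0.
func parseVersion(v string) []int {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// versionLess reports whether a < b, segment by segment; missing trailing
// segments count as 0, so "1.2" equals "1.2.0".
func versionLess(a, b string) bool {
	va, vb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(va) || i < len(vb); i++ {
		x, y := 0, 0
		if i < len(va) {
			x = va[i]
		}
		if i < len(vb) {
			y = vb[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// stripVersion drops the "@version" suffix. Only an "@" after the last "/" is a
// version separator; the "@" of a scoped npm package (pkg:npm/@scope/name) is kept.
func stripVersion(purl string) string {
	if i := strings.LastIndex(purl, "@"); i > strings.LastIndex(purl, "/") {
		return purl[:i]
	}
	return purl
}

// FindVulnerable returns one finding per SBOM component whose version is
// older than the fix version of a matching advisory.
func FindVulnerable(sbomJSON []byte, advisories []Advisory) ([]string, error) {
	var doc sbom
	if err := json.Unmarshal(sbomJSON, &doc); err != nil {
		return nil, err
	}
	if doc.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", doc.BOMFormat)
	}
	var findings []string
	for _, c := range doc.Components {
		for _, a := range advisories {
			if stripVersion(c.PURL) == a.Package && versionLess(c.Version, a.FixedIn) {
				findings = append(findings, fmt.Sprintf("%s: %s@%s (fixed in %s)", a.ID, c.Name, c.Version, a.FixedIn))
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindVulnerable([]byte(SampleSBOM), SampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Matching on the package-URL rather than on the display name avoids false matches between unrelated packages that share a name across ecosystems, which is why the SBOM should carry a purl for every component.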

Vulnerability remediation

Vulnerabilities must be:

  • identified
  • assessed
  • fixed without undue delay

Security updates must be distributed to affected users.

Coordinated vulnerability disclosure

Manufacturers must establish a public vulnerability disclosure process.

This includes:

  • a public contact for reporting vulnerabilities
  • documented internal processes
  • responsible disclosure procedures

Incident and vulnerability reporting

Manufacturers must report actively exploited vulnerabilities, and severe incidents having an impact on the security of the product, through the CRA single reporting platform operated by ENISA; each notification reaches both the CSIRT designated as coordinator in the manufacturer's Member State and ENISA.

This ensures faster cross-border cybersecurity coordination.

Standards supporting CRA compliance

The CRA allows manufacturers to demonstrate compliance with the essential cybersecurity requirements through harmonized European standards (Article 27).

Until CRA-specific harmonised standards are formally published, widely adopted international standards can serve as supporting frameworks: IEC 62443-4-1 (secure product development lifecycle), ISO/IEC 27001 (information security management systems), ISO 31000 (risk management) and ISO/IEC 29147 and ISO/IEC 30111 (vulnerability disclosure and vulnerability handling). These standards do not by themselves create a presumption of conformity, but they map closely onto the Annex I practices for secure development, vulnerability handling and risk management.

Compliance with harmonized standards can create a presumption of conformity under the regulation.

Our CRA preparation roadmap

Preparing for CRA compliance is a multi-year process.

Our internal roadmap includes several key steps.

Phase 1 – Compliance planning

  • Appoint CRA compliance owner
  • Inventory products and components
  • Classify products under CRA categories
  • Perform gap analysis against Annex I requirements

Phase 2 – Security infrastructure

  • Implement SBOM generation
  • Establish vulnerability tracking processes
  • Develop incident reporting procedures
  • Prepare technical documentation

Phase 3 – Reporting and testing

  • Register on the ENISA reporting platform
  • Implement the reporting workflow for the 24-hour early warning, the 72-hour notification and the final report
  • Test vulnerability reporting workflows
  • Establish coordinated vulnerability disclosure processes

Phase 4 – Conformity assessment

  • Identify appropriate conformity assessment bodies
  • Complete technical documentation
  • Perform final security testing
  • Prepare CE marking and EU Declaration of Conformity

The final compliance deadline is 11 December 2027.

Conclusion

The Cyber Resilience Act represents a fundamental shift in how cybersecurity is regulated in Europe.

Instead of relying on voluntary standards, the CRA introduces mandatory security requirements for digital products.

For cybersecurity vendors, this regulation reinforces a principle that should already be standard:

Security must be built into the product lifecycle — from architecture and development to vulnerability management and transparency.

At ALPEIN Software, we are preparing PassSecurium for CRA compliance through a structured implementation roadmap aligned with international security standards.

Our goal is not only regulatory compliance, but also maintaining a high level of security, transparency, and trust for our customers in Switzerland and across Europe.


Sources:

https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
