by David Soto Dalmau (ERNI Spain)
A strategic perspective on cyber resilience
Change is constant. In technology, it’s systemic.
The Cyber Resilience Act (CRA) is not just another regulation – it’s a structural shift that redefines how connected products must be designed, built and maintained. The deadline is 2027. But readiness starts now.
Cybersecurity as strategy, not obligation
Compliance isn’t about ticking boxes. It’s about embedding resilience into every phase of the product lifecycle. Approaching cybersecurity with intentionality enables not only protection but also trust, operational continuity and long-term product viability.
Connected systems, everyday impact
Connected products are no longer isolated endpoints. They are part of ecosystems – homes, hospitals, factories and transport networks.
- Smart homes rely on secure interfaces to maintain privacy and comfort.
- Medical devices must communicate reliably to safeguard lives.
- Industrial systems depend on secure automation to prevent downtime.
- Vehicles exchange data to enable real-time safety on the road.
In all these contexts, trust is implicit – until security fails. The CRA seeks to make security visible, measurable and maintainable across the product lifecycle.
What resilience looks like in practice
Design with security in mind.
Resilience begins with understanding potential threat vectors. Effective design includes threat modelling, well-defined security requirements and early alignment with industry standards.
Integrate security into development workflows.
Secure-by-default frameworks, SBOM automation and CI-integrated vulnerability scanning enable teams to treat security as part of the development process – not a late-stage constraint.
Plan for secure deployment and long-term maintenance.
Security doesn’t stop at release. Observability, patch management, and monitoring infrastructure are essential for operational integrity.
Test continuously, not occasionally.
Red teaming, penetration testing and proactive vulnerability assessments build real-world confidence. Risk becomes visible, manageable and, ultimately, reduced.
Assessing your readiness
Even with strong practices in place, organisations often ask: Are we truly prepared for the CRA? To provide clarity, we developed the CRA Readiness Test – a focused self-assessment that maps your current posture against four readiness categories:
- Advanced – Mature practices, strong momentum.
- Intermediate – Solid progress, but critical gaps remain.
- Basic – Foundations exist; acceleration needed.
- Critical – High risk of non-compliance; urgent action required.
This tool is not about judgement – it’s about insight. In just a few minutes, it offers clear direction for your next steps.
Security as a differentiator
When implemented thoughtfully, compliance becomes more than a requirement – it becomes a competitive advantage. At ERNI, we work with organisations to embed security into the fabric of their products and systems – without compromising innovation. From embedded devices to large-scale platforms, we help teams design and deliver resilient, trustworthy solutions – not just compliant ones. The CRA is an opportunity to raise the standard. Let’s turn security into a strategic asset – clear, continuous and credible.