Cyber Resilience Act: Insights on the draft CRA guidance

The Cyber Resilience Act establishes a common framework for improving the cybersecurity of products with digital elements across the EU. With the recent publication of the draft Commission guidance on the application of the CRA, organisations are gaining clearer insight into how the Regulation is expected to be interpreted and applied in practice. The guidance also highlights the breadth of the CRA’s scope and the importance of consistent implementation across product portfolios.

The draft guidance clarifies key concepts such as products with digital elements, software and lifecycle responsibilities, while making clear that CRA compliance cannot be addressed by individual teams or products alone. Achieving compliance requires coordinated organisational effort, clear accountability and alignment between technical, legal, commercial and management functions. Without this, organisations risk inconsistent interpretations and uneven compliance across their products.

In this webinar, we will explore the Commission’s newly released interpretations in draft CRA guidance and their implications for driving company-wide alignment and structured change. The session focuses on highlighting how interpretations in draft CRA guidance will impact an average company’s typical interpretation of CRA scope and applicability.

The applicability of CRA on maritime products will also be discussed.

Key takeaways:

  • How the CRA applies to products with digital elements, including maritime components and systems
  • Key interpretations from the draft Commission guidance
  • Implications for software, including SaaS, digital services and web portals
  • How the guidance supports consistent, portfolio‑wide compliance in complex system products, including the management of cloud‑related cybersecurity risks

Our speaker Antti Tolvanen is a compliance specialist at DNV Cyber, with extensive experience in EU product safety and cybersecurity regulations in the context of connected and software-driven products. He works closely with organizations across industries to interpret emerging regulatory requirements and translate them into practical, implementable product security strategies.

We look forward to seeing you there.