Earlier this month, I had the opportunity to participate in the second meeting of the European Commission’s CRA Expert Group - an experience that not only reaffirmed the magnitude of what lies ahead but also offered a clearer glimpse into the evolving regulatory fabric behind the Cyber Resilience Act (CRA).
Stepping into the meeting felt less like attending a typical stakeholder update and more like joining an architectural session for Europe’s digital future. Around the virtual table: policy makers, Member States, standardization bodies, and industry experts - each bringing a vital piece of the cybersecurity compliance puzzle.
Setting the Scene: Where Strategy Meets Urgency
The Commission opened the session with a candid acknowledgment: interest in the CRA remains high, and many are eager to observe or contribute. But this is not just about inclusion - it’s about function. To keep the process agile and meaningful, ad hoc participation will replace permanent observership. This careful balancing act - openness vs. operability - is a recurring theme in CRA’s implementation.
Then came the roadmap. With the first legal deadlines falling in December 2025, several instruments are on fast-forward:
- An Implementing Act giving the technical description of the "important" and "critical" product categories listed in Annexes III and IV - the act that determines which conformity assessment route a product must follow.
- A Delegated Act setting the conditions under which CSIRTs may delay the dissemination of vulnerability notifications.
- A new wave of guidance documents - not bulky manuals, but precise, timely tools such as FAQs and Commission Communications.
Each of these is a moving part in a regulatory machine that’s as complex as the threats it seeks to counter.
Remote Data Processing: The Foggiest Frontier
But the real tension surfaced during the discussion of Remote Data Processing (RDP, in the CRA's sense of processing that a product depends on to perform its functions - not the desktop protocol). Where does a product end and a service begin? When does the manufacturer remain responsible, and when is the ball in someone else's court?
The Commission listened. It didn't have all the answers, but it recognized the need for clarity, boundaries and, above all, practical use cases. A suggestion to split RDP into operational functions (CRA-relevant) and configuration tasks (possibly falling under NIS2) gained traction. It's a reminder that regulation is not just about theory - it's about real-world architecture, from microservices to managed services.
A New Language for Cyber Risk
Another theme that echoed through the session was terminology. The CRA references "functions" - essential, basic, security-related - but stakeholders are still speaking different dialects of the same language. The Commission confirmed that guidance will not introduce new legal definitions, but promised practical interpretation of the existing ones instead.
The consensus? If we want regulatory certainty, we need linguistic harmony - especially as we move from abstract legal texts to actionable engineering decisions, where a single word in a definition can decide which requirements apply to a product.
Spotlight on Certification: EUCC & CRA - Friends or Foes?
As a Conformity Assessment Body, Red Alert Labs is deeply invested in the intersection between CRA and the EU Common Criteria scheme (EUCC). The meeting brought encouraging news:
- The EUCC scheme, while voluntary, is seen as a candidate for presumption of conformity with the CRA essential requirements, through the route the CRA provides for European cybersecurity certification schemes designated by the Commission.
- ENISA's mapping study confirms partial alignment - especially where updated Protection Profiles are used.
- A series of pilot projects starting this July will help stress-test this synergy.
But there are caveats. An EUCC certificate covers a defined Target of Evaluation, often a component or subsystem, whereas CRA obligations attach to the whole product with digital elements. Cloud services? Often out of EUCC scope. Cost and dependencies between certificates? Still hurdles. The message was clear: alignment is possible, but it will require more than technical adjustments - it will require regulatory innovation.
RED DA to CRA: A Silent Handover
Another layer of complexity: the quiet but firm transition from the RED Delegated Act to the CRA. The two are legally consistent but not interchangeable. Until December 2027, when the CRA's main obligations start to apply, manufacturers of radio equipment in scope of both will need to maintain dual documentation - one set for RED, one for CRA.
Some suggested a "gentleman's agreement" to reduce redundancy. But for now, the rule is clear: no legal mutual recognition, even where the technical requirements overlap.
Standards and the Shape of Compliance
Finally, standards. The Commission encouraged sectors - from railway to medical - to step forward with Type C (product-specific) standards under the CRA's umbrella. It emphasized that presumption of conformity isn't automatic: a standard earns it only once it is cited as a harmonised standard, and only for the essential requirements its content actually addresses.
And what about small players? SME voices were heard. The Commission acknowledged the need for accessible, open standards - especially for software vendors who don't have armies of compliance engineers.
Looking Ahead: A Living Framework
The CRA is not a static regulation - it’s a living framework. That means standards, guidance, and even the very definitions we use will evolve. The Commission hinted that even the New Legislative Framework (NLF) may undergo revision to better reflect the digital era.
From our perspective at Red Alert Labs, this shift toward dynamic, risk-based conformity is an opportunity. As a CAB, we’re not just preparing for new evaluation criteria - we’re also contributing to the very structure that will define how products are trusted across the EU.
Closing Thoughts
The second CRA Expert Group meeting was more than an update. It was a blueprint in motion, where regulation, technology, and trust converge. For those of us on the frontlines of cybersecurity assurance, this is a unique moment - one that demands both rigor and imagination.