Cyber Resilience Act (CRA) – What It Means in Practice and How Remion Integrates It into Software Development
Key Takeaways
- The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market.
- Vulnerability reporting obligations begin in September 2026, with full compliance required from December 2027.
- Responsibility lies with the entity placing the product on the EU market — compliance must be demonstrable and documented.
- CRA requires risk-based secure design, structured vulnerability management, SBOM transparency, and security updates throughout the support period.
- Technology partners must be able to prove compliance through documented development processes and traceable controls.
- Remion is strengthening its Secure Software Development Lifecycle (SSDLC) to embed CRA-aligned cybersecurity into architecture, development, CI/CD, and update processes.
- The result for customers: reduced regulatory uncertainty, improved resilience, and clearer shared responsibility across the supply chain.
The EU Cyber Resilience Act (EU 2024/2847) introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market.
The first obligations, including vulnerability reporting requirements, apply from 11 September 2026. Full compliance will be required for products placed on the market from 11 December 2027.
Under CRA, the responsibility lies with the party that places a product with digital elements on the EU market. This entity must ensure that the product is developed and maintained in accordance with risk-based cybersecurity requirements, properly documented, and supported with security updates throughout the defined support period.
At Remion, we have assessed the impact of CRA both on our own solutions and on our customers’ operating environments. We are strengthening our development practices to ensure that regulatory requirements are systematically embedded into our solutions.
Remember These Dates
- 11 September 2026: the first obligations, including vulnerability reporting requirements, apply from this date.
- 11 December 2027: full compliance will be required for products placed on the market from this date.
Risk-Based Cybersecurity
A central principle of CRA is risk-based implementation. Cybersecurity measures must be aligned with identified risk scenarios. Controls must correspond to documented risk assessments and realistic threat models.
Manufacturers must be able to demonstrate:
- Risk-based secure design and development
- Documented cybersecurity risk assessments
- Structured vulnerability management
- Security updates throughout the defined support period
- Transparent reporting processes
This raises a practical question for our customers: Can our technology partners demonstrate compliance if required?
Compliance requires a structured and documented development model aligned with applicable standards.
Strengthening Our Secure Software Development Lifecycle
We are strengthening our Secure Software Development Lifecycle (SSDLC) and related development practices across projects.
Our focus is on ensuring that implemented cybersecurity measures are directly derived from risk assessments and that their rationale is documented and traceable.
Our Focus Areas
Unified Secure Development Practices
Security requirements are integrated already in the specification phase. Security acceptance criteria are defined to ensure that the implemented controls, such as code scanning, manual testing, and review processes, correspond to the identified risks.
Risk-Based Security Measures and Threat Modeling
We evaluate attack surfaces, trust boundaries, and critical components during product design and architecture planning. Early identification and prioritization of risk scenarios help ensure that cybersecurity measures remain proportionate and appropriate to the actual risk landscape.
SBOM and Vulnerability Management
We are implementing Software Bill of Materials (SBOM) practices and continuous CVE monitoring to maintain visibility into third-party components. Combined with a documented vulnerability management process, this supports faster response times and improved traceability.
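The SBOM-to-CVE cross-check described above, as an added example that is not Remion's code: it loads a CycloneDX-style SBOM, keys each component by its Package URL (purl), and reports every component whose version falls inside an advisory's affected range. The SBOM, the advisory feed, the component names and the CVE identifiers are all constructed placeholders so the script runs offline; a real deployment would pull the SBOM from the build and the advisories from a vulnerability database.

```python
"""Cross-check a CycloneDX-style SBOM against a vulnerability feed.

Added example (not Remion's code). The SBOM and the advisory feed are
constructed inline so it runs offline; the CVE ids and component names are
placeholders, not real advisories.
"""
import json

# Constructed CycloneDX 1.5-style SBOM fragment (placeholder components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.3.1",
     "purl": "pkg:pypi/examplelib@2.3.1"},
    {"type": "library", "name": "netparse", "version": "0.9.0",
     "purl": "pkg:pypi/netparse@0.9.0"},
    {"type": "library", "name": "fastjson", "version": "1.4.2",
     "purl": "pkg:maven/org.example/fastjson@1.4.2"}
  ]
}
"""

# Constructed advisory feed. Each entry names the affected package (purl
# without version), the affected range and the fixed version. Ids are placeholders.
ADVISORIES = [
    {"id": "CVE-XXXX-0001", "purl": "pkg:pypi/examplelib",
     "introduced": "2.0.0", "fixed": "2.3.2", "severity": "HIGH"},
    {"id": "CVE-XXXX-0002", "purl": "pkg:pypi/netparse",
     "introduced": "0.0.0", "fixed": "0.9.0", "severity": "MEDIUM"},
    {"id": "CVE-XXXX-0003", "purl": "pkg:maven/org.example/fastjson",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "CRITICAL"},
]


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl):
    """Separate 'pkg:type/ns/name@version' into (package, version)."""
    pkg, _, version = purl.rpartition("@")
    return pkg, version


def load_components(sbom_json):
    """Return {purl_without_version: version} for every SBOM component."""
    bom = json.loads(sbom_json)
    comps = {}
    for c in bom.get("components", []):
        pkg, version = split_purl(c["purl"])
        comps[pkg] = version
    return comps


def is_affected(version, introduced, fixed):
    """Range check in the OSV convention: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(sbom_json, advisories):
    """Return (advisory id, purl, installed version, fixed version, severity)
    for every SBOM component whose version lies in an affected range."""
    comps = load_components(sbom_json)
    findings = []
    for adv in advisories:
        installed = comps.get(adv["purl"])
        if installed is None:
            continue  # component not shipped in this product
        if is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append((adv["id"], adv["purl"], installed,
                             adv["fixed"], adv["severity"]))
    # Highest severity first so triage starts with what matters most.
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    findings.sort(key=lambda f: order.get(f[4], 99))
    return findings


if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{f[4]:8} {f[0]}  {f[1]}@{f[2]}  fixed in {f[3]}")
```

The range check uses the half-open convention (a component at exactly the fixed version is not affected), which is why the placeholder netparse 0.9.0 produces no finding while the other two components do. Running this on every build and keeping the output with the release record is the traceability the vulnerability management process needs.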
Integrated DevSecOps Controls
Static (SAST), dynamic (DAST), and dependency scanning are embedded into our CI/CD pipelines. This supports continuous security verification and auditability.
Secure Update and Patch Management Processes
CRA requires security updates throughout the product’s support period. We are strengthening release and OTA processes to ensure secure, controlled, and documented updates.
What This Means for Our Customers
Our CRA-aligned development work provides clear benefits:
- Reduced regulatory uncertainty
- Demonstrable compliance readiness
- Clear shared responsibility
- Improved long-term resilience
- Better supply chain transparency
In industrial and connected environments, structured and risk-based cybersecurity practices are essential.
At Remion, cybersecurity is integrated into product quality and lifecycle management. Our objective is to deliver secure, maintainable, and regulation-aware solutions that support long-term business continuity.
About The Author – Jesse Ikola

Jesse is passionate about building resilient and secure software solutions that meet both business and regulatory requirements. With hands-on experience in application development and complex technical environments, he focuses on practical cybersecurity and secure software development in industrial and connected systems.