Overview
The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements, fundamentally changing how connected products are developed, maintained, and placed on the European market. As products become increasingly software-defined and connected, cybersecurity is no longer simply a best practice—it is a regulatory requirement.
This one-day training provides engineers and technical leaders with a practical understanding of the Cyber Resilience Act from an engineering perspective. Participants will explore how the CRA applies to connected products, how products are classified, the responsibilities of manufacturers and other economic operators, conformity assessment pathways, essential cybersecurity requirements, vulnerability handling, technical documentation, and lifecycle compliance obligations.
Rather than focusing solely on regulatory text, the course emphasizes how the CRA translates into practical engineering activities and product development workflows for connected products, including robotics, industrial automation, IoT, and other products with digital elements. Led by experienced SRES practitioners with deep expertise in cybersecurity, functional safety, and safety-critical product development, the course helps organizations prepare products for successful compliance.
Intended Audience
This course is designed for engineers, cybersecurity professionals, product managers, and technical leaders involved in developing connected products intended for the European market. It is particularly relevant for:
- Systems, software, hardware, and cybersecurity engineers developing robotics, industrial automation, IoT, and other connected products.
- Engineering managers and technical leads responsible for product development, cybersecurity, and regulatory compliance.
- Product managers, quality professionals, and regulatory specialists supporting CE marking and product conformity.
- Organizations preparing products for compliance with the EU Cyber Resilience Act.
Objectives
By the end of this course, participants will be able to:
- Explain the scope, purpose, and implementation timeline of the EU Cyber Resilience Act (CRA)
- Determine whether a product falls within the scope of the CRA and identify its applicable product classification
- Identify the responsibilities of manufacturers, importers, distributors, and other economic operators under the CRA
- Navigate conformity assessment pathways and recognize when third-party assessment by a notified body is required
- Apply the CRA’s essential cybersecurity requirements to modern engineering and product development workflows
- Recognize lifecycle obligations for vulnerability handling, incident reporting, technical documentation, and ongoing product support
- Understand how the CRA aligns with broader European regulatory frameworks affecting connected products
Agenda
Below you will find a tentative schedule for this training course.
- Welcome & Objectives: Course overview, participant introductions, expectations, and discussion of connected products and development environments represented by attendees
- CRA Overview & Scope: Understanding products with digital elements, regulatory scope, implementation timeline, and the relationship between the CRA and other European regulatory frameworks
- Roles & Responsibilities: Responsibilities of manufacturers, importers, distributors, open-source stewards, and supply chain participants throughout the product lifecycle
- Product Classification: Understanding Default, Important Class I, Important Class II, and Critical products, including practical classification examples and engineering considerations
- Conformity Assessment: Navigating Annex VIII assessment modules, notified bodies, harmonized standards, CE marking, and Declarations of Conformity
- Essential Cybersecurity Requirements: Applying Annex I requirements including secure-by-default design, attack surface reduction, credential management, cryptography, software bill of materials (SBOM), and secure development practices
- Vulnerability & Incident Handling: Meeting ENISA reporting obligations, implementing coordinated vulnerability disclosure, security update processes, and product support-period requirements
- Technical Documentation: Developing Annex VII documentation, cybersecurity risk assessments, threat modeling, and maintaining compliance throughout the product lifecycle
- Wrap-Up & Q&A: Reviewing key takeaways, implementation considerations, and addressing participant questions

