AIOTI WG Policy provided a response to the Cyber Resilience Act.
The document supports stronger EU cybersecurity rules and highlights the importance of building trust in digital products. It stresses that regulation should stay focused on the most critical issues to be effective, without creating unnecessary burdens. While the Cyber Resilience Act (CRA) helps clarify key areas like risk assessment, secure development, and vulnerability management, there are concerns that too much focus on paperwork and compliance processes could take attention away from real cybersecurity risks, which often arise at system level rather than from individual components.
At the same time, the text points out some remaining challenges. The rules may be complex, especially for SMEs, and there are still uncertainties around areas like cloud services and how different regulations interact. Harmonised standards are seen as a useful way to guide implementation, especially for identity and access management systems.
Overall, while the guidance is useful and gives clearer direction for companies and regulators, it is not legally binding and leaves some open questions unresolved. Businesses will still need strong internal processes, legal support, and active involvement in ongoing discussions to be fully prepared for the CRA requirements coming into force between 2026 and 2027.