At Approach Cyber, we’ve been closely monitoring the CRA’s development and preparing our clients for what promises to be one of the most significant cyber security regulations in recent years. For Belgian manufacturers, importers, and distributors of digital products, the CRA represents both a compliance challenge and a competitive opportunity. Those who understand and prepare for these requirements early will find themselves better positioned in an increasingly security-conscious marketplace.
The regulation’s scope is remarkably broad, covering virtually any product that can connect to a network or process digital data. From consumer electronics to enterprise software, from IoT sensors to cloud services – if it has a digital element and is sold in the EU, it likely falls under the CRA’s purview. This isn’t just another regulatory checkbox; it’s a fundamental shift toward security-by-design that will reshape product development and go-to-market strategies across industries.
Understanding the CRA: More than just another regulation
The Cyber Resilience Act represents the EU’s first comprehensive attempt to address cyber security at the product level. Born from the recognition that inadequately secured digital products pose systemic risks to the entire digital ecosystem, the CRA mandates that manufacturers embed security considerations throughout a product’s entire life cycle – from initial design to end-of-life disposal¹.
The regulation’s objectives are straightforward but ambitious: ensure that products with digital elements are placed on the EU market with fewer vulnerabilities, require manufacturers to take security seriously throughout a product’s life cycle, and enable consumers and businesses to make informed security decisions when purchasing digital products². Unlike sector-specific regulations, the CRA applies horizontally across all industries, creating a unified security baseline for the European digital marketplace.
The business case for the CRA is compelling. Hardware and software products are increasingly subject to successful cyber attacks. The regulation addresses two fundamental market failures: the low level of cyber security in many digital products, reflected by widespread vulnerabilities and insufficient security updates, and the lack of transparency that prevents users from making informed security decisions.
For Belgian businesses, the CRA’s horizontal nature means that companies across virtually all sectors will be affected. Manufacturing companies producing connected equipment, software developers creating business applications, importers of consumer electronics, and distributors of digital products all fall within the regulation’s scope. The key question isn’t whether your organization will be affected, but rather how extensively and in what capacity.
Timeline and implementation phases: What to expect
The CRA follows a phased implementation approach designed to give businesses time to adapt while ensuring meaningful progress toward enhanced cyber security. Understanding these timelines is crucial for business planning and resource allocation.
- Phase 1 (December 11, 2025): The European Commission will adopt implementing acts specifying technical descriptions for Class I, Class II, and critical product categories. This phase provides clarity on which products face the most stringent requirements, enabling businesses to assess their compliance obligations accurately³.
- Phase 2 (September 11, 2026): Vulnerability and incident reporting obligations take effect. Manufacturers must begin reporting actively exploited vulnerabilities within 24 hours (early warning) and 72 hours (detailed notification), followed by final reports within 14 days for vulnerabilities or one month for severe incidents⁴. This represents a significant operational change requiring robust monitoring and response capabilities.
- Phase 3 (December 11, 2027): Full CRA compliance becomes mandatory. All cyber security requirements, conformity assessments, CE marking obligations, and life cycle management responsibilities come into effect. Products that don’t comply cannot be placed on the EU market⁵.
From our consulting perspective, the 2026 reporting deadline is particularly significant. Organizations need monitoring systems capable of detecting when their products are being actively exploited, incident response procedures that can meet tight reporting deadlines, and coordination mechanisms with Computer Security Incident Response Teams (CSIRTs) across EU member states. These capabilities don’t develop overnight and require substantial preparation.
The three-year transition period may seem generous, but product development cycles, supply chain complexity, and the need for third-party assessments make early preparation essential. Companies that wait until 2026 to begin serious CRA preparation will find themselves facing compressed timelines and potentially higher compliance costs.
Who’s affected: Scope and obligations
The CRA’s scope is deliberately broad, covering any hardware or software product that can connect directly or indirectly to a device or network. This includes consumer devices (smartphones, smart home appliances, connected toys), enterprise equipment (IoT sensors, network infrastructure, industrial control systems), software applications (mobile apps, cloud services, embedded firmware), and cloud-based services that process data for connected products⁶.
The regulation distinguishes between different types of economic operators, each with specific obligations:
- Manufacturers bear the heaviest compliance burden, responsible for cyber security by design, conformity assessments, technical documentation, vulnerability reporting, and life cycle management. This includes entities that design, manufacture, or have products manufactured for placement on the EU market under their name or trademark⁷.
- Importers must ensure that non-EU manufacturers have fulfilled their obligations, maintain relevant documentation, and verify that products carry required conformity markings. They serve as the primary point of contact for EU market surveillance authorities when dealing with non-EU manufacturers⁸.
- Distributors have lighter obligations but must ensure they don’t place non-compliant products on the market, verify CE markings and declarations of conformity, and cooperate with market surveillance authorities. They also must inform manufacturers or importers if they become aware of non-compliance⁹.
- Open Source Software (OSS) stewards represent a new category created specifically for the CRA, acknowledging the unique nature of open source development while ensuring appropriate security oversight¹⁰.
Product categorization determines the level of scrutiny and assessment required. Non-critical products undergo manufacturer self-assessment and internal conformity procedures. Important products (Class I and II, such as password managers, VPNs, and endpoint detection systems) require third-party conformity assessment. Critical products (including smart meters, smart cards, and certain industrial control systems) must obtain European cyber security certification at “substantial” assurance level¹¹.
Essential requirements: Security by design in practice
The CRA establishes comprehensive essential requirements that products must meet before being placed on the EU market. These requirements represent a shift from reactive security patching to proactive security design, fundamentally changing how products are conceived, developed, and maintained.
Core cyber security requirements include:
Products must be designed with appropriate cyber security levels based on assessed risks, without known exploitable vulnerabilities, and with secure default configurations. They must minimize negative impacts on other services, limit attack surfaces, and employ exploitation mitigation mechanisms¹².
Operational requirements mandate that products provide security-related monitoring and logging capabilities, offer secure data removal mechanisms, and ensure secure data transfer when migrating to other systems. These requirements recognize that security is not just about preventing attacks but also about maintaining visibility and control throughout the product life cycle¹³.
Vulnerability handling represents a critical operational component. Manufacturers must identify and document vulnerabilities, handle them without undue delay, and implement coordinated vulnerability disclosure policies. They must also ensure timely deployment of security updates and, where automatic updates aren’t feasible, provide clear guidance on manual update procedures¹⁴.
From a business perspective, these requirements necessitate fundamental changes to product development processes. Companies must integrate security assessments into design reviews, implement secure coding practices, establish vulnerability management programs, and create incident response capabilities. These aren’t just technical challenges but organizational transformations requiring executive commitment and cross-functional coordination.
For Belgian businesses, the practical implications extend beyond compliance. Organizations that embrace these requirements early often find that security-by-design principles improve overall product quality, reduce long-term support costs, and create competitive advantages in security-conscious markets. Conversely, those that treat security as an afterthought face higher compliance costs and potential market access restrictions.
Market surveillance and enforcement: Real consequences
The CRA includes robust enforcement mechanisms designed to ensure meaningful compliance rather than mere paperwork exercises. Market surveillance authorities in each EU member state have broad powers to investigate non-compliance, require corrective measures, and impose significant penalties.
Non-compliant products cannot be placed on the EU market, and authorities can order product withdrawals or recalls. Administrative penalties can reach €15 million or 2.5% of global annual turnover, whichever is higher¹⁵. These penalties apply to manufacturers, importers, and distributors, though notably exclude non-commercial open source developers.
Beyond financial penalties, the business implications of non-compliance are severe. Product recalls damage brand reputation, disrupt supply chains, and create customer service burdens. Market access restrictions can eliminate revenue streams and require costly product redesigns. Perhaps most significantly, cyber security incidents involving non-compliant products expose organizations to liability claims from affected customers and partners.
The CRA’s enforcement approach emphasizes prevention over punishment. Market surveillance authorities are expected to work with businesses to achieve compliance, particularly for small and medium enterprises. However, this collaborative approach shouldn’t be mistaken for lenient enforcement. The regulation includes specific provisions for supporting SMEs, including dedicated communication channels and guidance materials, but compliance obligations remain non-negotiable.
Belgian businesses benefit from the Centre for Cybersecurity Belgium’s (CCB) proactive approach to cyber security regulation, as demonstrated in NIS2 implementation. The CCB has committed to supporting CRA compliance through awareness campaigns, guidance materials, and coordination with European authorities. This creates opportunities for early engagement and clarification of compliance requirements.
Preparing for compliance: A strategic approach
Successful CRA compliance requires a strategic, long-term approach that integrates cyber security into core business processes. Based on our experience helping organizations prepare for complex regulatory requirements, we recommend a structured approach that addresses immediate needs while building sustainable capabilities.
- Assessment and gap analysis form the foundation of effective preparation. Organizations must first determine which of their products fall under CRA scope, classify them according to risk categories, and assess current security practices against essential requirements. This assessment should examine not just technical capabilities but also organizational processes, documentation standards, and vendor relationships.
- Product development processes require fundamental review and often substantial modification. Security must become an integral part of design reviews, with threat modeling, secure coding practices, and vulnerability assessment embedded throughout development life cycles. Many organizations find this requires both technical training and cultural change management to shift from reactive security patching to proactive security design.
- Vulnerability management capabilities need strengthening across most organizations. The CRA’s reporting requirements demand monitoring systems that can detect when products are being actively exploited, incident response procedures that meet tight deadlines, and coordination mechanisms with multiple CSIRTs across EU member states. These capabilities require investment in both technology and specialized expertise.
- Documentation and quality management systems must evolve to support conformity assessments. Technical documentation, user instructions, conformity declarations, and software bills of materials (SBOMs) become regulatory requirements rather than optional best practices. Organizations need processes that maintain accurate, up-to-date documentation throughout product life cycles.
At Approach Cyber, we help organizations navigate these complex requirements through our comprehensive cyber security consulting services. Our team combines deep technical expertise with practical regulatory experience, enabling us to develop compliance strategies that serve both regulatory obligations and business objectives. We understand that cyber security isn’t just about avoiding penalties – it’s about building sustainable competitive advantages in an increasingly digital marketplace.
The Belgian advantage: Building on existing strengths
Belgium’s approach to cyber security regulation provides unique advantages for organizations preparing for CRA compliance. The country’s successful NIS2 implementation demonstrates both regulatory competence and business-friendly execution, creating a foundation of trust and collaboration that benefits CRA preparation.
The CCB’s role extends beyond enforcement to include education, awareness, and support for compliance efforts. As the designated national cyber security authority, the CCB will coordinate vulnerability reporting, provide guidance materials, and serve as the primary interface between Belgian businesses and EU-level CRA administration¹⁶. This centralized approach reduces complexity and provides clear channels for questions and guidance.
Belgium’s cyber security ecosystem offers robust support for organizations preparing for CRA compliance. The Cyber Security Coalition provides knowledge-sharing opportunities and industry coordination. Established consulting firms like Approach Cyber offer specialized expertise in regulatory compliance and security-by-design implementation. Academic institutions contribute research and training capabilities that support workforce development.
The country’s strong technology sector provides additional advantages. Belgian companies have extensive experience with complex regulatory environments, from GDPR to NIS2 to sector-specific requirements. This regulatory literacy accelerates CRA adoption and reduces compliance costs. The presence of EU institutions in Brussels creates opportunities for early engagement with regulatory developments and policy clarification.
Small and medium enterprises, which form the backbone of Belgian industry, benefit from specific CRA provisions designed to ease compliance burdens. The European Commission has committed to publishing SME-specific guidance, and each member state must establish dedicated communication channels for micro and small enterprises¹⁷. Belgium’s collaborative regulatory approach suggests these provisions will be implemented effectively.
Looking ahead: CRA in the broader regulatory landscape
The CRA doesn’t exist in isolation but forms part of an evolving cyber security regulatory framework that includes NIS2, the Digital Operational Resilience Act (DORA), and emerging artificial intelligence regulations. Understanding these interconnections is crucial for developing efficient compliance strategies that avoid duplicated efforts and maximize synergies.
The relationship between CRA and NIS2 is particularly important for Belgian businesses. While NIS2 focuses on organizational security measures for critical infrastructure and essential services, the CRA addresses product security for digital elements used throughout the economy. Organizations subject to both regulations can leverage common elements like vulnerability management, incident response, and supply chain security to achieve efficient compliance.
Looking forward, the EU continues developing additional cyber security legislation addressing artificial intelligence, IoT devices, and critical infrastructure resilience. Organizations that view the CRA as part of a broader digital security transformation position themselves advantageously for future regulatory developments. Security-by-design principles, robust vulnerability management, and comprehensive incident response capabilities serve multiple regulatory frameworks while creating operational benefits.
The CRA’s global influence extends beyond EU borders, as major technology companies adapt their products to meet European requirements and other jurisdictions consider similar legislation. Belgian businesses that achieve early CRA compliance gain competitive advantages in global markets where security standards are rising rapidly.
Conclusion: Action steps for Belgian businesses
The Cyber Resilience Act represents both a compliance obligation and a strategic opportunity for Belgian businesses. Organizations that begin preparation now can spread costs over time, influence product development cycles effectively, and position themselves advantageously in an increasingly security-conscious marketplace.
Immediate action steps include:
- Conducting comprehensive product assessments to determine CRA scope and classification requirements. This assessment should examine current product portfolios, development processes, and market strategies to identify areas requiring attention.
- Engaging with cyber security experts who understand both technical requirements and regulatory implications. At Approach Cyber, we help organizations develop practical compliance strategies that serve both regulatory obligations and business objectives.
- Building vulnerability management capabilities that can meet reporting deadlines and coordinate with multiple CSIRTs. These capabilities require both technological investment and process development.
- Integrating security-by-design principles into product development processes, ensuring that cyber security becomes a core consideration rather than an afterthought.
The CRA’s three-year transition period provides sufficient time for thoughtful preparation, but early action creates significant advantages. Organizations that embrace security-by-design principles, invest in robust vulnerability management, and develop comprehensive incident response capabilities will find themselves well-positioned not just for CRA compliance but for success in an increasingly digital and security-conscious business environment.
The future of cyber security lies not in reactive compliance but in proactive security integration that serves both regulatory requirements and business objectives. Belgian businesses have unique advantages in achieving this integration, and the time to begin is now.
Looking for some help? Have a look at our Secure Developments Solutions.
References
1. Centre for Cybersecurity Belgium, “The Cyber Resilience Act (CRA)”, ccb.belgium.be/regulation/cra
2. European Commission, “Cyber Resilience Act”, digital-strategy.ec.europa.eu
3. Intertek, “What Manufacturers Need to Know About the EU Cyber Resilience Act”, November 2024
4. TXOne Networks, “The Cyber Resilience Act: A Guide for Manufacturers”, April 2025
5. Loyens & Loeff, “The EU Cyber Resilience Act”, November 2024
6. Regulation (EU) 2024/2847, Official Journal of the European Union
7. Ibid., Article 13
8. Ibid., Article 15
9. Ibid., Article 16
10. Ibid., Article 3(14)
11. Ibid., Annexes III and IV
12. Ibid., Annex I, Part I
13. Ibid., Annex I, Part II
14. Ibid., Article 13(6)
15. Ibid., Article 53
16. Centre for Cybersecurity Belgium, CRA FAQ
17. European Commission, CRA implementation guidance