EU Cyber Resilience Act (CRA)
Overview
The EU Cyber Resilience Act (CRA) is landmark legislation that sets mandatory cybersecurity requirements for all Products with Digital Elements (PDEs) sold in the EU market. It applies to hardware and software, and requires manufacturers to embed security from the earliest design phase through the entire product lifecycle.
This one-day workshop provides a structured, practical introduction to CRA compliance, following the regulation’s six-step workflow:
Applicability, Economic Operator Role, Product Criticality, Risk Assessment, Conformity, and Post-Market Monitoring.
Each step is introduced in the context of the EU regulatory landscape that drove the CRA into law.
The workshop is conducted as a classroom session. Participants work in groups of three to four people – approximately three groups in total – applying the concepts directly to their own products or to a provided representative case study. Each group exercise is followed by a plenary debrief at the whiteboard.
Goal
After completing this workshop, participants will understand the legal obligations imposed by the EU Cyber Resilience Act and how they apply to their products and organisation.
The workshop covers:
• The EU policy background and the regulatory drivers behind the CRA
• How to determine whether a product is subject to CRA requirements
• The obligations that follow from each economic operator role
• How to classify products as Default, Important (Class I/II), or Critical PDEs
• How to conduct a structured cybersecurity risk assessment using STRIDE and a risk scoring model
• Secure-by-design principles and their application across the product development lifecycle
• How to select and execute the correct conformity assessment module
• How to operate a vulnerability handling and incident reporting process that satisfies the CRA
• How to maintain a Risk Register and the required technical documentation on an ongoing basis
Participants will gain sufficient knowledge and practical experience to lead or contribute to a CRA compliance programme immediately after the workshop.
Participants
This workshop is intended for professionals in organisations that develop, manufacture, import, or distribute products with digital elements that are placed on the EU market.
The workshop is especially suitable for:
• Product managers and technical leads responsible for EU market compliance
• Embedded software engineers and hardware designers working on connected products
• Security engineers and architects involved in product cybersecurity
• Quality assurance professionals managing product certification processes
• Business strategists and decision makers assessing CRA risk and opportunity
• Engineers and technical specialists from any discipline who design, develop, or maintain products with digital elements sold in the EU
Previous Knowledge
No prior knowledge of EU cybersecurity regulation is required. Participants should have a general understanding of product development processes.
Basic familiarity with the following is beneficial:
• Software or hardware product development
• General concepts of IT security or risk management
• Product lifecycle from design through to market release
Familiarity with embedded systems or connected devices is advantageous, but not mandatory.
Practical Exercises / Tools
Each module of the workshop is followed by a structured group exercise in which participants apply the concepts directly to their own products or to a representative case study. The workshop runs with approximately three groups of three to four participants each.
The exercises introduce participants to the full set of CRA documentation artefacts and the practical workflow for producing them.
The practical environment includes:
• Product Registry Entry template – for recording applicability, role, and criticality
• Security Context and Threat Model template – for structured risk assessment
• Security Analysis for Product Interfaces template – for secure-by-design review
• Security Verification and Validation Testing template – for conformity evidence
• Vulnerability Handling Process template – for post-market vulnerability management
• Risk Register template – for ongoing monitoring and compliance tracking
Plenary debriefs are held after each module, using the whiteboard for shared discussion and synthesis.
Room Requirements
The workshop requires a classroom with the following setup:
• Tables arranged for group work, seating groups of 3–4 participants
• Projector and screen for presentations
• Whiteboard for group discussions and plenary debriefs
• Printed or digital copies of all workshop templates for each participant
Content
CRA in the EU
• The European Green Deal and the Digital Decade 2030 programme
• The escalation of cyberattacks on critical infrastructure from 2020 onwards
• EU Regulation 2024/2847: structure, scope, and key dates
• The CRA timeline: entry into force, reporting obligations, and full enforcement in December 2027
• The four objectives of the CRA: secure design, lifecycle security, transparency, unified framework
• Key EU actors: ENISA and national market surveillance authorities
Applicability
• Definition of a Product with Digital Elements (PDE)
• Products and sectors excluded from CRA scope
• The applicability decision tree: a step-by-step guide
• Documenting the applicability decision in the Product Registry Entry
• Group exercise: applying the decision tree to participant products
Economic Operator Role
• The four roles: Manufacturer, Importer, Distributor, Authorised Representative
• Obligations and responsibilities attached to each role
• Situations where one organisation holds multiple roles
• Group exercise: defining role and key responsibilities
Product Criticality
• The three CRA product categories: Default, Important (Class I/II), and Critical
• Annex III and Annex IV classification criteria and examples
• How criticality determines the conformity assessment route
• Group exercise: classifying products and justifying the decision
Risk Assessment
• The mandatory cybersecurity risk assessment: what CRA requires
• Security Context: documenting operating environment and assumptions
• Severity (Se), Likelihood (Li), and Security Risk Score (Sr = Se × Li)
• STRIDE-based threat modelling: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
• Building the Asset / Threat / Vulnerability table
• Generating the Security Requirements list
• Group exercise: risk scoring for participant products
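The Sr = Se × Li scoring model and the STRIDE-based Asset / Threat / Vulnerability table outlined above, carried through as a small worked example (added here; it is not one of the workshop templates nor a method prescribed by the regulation). It assumes integer 1–5 scales for Se and Li and a threshold of Sr ≥ 8 above which a threat must yield a Security Requirement; the outline specifies neither, and the sample table is constructed.

```python
# Added example: a minimal Asset / Threat / Vulnerability table using STRIDE
# categories, scored with Sr = Se x Li, feeding a ranked Security Requirements list.
# Assumptions (not from the workshop outline): Se and Li are integers on a 1..5
# scale; a threat with Sr >= 8 must produce a Security Requirement.
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DOS = "Denial of Service"
    EOP = "Elevation of Privilege"


@dataclass(frozen=True)
class ThreatEntry:
    asset: str
    category: Stride
    vulnerability: str
    severity: int      # Se, 1..5 (assumed scale)
    likelihood: int    # Li, 1..5 (assumed scale)

    def __post_init__(self):
        for name, value in (("severity", self.severity), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def risk_score(self) -> int:
        return self.severity * self.likelihood  # Sr = Se x Li


REQUIREMENT_THRESHOLD = 8  # assumed: entries at or above this need a Security Requirement


def security_requirements(table, threshold=REQUIREMENT_THRESHOLD):
    """Return (asset, STRIDE category, Sr) for entries at/above threshold, highest Sr first."""
    ranked = sorted(table, key=lambda t: t.risk_score, reverse=True)
    return [(t.asset, t.category.value, t.risk_score) for t in ranked if t.risk_score >= threshold]


# Constructed sample table for a hypothetical connected device.
SAMPLE_TABLE = [
    ThreatEntry("Firmware update channel", Stride.TAMPERING, "Update images are not signed", 5, 3),
    ThreatEntry("Device credentials", Stride.SPOOFING, "Default password shared across units", 4, 4),
    ThreatEntry("Audit log", Stride.REPUDIATION, "Local user can delete log entries", 2, 2),
    ThreatEntry("Configuration API", Stride.DOS, "No rate limiting on management port", 3, 2),
]

if __name__ == "__main__":
    for asset, category, sr in security_requirements(SAMPLE_TABLE):
        print(f"Sr={sr:>2}  {category:<22} {asset}")
```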
Compliance & Conformity (Optional – not included in 1-day workshop)
• Secure-by-design requirements: what CRA mandates in the development process
• Conformity assessment Module A (self-assessment), Modules B/C (type examination), Module H (full QA)
• Declaration of Conformity (DoC)
• Software Bill of Materials (SBOM): purpose and content
• Security user documentation: lifecycle guidelines, secure updates, secure disposal
• Group exercise: selecting the assessment module and reviewing secure-by-design checklist
Post-Market Monitoring (Optional – not included in 1-day workshop)
• The mandatory support period and ongoing monitoring obligations
• Vulnerability handling process: identification, evaluation, backlog, release, user notification
• Incident handling and ENISA notification: 24 h early warning, 72 h notification, 1 month final report
• The Risk Register: structure, maintenance, and role in market surveillance
• Group exercise: sharing biggest risk, biggest challenge, and one action
Summary
This workshop provides a practical introduction to the EU Cyber Resilience Act, structured around the six compliance steps every manufacturer must complete before placing a product on the EU market.
Through a combination of structured presentations and hands-on group exercises – conducted in groups of three to four, with plenary debriefs at the whiteboard – participants gain a thorough understanding of what CRA requires, from the initial applicability decision through risk assessment and conformity assessment to ongoing post-market monitoring.
After completing the workshop, participants will be equipped to lead or contribute to a CRA compliance programme, supported by a set of ready-to-use templates. They will also understand the competitive opportunity: organisations that achieve early compliance gain market access advantages and a differentiated security credential in the EU market.