Turning CRA requirements into practical action – insights from the CRA & Cybersecurity Day

Last week, we had the opportunity to participate in the CRA & Cybersecurity Day hosted by B&R Industrial Automation in Malmö, Sweden. In the event, we shared insights and practical solutions related to the EU Cyber Resilience Act (CRA) and industrial cybersecurity challenges. The event brought together over 100 professionals and industrial machine builders from across Northern Europe to explore what the CRA means in practice and how organizations should prepare for it.

One of the clearest messages from the discussions was urgency. Although the CRA formally applies in full from 11 December 2027, preparation needs to start well in advance. The regulation will become part of the CE marking requirements for products with digital elements, making cybersecurity compliance a mandatory element of CE conformity in the EU.

Turning CRA requirements into practical action. We participate in the CRA & Cybersecurity Day hosted by B&R Industrial Automation.
Photo: Peter Klarskov Falkenvinge

In practice, the timeline is much tighter than it may first appear. Key obligations, including strict vulnerability management and incident reporting requirements, begin already on 11 September 2026. From that point onward, organizations are expected to have operational cybersecurity processes in place. This means that 2026 is not just a preparation phase, but the point by which cybersecurity operations must already be operational in practice. By 2027, full CRA compliance becomes a prerequisite for CE-marked products with digital elements placed on the EU market.

Another key realization was the full scale of the challenge. Individual machines may contain dozens of vulnerabilities that need to be continuously assessed, documented, and managed. Scaled across global fleets of hundreds or even thousands of machines, manual handling quickly becomes unrealistic. This is where AI-supported tools and automation will play a critical role in enabling compliance at scale.

Speed was another central theme. CRA reporting obligations can require action within 24 to 72 hours. When managing global installed bases while simultaneously responding to customers and authorities, efficient and automated processes become essential.

A common reflection throughout the event was: “This is when it really clicked how big and complex this actually is.”

The event offered a strong mix of perspectives from technology and compliance requirements to real-world implementation challenges, responsibilities, and risk management. Live demonstrations, open discussions, and expert panels made the conversations especially concrete and valuable.

A big thank you to B&R Industrial Automation, the speakers, and all participants for an excellent and highly relevant event.

Now it’s time to turn insights into action!
If you and your company need support with CRA compliance, contact us to learn more and continue the discussion.

Contact us!

Read also

12.5.2026

Lauri Naulapää starts as CTO of Fatman Oy

Read more

28.4.2026

Architect blog: AI-powered development ecosystem

Read more
Contact information fter.io

Interested?

Please leave a message and we will get back to you as soon as possible

Contact us

Contact request

This field is for validation purposes and should be left unchanged.