Companies are treating CRA as a burden. That’s your opportunity.

On May 25th, 2018, the EU General Data Protection Regulation (GDPR) became enforceable. It is by far the world's strongest, most unified data protection law. It replaced the outdated 1995 Data Protection Directive with stricter rules, higher fines, and broader extraterritorial reach for any organisation handling EU residents' personal data.

At the time, most businesses treated GDPR as a compliance checklist. In hindsight, it was a structural shift that raised the bar across the entire industry.

We're standing at the edge of a similar moment: the EU Cyber Resilience Act (CRA).

What the CRA Actually Means

Think of it as GDPR for connected things.

If your company manufactures, imports, or distributes products with digital elements, or anything that connects to a network, cybersecurity is no longer something you bolt on at the end. It becomes a legal prerequisite for EU market entry.

The practical implications are significant:

  • Manufacturers will be legally required to provide security updates for a minimum of five years, or the expected lifetime of the product.

  • The regulation is designed to shift cultural expectations around breaches: from "accidents happen" to "this was preventable."

  • Customers, partners, and regulators will increasingly read a breach as evidence of poor stewardship, not bad luck.

Where Breaches Actually Start

Here's what both the CRA's architects and our team at Spear recognise: sophisticated hardware exploits are rarely the entry point of a modern breach.

The more common pattern is far simpler. Compromised credentials. A phishing email that gets through to an admin account. A shared password reused one too many times. And increasingly, man-in-the-middle attacks, where an attacker intercepts traffic between a user and a legitimate service, silently harvesting credentials or session tokens in real time.

We previously wrote about how these attacks work in practice in our blog post on Man-in-the-Middle attacks.

All of these vectors share the same root cause: shared secrets that can be stolen, replicated, or intercepted.

Phishing-resistant authentication removes that root cause entirely. No passwords, no shared credentials, no session tokens worth stealing. Attackers lose their most reliable foothold, and the MITM interception model stops working because there's nothing useful to capture. It's an approach that maps directly onto what the CRA expects: protection that holds up in the field, not just in a lab environment.

A Competitive Opportunity, Not Just a Compliance Exercise

This is the part that tends to get lost in regulatory conversations: the CRA creates genuine competitive differentiation for companies that treat it seriously.

Stronger requirements mean your partners and customers are less exposed to preventable incidents. They mean supply chain expectations rise in step with your own. And they mean that demonstrating built-in, well-considered access controls becomes a credibility signal, not a box ticked on a form.

European companies that move early, build security in from the start, and can clearly articulate their approach will have an advantage that's hard to replicate once it's established.

GDPR taught us that the companies that treated compliance as a floor, not a ceiling, were the ones that came out ahead. The CRA is offering the same opening.
