The Cyber Resilience Act (CRA) introduces a new layer of requirements for products with digital elements, with the goal of improving cybersecurity across the EU market.
For many companies, the structure of CRA will feel familiar. It places responsibility on manufacturers to manage risks, maintain documentation, and ensure ongoing control throughout the product lifecycle.
In that sense, it reflects a broader regulatory shift. Where MDR focuses on patient safety, CRA focuses on cybersecurity. The underlying logic is similar: risks must be identified, controlled, and monitored continuously.
A familiar structure in a new context
At its core, CRA introduces requirements that are structurally similar to other regulated frameworks.
Risk management is central. Manufacturers are expected to identify cybersecurity risks, assess vulnerabilities, and ensure that appropriate controls are in place throughout the lifecycle. This includes development, updates, monitoring, and incident handling.
Technical documentation is also a key requirement. Manufacturers must maintain structured documentation covering design decisions, risk assessments, security measures, and lifecycle management.
While a formal Quality Management System is not explicitly required, the expectations are difficult to meet without one. In practice, a QMS provides the structure needed to manage processes, maintain documentation, and demonstrate compliance.
At the organisational level, these requirements are very similar to those already imposed by MDR.
Does CRA apply to medical devices?
A key question for many companies is whether CRA applies directly to medical devices.
Products that are already regulated under MDR (Regulation (EU) 2017/745) or IVDR (Regulation (EU) 2017/746) are excluded from the scope of CRA, because those regulations already carry their own cybersecurity requirements.
However, this does not mean that CRA is irrelevant for MedTech companies.
Many organisations develop software, connected systems, or supporting digital components that may fall under CRA. In addition, the expectations introduced by CRA are closely aligned with those already familiar from medical device regulation.
In practice, companies often find that the same organisational structures, processes, and documentation approaches can be extended to address both.
Where companies typically face challenges
Despite this familiarity, CRA introduces areas that are not always fully covered by existing systems.
Cybersecurity-specific risk management is one of them. Many organisations already have risk processes in place, but identifying vulnerabilities, managing them over time, and reporting actively exploited vulnerabilities and severe incidents to the authorities within the Act's deadlines (an early warning within 24 hours, followed by a fuller notification and a final report) requires additional structure.
Lifecycle responsibility is another. CRA places clear expectations on manufacturers to maintain security beyond initial release. This includes providing security updates, defining and publishing a support period (at least five years, unless the product's expected lifetime is shorter), and monitoring vulnerabilities continuously throughout that period.
Documentation requirements also go further than most existing systems cover. Technical files, a software bill of materials listing at least the product's top-level dependencies, and records of modifications must be maintained in a way that supports traceability and regulatory review.
Starting with a structured gap analysis
For most organisations, the most effective starting point is a structured gap analysis.
Rather than approaching CRA as a completely new framework, gap analysis allows companies to assess their current processes against the new requirements and identify where adjustments are needed.
In many cases, the foundation is already in place. This is particularly true for organisations working under ISO 13485, ISO 9001, or ISO 27001. The task then becomes one of alignment and extension.
At the same time, gap analysis helps identify where new capabilities are required, especially in areas such as vulnerability handling, secure development practices, and post-market monitoring.
Extending existing quality and documentation systems
Although CRA does not mandate a QMS, it is most effectively implemented through one.
Existing systems can often be extended to cover CRA requirements. Risk management processes can be adapted to include cybersecurity aspects. Documentation structures can be expanded to include software lifecycle and vulnerability tracking. Change control processes can be aligned with requirements for updates and modifications.
This approach reduces duplication and supports a more coherent way of working across regulatory frameworks.
From requirements to implementation
Implementing CRA in practice requires connecting multiple elements.
Secure development processes must be defined and followed. Vulnerabilities must be identified, documented, and addressed throughout the lifecycle. Products must be uniquely identifiable and must support secure, timely delivery of security updates.
At the same time, documentation must be maintained in a structured and controlled way. This includes technical documentation, records of changes, and evidence of compliance.
Equally important is the ability to respond to changes in requirements and standards, which are still evolving.
Supporting CRA readiness in practice
At MDS, CRA readiness is approached as a structured and practical process.
Work typically begins with a gap analysis to assess the current state and identify priority areas. From there, the focus moves to aligning processes, strengthening documentation, and integrating cybersecurity requirements into existing systems.
Rather than building separate structures, the aim is to connect CRA requirements with existing quality and regulatory frameworks. This supports both compliance and efficiency.
Looking ahead
The Cyber Resilience Act introduces a new level of expectation for cybersecurity across the EU market.
For companies, the challenge is not only understanding these requirements, but implementing them in a way that supports development and long-term product management.
For those already operating in regulated environments, much of the foundation is already in place. The key is to identify the gaps and extend existing systems in a structured way.
Want to learn more?
If your products fall under the Cyber Resilience Act, MDS supports your team in assessing current readiness, aligning quality and documentation processes, and implementing practical solutions for compliance. You can contact us at Kristian@mdsdenmark.dk or via the Book a Meeting link.
