The CRA Is Coming: Four Lessons for Hardware and Software Makers

On 17 June 2026, Howest Cyber3Lab welcomed over 50 participants at the Howest Campus in Bruges for the afternoon seminar "CRA in de Praktijk". The seminar was held in Dutch, but this report is in English so more people can use it. The goal of the day was simple: we wanted to move from the legal text of the Cyber Resilience Act (CRA) to the daily reality of building, selling and supporting products with digital elements (PDEs).

Four experts each took one part of the story. Together they covered the law, the shop floor, the engineering team and the long years of product support that come after launch. If you could not attend, here is what you missed and the heart of each talk.

Quick facts

  • The CRA entered into force on 10 December 2024
  • The reporting duty for serious incidents starts on 11 September 2026
  • Full application follows on 11 December 2027
  • The product support period must last at least 5 years
  • Four experts shared the legal, OT, engineering and lifecycle view

Four Experts, Four Views on the Same Law

1. Demystifying the CRA, by Wout Platteau (Timelex)

Wout Platteau opened the afternoon by laying out the legal frame and the timeline. He made the dates clear, because many people still mix them up. These are the dates you should know: the CRA entered into force in December 2024, the reporting duties start on 11 September 2026, and full application follows on 11 December 2027. Bottom line: don't wait, start now!

The core message: the CRA applies to "Products with Digital Elements" (PDEs). That covers both hardware and software, and also remote data processing solutions. Wout walked through the strict duties before and after an incident. One example stood out: a company must send an early warning about an actively exploited vulnerability within 24 hours. He also showed the cost of getting this wrong. Fines can reach 15 million euro, or 2.5% of worldwide annual turnover. This led to a big discussion: "What does becoming aware mean?" and "When do you need to send out an early warning?" Your team will still be figuring out the size and impact of the incident at that point, so the question is not easy to answer. We hope that the answer becomes a bit clearer as we approach the reporting deadline (11 September 2026), but in the meantime, you could read this blog article. It is clear that your incident reporting team must be able to separate noise from fact in hours, not weeks, and report vulnerabilities in days, not weeks.

2. Pitfalls in Practice, an OT View, by Wout De Ceuninck (Spinae)

Wout De Ceuninck brought the talk into the world of Operational Technology (OT). He shared seven common pitfalls that companies hit when they start with the CRA.

The core message: compliance is not a job for IT or Legal alone. It needs real teamwork across R&D, Operations, Quality and Management. He warned about two big traps. The first is not knowing how your own product portfolio is classified. The second is the hard task of patching devices that are already out in the field. His clear advice was similar to that of the other Wout: "Don't wait. Start now!" He also reminded the room that the CRA is product specific. What works for one maker will not always work for another.

3. Pragmatic CRA Compliance, by Maxim Baele (Toreon)

Maxim Baele moved the focus to the engineering floor. He showed how to use the OWASP Software Assurance Maturity Model (SAMM) as a compass for CRA work.

The core message: the CRA is result oriented. It asks for secure outcomes, but it does not hand you a step by step technical manual. So risk assessment and threat modelling become the base of everything. Maxim advised teams to set realistic, middle level target scores for their security maturity, instead of aiming for a perfect score in every area at once. He closed with a useful shift in mindset. The goal is not to "become CRA compliant", the goal is to build secure products. Compliance then follows.

4. Activities During the Support Period, by Stijn Muylle (Cingulum)

Stijn Muylle gave a sober look at what happens after a product reaches the market. He focused on the support period that the CRA requires, which lasts at least 5 years.

His core message: under the CRA, engineering effort stays high after launch. The model starts to look much more like a continuous service than a one time build. Companies enter a steady cycle of Find, Fix, Document and Report, with hard deadlines such as a 14 day final report window for exploited vulnerabilities. Stijn also gave a clear budget warning. He estimated that this recurring support work could cost a company around 143,000 dollars, or roughly 119 person days, every single year. You can find his cost estimator and calculator at PracticalCRA.com.

What This Means for Your Company

The afternoon made one thing very clear. The CRA is a large shift for any company that makes hardware or software. It is not a paperwork exercise that you can park with one department. Four points came back again and again:

  • Start now. The first deadline in September 2026 is close, and field devices take time to fix.
  • Align across teams. Legal, R&D, Operations, Quality and Management all carry part of the work.
  • Use a maturity based approach. Set realistic targets and grow step by step with a model like OWASP SAMM.
  • Plan a recurring budget. Support does not end at launch. It runs for at least five years.

We want to thank our four speakers and everyone who joined us in Bruges. The seminar was part of the VertiPorts project, supported by VLAIO, POM West-Vlaanderen and co-funded by the European Union.

Do you have questions about the CRA, or about what it means for your products? Reach out to us at Cyber3Lab@howest.be. We are happy to help and pass on your questions to our friends if we can't answer them.

The better links to CRA information:

Authors

  • Patrick Van Renterghem, AI, CyberSecurity, Web3, Immersive Tech, Quantum, ... Community Builder & LLL Coordinator

Last updated on: 7/1/2026
