CRA Explained: What the Cyber Resilience Act Means for Device Manufacturers

In this episode of "Nerding Out with Viktor," host Viktor Petersson sits down with Sarah Fluchs, CTO and OT cybersecurity expert, to unpack the EU's Cyber Resilience Act and what it means for anyone building connected devices. Sarah shares her journey from engineering into the world of OT security, and explains her involvement in the CRA expert group that's shaping how the regulation gets implemented. Together, they explore what CRA compliance looks like in practice—from the requirement to provide five years of vulnerability support, to the constraints around over-the-air updates, and the rising importance of Software Bills of Materials (SBOMs) in embedded systems. The conversation dives into the practical challenges facing device manufacturers, including how to structure security workflows, manage firmware lifecycles, and prepare for regulatory scrutiny. Sarah offers clear, grounded insights into the timeline, scope, and enforcement mechanisms of the CRA, helping listeners understand what's required and what's still being defined. Viktor and Sarah also discuss the broader implications of the CRA for the embedded and IoT ecosystem, exploring how the regulation intersects with existing standards and what it means for both large enterprises and smaller hardware teams. They examine common misconceptions about compliance and share strategies for teams looking to get ahead of the requirements. Whether you're managing firmware, building security workflows, or navigating hardware compliance, this episode offers a practical guide to understanding the CRA and preparing your organization for what's ahead.