EU Cyber Resilience Act (CRA) Training Sessions

The Applus+ Laboratories CRA training provides a structured, practical introduction to the EU Cyber Resilience Act, beginning with its policy context, scope, and key principles such as lifecycle security and risk-based assessment. Participants learn how products with digital elements are categorized and which conformity assessment routes may apply to them and what the cybersecurity requirements are.

The training also clarifies the legal obligations of manufacturers, importers, and distributors, including documentation, reporting duties, vulnerability disclosure processes, and user-information requirements. It concludes with an overview of current standardization efforts, the role of EU cybersecurity certification schemes, and the CRA’s relationship with other EU regulations such as NIS2, the Machinery Regulation, and the Radio Equipment Directive.

What will you learn with the EU Cyber Resilience Act (CRA) Training Sessions?

The basic parts are the following:

• Part I - Introduction to the CRA: The training opens with an overview of the EU’s drive toward a secure digital ecosystem, explaining how the CRA fits within the EU Digital Strategy, NIS2, and product-safety frameworks. It clarifies which products fall under the CRA and how they are categorized. It also introduces the available conformity assessment routes and the key principles of lifecycle security and risk-based evaluation, providing the foundation for the rest of the training.
• Part II - Essential Requirements: This section covers the core cybersecurity requirements that products with digital elements must meet across their lifecycle, including secure-by-design principles, secure default settings, vulnerability management, and update processes. It also provides an update on harmonized standards and Annex I requirements, explaining the public status of ongoing standardization work and how these developments will help manufacturers demonstrate compliance.
• Part III - Obligations for Stakeholders: This part of the training explains the legal obligations of manufacturers, importers, and distributors under the CRA. It covers requirements for technical documentation, structured vulnerability disclosure processes, and responsibilities throughout the product’s supported lifetime. It also covers incident and vulnerability reporting duties and the need to provide clear cybersecurity information to users, while outlining the due-diligence steps distributors and importers must take before products enter the EU market.
• Part IV - Standardization & Conformity: This section provides an overview of the evolving standardization landscape, including future harmonized standards, possible common specifications, and how these align with EU cybersecurity certification schemes under the Cybersecurity Act. It also places the CRA within the wider regulatory ecosystem, such as the Machinery Regulation, NIS2, and the Radio Equipment Directive, highlighting key overlaps and interactions relevant for companies.

For more information on training sessions and CRA evaluation services, see CRA Compliance Services. Applus+ Laboratories remains available to support your CRA readiness journey.