2026-04-10, Track 2
The European Cyber Resilience Act (CRA) represents one of the most significant regulatory shifts in product cybersecurity to date—particularly for operators and manufacturers of operational technology. This talk provides a practical, experience‑driven exploration of what the CRA means for OT environments and the emerging landscape of product security regulation.
Attendees will gain a clear understanding of the CRA’s objectives, lifecycle‑oriented security requirements, vulnerability reporting obligations and conformity assessment pathways. The session will map CRA requirements to existing frameworks, highlighting both areas of alignment and critical gaps that OT manufacturers and integrators must address.
The talk will also examine the CRA’s timeline, expected industry impact, and how organisations can turn regulatory pressure into opportunities by strengthening SDLC processes, maturing vulnerability handling (including SBOM and coordinated disclosure), and building scalable security testing capabilities.
Finally, the session offers insights into preparing for the next 24 months of uncertainty and rapid change, including the role of harmonised standards, CE marking challenges, and strategic considerations for both internal teams and clients navigating compliance.
This presentation provides OT security professionals with a roadmap for readiness—grounded in regulatory expertise, industrial experience, and a focus on enabling secure‑by‑design products in a fast‑evolving European regulatory landscape.
Zachary Sleath is an OT Cyber Security Consultant with over five years of experience supporting industrial and critical national infrastructure organisations. He graduated from the University of Portsmouth with a BSc in Cyber Security and Forensic Computing, and he currently works at Bureau Veritas Cybersecurity. Zachary’s expertise spans governance, risk and compliance (GRC), network architecture, vulnerability management, and third‑party risk management (TPRM). His work focuses on helping organisations strengthen their cyber resilience, embed security‑by‑design practices, and navigate complex regulatory landscapes across the OT and product‑security domains.