Why CRA Compliance Is So Challenging for Manufacturers
The EU CRA introduces sweeping new responsibilities for connected product manufacturers—but most aren’t ready. In this clip, Dario Lobozzo, GM of EMEA at Finite State, breaks down the three biggest challenges manufacturers face.
Transcript
The EU CRA reporting and compliance is particularly challenging for these manufacturers for kind of two reasons. The first is experience.
Coming out of OT, cybersecurity, an electric utility, an oil and gas utility, they are used to having regulators at their door all the time. Auditors, they have a compliance department. And that compliance department lives in the psyche of a SOC analyst or just an engineer who's installing a new firmware upgrade on a device that no one's ever seen except for two people who live in that plant.
All of a sudden, there are brand new verticals that the CRA are introducing to the concept of being audited, the concept of being regulated, and they don't have compliance teams and they don't have a security culture inside of their organization. So that's point one is the experience factor. So without experience in doing just this type of security planning, it becomes very difficult for organizations to plan ahead, even though they need to kind of handle things that are already in the wild. So that brings up point two.
Point two is the actual scope of what needs to be protected and reported on is quite large. And that large scope produces a very difficult to scale set of problems for organizations that are already running pretty lean. The economic impact of adding a security layer to a lot of these organizations is not insignificant. So you're looking at kind of multiple layers of difficulty that a manufacturer may need to overcome just to meet this particular regulatory hurdle.
I think it's a little bit overlooked how complex it can be.
But at the same time, it is going to advance the security posture of twenty seven nations plus the UK. So I think it's a worthwhile effort, but they need to no longer ship and forget. They now need to continue to maintain situational awareness and active live reporting on that continuous monitoring. So that's point three: let's say you accomplish points one and two, you get a compliance team in place, you figure out what you need to do.
You don't just have to do it once. You have to keep doing it for a long time. So you have to keep doing a hard thing for a long time, which really kinda takes a specific set of people who do. So inexperience, difficulty that is difficult to scale, and then you couple that with actually being able to continue to do it, and you find yourself in kind of a difficult situation.
So the continuation of the monitoring for many years of a product life cycle can be very difficult.