Cyber Resilience Act: What Swiss companies need to know
Do Swiss companies need to care about the new Cyber Resilience Act (CRA)? The short answer: yes! Any company selling digital products in the EU or operating as part of a supply chain must comply with the new security requirements—or risk heavy fines and loss of market access. Among other things, the CRA mandates a structured approach to disclosing software vulnerabilities, which can be effectively implemented through a Vulnerability Disclosure Policy (VDP). Forward-thinking companies are taking it one step further: Bug bounty programs help identify vulnerabilities before they can be exploited.
Cybersecurity as a regulatory requirement
Products with digital elements are everywhere—elevators, smart cameras, websites, and apps. But they also introduce new entry points for cyberattacks. The Cyber Resilience Act (CRA) aims to address this by requiring manufacturers and providers to detect and fix vulnerabilities early in the product lifecycle and comply with mandatory reporting obligations.
For Swiss companies outside the European Union, the key question is: Does this apply to us? The answer is a clear yes—any company selling products with digital elements or software in the EU must comply with the CRA. Moreover, like the GDPR, the CRA is likely to set an international standard.
Why is the CRA necessary?
Poorly secured products are among the biggest enablers of cyberattacks. The consequences? Security vulnerabilities that cost businesses millions—from ransomware to supply chain attacks. The CRA tackles this by introducing:
- Cybersecurity-by-Design: Security vulnerabilities should be prevented as early as the development phase.
- Minimum security requirements: Standardized security measures for IoT devices, software, and connected systems.
- Clear accountability: Manufacturers remain responsible for security throughout the entire product lifecycle.
- Faster response times: Companies must provide security updates and report vulnerabilities to a central EU authority.

What does the CRA require in practice?
The CRA introduces four core requirements for companies:
- Cybersecurity-by-Design: Companies must minimize security risks early in the development process. This includes risk assessments, secure software architectures, and protection mechanisms against cyberattacks.
- Obligation to fix vulnerabilities: Security vulnerabilities must be addressed immediately. Manufacturers must provide regular security updates throughout the product’s lifecycle—at least five years after the product is discontinued.
- Coordinated Vulnerability Disclosure (CVD): Companies must establish a CVD policy, a key requirement of the CRA. In practice this means a structured Vulnerability Disclosure Policy (VDP) so that reported vulnerabilities are handled efficiently and transparently.
- Mandatory reporting of exploited vulnerabilities: If a security vulnerability is actively exploited by attackers, it must be reported to the EU Agency for Cybersecurity (ENISA) within 24 hours.
Any company selling digital products in the EU or operating as part of a supply chain must comply with the CRA, or risk heavy fines and loss of market access.
Why Does the CRA Also Affect Swiss Companies?
Although Switzerland is not part of the EU, the CRA also impacts Swiss businesses that interact with the EU market in any capacity. But what does this mean in practice? Here are the three main scenarios:
- Direct sales to the EU: Manufacturers of products with digital elements must be CRA-compliant to continue selling in the EU.
- Part of the supply chain: Suppliers and software providers may be required to demonstrate compliance with security requirements.
- Indirect market influence: EU customers may expect CRA-compliant security measures even from non-EU partners.

What should Swiss companies do now?
The CRA sets new cybersecurity standards—and Swiss businesses are not exempt. Implementing the CRA requires adjustments but also presents an opportunity for a more sustainable security strategy. Companies that take action now not only avoid regulatory risks but also strengthen their own resilience. So what needs to be done?
Conduct a risk assessment
Companies should analyze which of their products or processes are affected by the CRA. A detailed inventory helps identify security risks early. Two key aspects are:
- Assess product security: Review existing and planned digital products for CRA relevance.
- Establish regular security assessments: Where are vulnerabilities? How are reported security issues handled?
Implement VDP and bug bounty programs
A clear vulnerability management strategy is critical to effectively addressing security issues. Companies should proactively engage security researchers and create a structured reporting channel for vulnerabilities. Two key actions:
- Set up a Vulnerability Disclosure Policy (VDP): A VDP ensures reported vulnerabilities are handled systematically—a key CRA requirement. Companies that implement this effectively reduce security risks and legal uncertainties.
- Use bug bounty programs: Bug bounty programs complement a VDP perfectly—they activate a global community of ethical hackers to search for vulnerabilities before cybercriminals do. This allows businesses to detect security gaps before attackers can exploit them, helping them exceed the CRA’s minimum requirements.
Develop a Long-Term Compliance Strategy
The CRA is not just about one-time measures—it requires a sustainable security strategy. Companies should ensure their IT and compliance structures align with the requirements. Key steps:
- Define clear responsibilities: Who is in charge of CRA implementation within the company? Clearly assigned responsibilities are essential.
- Update security processes and policies: Existing security policies should be reviewed and aligned with new legal requirements. Are there already policies in place that meet CRA requirements? Where is further action needed?
Additionally, Switzerland’s mandatory reporting requirements for critical infrastructure come into effect on April 1, 2025. VDPs and bug bounty programs can help with early threat detection and prevention, identifying security gaps before they are exploited. They also support compliance, as structured vulnerability reporting makes it easier to meet regulatory reporting obligations.
Turning Compliance into an Opportunity: The CRA as a Competitive Advantage
The Cyber Resilience Act is more than just a regulatory hurdle—it’s an opportunity to rethink cybersecurity strategically. Companies that act now are not just compliant—they build trust, increase resilience, and gain a competitive advantage. Implementing the CRA requires strategic foresight, but companies that embed cybersecurity into their processes will benefit in the long run through greater resilience and customer trust.
Are your digital services CRA-ready?
The Cyber Resilience Act (CRA) demands stronger cybersecurity—but where do your systems stand? Get your digital services tested by experts to identify vulnerabilities early and improve your security strategy.
Contact us for more information about a VDP or bug bounty program