There’s a lot of noise around compliance. New regulations seem to pop up every year, each promising to fix the ever-growing list of security problems that come with the digital age. However, the EU’s Cyber Resilience Act (CRA) takes a different approach. Instead of focusing just on data protection, like GDPR, the CRA expands the conversation to every connected device and service out there.
CRA vs. GDPR: A Broader Mandate
The General Data Protection Regulation (GDPR) was a game-changer in its own right. When it came into effect in 2016, it forced organizations to take data privacy seriously, establishing clear guidelines on how personal data should be collected, processed, and stored. But as far-reaching as GDPR was, it had a specific focus: protecting personal data.
The Cyber Resilience Act is a different beast. Where GDPR homed in on data privacy, the CRA zooms out to address a much larger threat landscape that includes every connected device, service, and software component. It’s not just about data; it’s about the integrity of the systems that process that data. GDPR was about protecting people’s privacy, and the CRA is about protecting everything from IoT devices to critical infrastructure from cyberattacks.
This distinction is crucial. GDPR meant setting up frameworks for handling and processing data, but the CRA goes deeper. It requires organizations to treat security as part of the core product, not just a compliance checkbox for customer data. For developers, engineers, and business leaders, it means a mindset shift from “How do we protect personal data?” to “How do we ensure the entire product ecosystem is secure?”
Why the CRA Matters Now
The CRA directly impacts day-to-day operations for DevOps teams. While GDPR primarily concerns legal and compliance teams, the CRA pressures developers and engineers to secure their systems from the start. This legislation is relevant because it places responsibility squarely on those building and deploying software.
As businesses increasingly rely on cloud services, SaaS products, and IoT, the CRA forces teams to ensure that each component (internally developed or third-party) is secure. Let’s say you’re deploying an IoT solution for a smart home system. Under the CRA, it’s not enough to just encrypt user data. You need to ensure the device itself is resilient against attacks, including the network it communicates with, the cloud services that store its data, and the APIs that connect everything together.
Will development teams ever operate the same again? Under the CRA, there’s no room for waiting until after deployment to start thinking about security. Compliance requires security to be built into every phase of the development lifecycle, from initial design to ongoing updates.
The CRA Is a Lesson in Proactivity
A key area where the CRA and GDPR overlap is protecting sensitive information, but the CRA takes this further by focusing on how systems handle secrets. We’ve all seen stories of API keys or credentials being accidentally exposed in public repositories or configuration files. With GDPR, this could lead to fines if personal data was compromised. Under the CRA, any exposed credential becomes a compliance issue.
Another area where the CRA diverges from GDPR is in its treatment of shadow data. While GDPR focuses on ensuring proper handling of personal data, the CRA cares about all data, even the kind that gets forgotten or neglected. Shadow data includes logs, temporary files, backups, and other unmonitored data. It’s information that accumulates in the background of systems and applications—data that can easily contain sensitive information but often isn’t subject to the same scrutiny as primary datasets. The CRA holds businesses accountable for this, too.
Shifting Security Left: Where the CRA Leaps Beyond GDPR
The concept of shifting security left is now a requirement under the CRA. In practice, this means security testing needs to be baked into your CI/CD pipeline. Vulnerabilities need to be caught as early as possible, and code reviews must consider potential risks, not just functionality. Many teams have been talking about shift left for years, but the CRA makes it non-negotiable.
For businesses, this impacts everything from how teams are structured to the tools they use. Handing security concerns to a separate department is no longer sufficient, as developers and DevOps teams are now at the front line of ensuring compliance. The CRA forces businesses to invest in security tooling, automate vulnerability scanning, and rethink how they approach development.
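As an added illustration of the two points above (credentials leaking into repositories, config files and forgotten logs, and catching them inside the CI/CD pipeline rather than after deployment), here is a small pre-merge secrets gate. It is example code written for this article, not a tool from the author or Check Point; the file contents, key values and pattern names are constructed, and only the AWS access-key-id prefix format is a real, publicly documented shape.

```python
import re
import sys

# Credential shapes to block before they reach a repository, a config
# file or a log. The AWS access-key-id format is public (AKIA + 16
# upper-case alphanumerics); the other two are generic shapes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}

def mask(value):
    """Keep only the first and last four characters so a finding can be
    reported without re-exposing the secret in CI output."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(path, text):
    """Return one (path, line number, pattern name, masked value) per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                value = match.group(match.lastindex or 0)
                findings.append((path, lineno, name, mask(value)))
    return findings

def ci_gate(files):
    """files maps path -> content. Returns (passed, findings); a CI job
    would fail the build when passed is False."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return len(findings) == 0, findings

# Constructed sample tree: an env file, a debug log (shadow data) and a
# source file that reads the key from the environment (not a finding).
SAMPLE_FILES = {
    "config/app.env": 'DB_HOST=localhost\nAPI_KEY="sk_live_constructedexample0123"\n',
    "logs/app.log": "2024-05-01 INFO login ok\n2024-05-01 DEBUG aws key AKIAIOSFODNN7EXAMPLE\n",
    "src/settings.py": 'api_key = os.environ["API_KEY"]\n',
}

if __name__ == "__main__":
    passed, findings = ci_gate(SAMPLE_FILES)
    for path, lineno, name, masked in findings:
        print(f"{path}:{lineno}: {name}: {masked}")
    sys.exit(0 if passed else 1)
```

Wired into a pipeline step, the non-zero exit code blocks the merge; the log hit shows why scanning has to cover shadow data and not only source files.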
Does the CRA Signal a New Era of Cybersecurity?
Whether you’re developing IoT devices, deploying cloud services, or managing critical infrastructure, the CRA is pushing you to rethink how you build, deploy, and maintain your systems. And while the journey might be challenging, the end result will be a more secure digital world.
About the Author
Dotan Nahum is the Head of Developer-First Security at Check Point Software Technologies. Dotan was the Co-Founder and CEO at Spectralops, which was acquired by Check Point Software, and now is the Head of Developer-First Security. Dotan is an experienced hands-on technological guru & code ninja. Major open-source contributor. High expertise with React, Node.js, Go, React Native, distributed systems and infrastructure (Hadoop, Spark, Docker, AWS, etc.) Dotan can be reached online at [email protected] and https://twitter.com/jondot and at our company website https://spectralops.io/