After explaining how MBSE can support cybersecurity efforts in the context of the NIS2 directive, in this new article, I explore the benefits of MBSE for another key cybersecurity regulation: the Cyber Resilience Act.
The Cyber Resilience Act, a product-centric shift in cybersecurity regulation
Following the growing number of cyber threats targeting connected products, the European Union adopted the Cyber Resilience Act (CRA) in 2024. This regulation introduces mandatory cybersecurity requirements for all products with digital elements, covering both hardware and software placed on the EU market. Products that do not meet CRA requirements may be denied access to the EU market or withdrawn from it. In addition, manufacturers may face significant financial penalties and reputational risks.
Unlike NIS2, which focuses on organizations and their ability to manage cyber risks, the CRA targets the products themselves. Its objective is clear: ensure that digital products are secure by design and remain secure throughout their lifecycle.
The scope is intentionally broad. It includes IoT devices, industrial equipment, embedded systems, applications, and any product with connectivity or programmable components.
This marks a major evolution. Cybersecurity is no longer only an operational concern. It becomes a condition for accessing the EU market, enforced through mechanisms such as CE marking and conformity assessments.
Scheduled to be progressively applied firstly on June 11, 2026 (assessment procedure with notified bodies), then on September 11, 2026 (notification obligations of Manufacturers) and finally on December 11, 2027 (full entry into force), it gives manufacturers a limited window to adapt how they design, develop, and maintain their products.
CRA introduces strong requirements across the product lifecycle
The CRA goes beyond high-level principles and introduces concrete obligations that directly impact engineering practices:
- Products must be designed with security in mind from the outset. This includes minimizing attack surfaces, avoiding known exploitable vulnerabilities, and ensuring secure default configurations.
- Security must then be maintained throughout the product lifecycle. Manufacturers are required to provide updates and patches, handle vulnerabilities, and ensure long-term support for their products.
- Transparency is another key requirement. Organizations must document their products, including dependencies and components, and provide upon request a Software Bill of Materials (SBOM).
- The CRA also introduces strict obligations for vulnerability and incident reporting. Actively exploited vulnerabilities and severe incidents must be reported within tight timelines, typically within 24 hours.
- Finally, responsibility is clearly assigned across the value chain. Manufacturers, importers, and distributors all have defined roles in ensuring compliance.
Compared to NIS2, the CRA is therefore much closer to engineering practices. It directly impacts how systems are specified, designed, built, and maintained.
From system cybersecurity to product cybersecurity
As highlighted in a previous article on MBSE and cybersecurity by Stéphane Lacrampe, addressing cyber risks requires a system-level understanding. The other article that I recently wrote about NIS2 and MBSE further emphasized the need for continuous risk management across organizations.
The CRA introduces a complementary perspective. It brings cybersecurity inside the product itself, with requirements that apply from design to end-of-life.
This creates new challenges:
- Products are increasingly complex and often part of larger cyber-physical systems. They integrate software, hardware, third-party components, and external services. Ensuring compliance means understanding not only the product itself, but also its dependencies and interactions.
- In addition, the lifecycle dimension becomes critical. Vulnerabilities must be tracked, impacts assessed, and updates managed over time.
- Finally, organizations must demonstrate compliance. This requires structured documentation, traceability, and the ability to justify design decisions.
Similar to NIS2, these challenges call for approaches that go beyond traditional document-based engineering.
How MBSE supports CRA compliance
Model-Based Systems Engineering (MBSE) is particularly well suited to address the product-centric and lifecycle-oriented requirements of the CRA.
By structuring system knowledge into models, MBSE provides a clear and consistent representation of the product. Architecture, components, interfaces, and dependencies are explicitly captured, including third-party elements and software components. This is essential to understand attack surfaces and manage complexity.
MBSE also supports secure-by-design approaches by integrating security requirements directly into system models and linking them to architectural elements. This ensures that cybersecurity is addressed early and consistently throughout the design process. At the same time, it provides end-to-end traceability between requirements, design choices, risks, and verification activities. This level of traceability is essential for demonstrating compliance with CRA requirements and supporting conformity assessments.
The lifecycle dimension is equally important. With MBSE, vulnerability assessment and analysis become more efficient. When a vulnerability is identified, the model enables teams to perform impact analysis, allowing them to quickly determine which components are affected and how risks propagate across the product.
MBSE also facilitates the management of product documentation. Information required for compliance, such as system structure or component relationships, can be derived directly from the model, reducing inconsistencies and manual effort.
Finally, MBSE enables better collaboration between engineering, cybersecurity, and compliance teams. This is critical in the context of the CRA, where legal, technical, and operational perspectives must be aligned.
From this perspective, solutions like Capella, an open-source MBSE solution, offer a concrete way to apply these principles by structuring product architectures, requirements, and lifecycle activities to meet CRA expectations.
Conclusion
The Cyber Resilience Act represents a major evolution in how cybersecurity is regulated in Europe.
By focusing on products with digital elements, it brings cybersecurity requirements directly into engineering practices and throughout the product lifecycle. This complements directives such as NIS2, which focus on organizational resilience.
In this context, MBSE emerges as a key approach to bridge the gap between engineering and compliance. It provides the structure, traceability, and system-level understanding required to design secure products and demonstrate compliance.
Combined with the perspectives shared in my previous article on cybersecurity and NIS2, MBSE offers a consistent foundation to address the growing complexity of cyber-physical systems and the regulatory landscape that governs them.
If you would like to learn more about the CRA directive and its impact on system design, feel free to contact us.