TL;DR: The EU Cyber Resilience Act pushes cybersecurity obligations into the infrastructure layer, where identity, access, encryption, and audit determine whether products with digital elements can actually resist compromise, according to Teleport’s analysis of CRA and ENISA guidance. Static credentials, fragmented toolchains, and weak auditability now look like compliance liabilities, not just security debt.
NHIMG editorial — based on content published by Teleport: How to Meet EU Cyber Resilience Act (CRA) Requirements
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams make CRA compliance part of identity architecture?
A: They should treat identity, authorization, device trust, encryption, and audit as one architecture question rather than separate controls.
Q: Why do static credentials create problems for CRA-aligned infrastructure?
A: Static credentials keep access alive after the task, which directly conflicts with the CRA’s push for unique, cryptographic identity and reduced reuse after compromise.
Q: What do teams get wrong about audit evidence for CRA readiness?
A: They often collect logs without correlating them to identity and access decisions.
Practitioner guidance
- Map CRA obligations to identity control points Trace every Annex I obligation back to the infrastructure layer that enforces identity, authorization, encryption, device trust, and audit.
- Eliminate durable secrets from product and pipeline paths Prioritise SSH keys, service account passwords, API tokens, and CI/CD credentials that can survive beyond a single task.
- Unify identity-linked audit evidence Correlate authentication, authorization, session, and resource events into one record that survives across SSH, database, cloud, and admin workflows.
What's in the full article
Teleport's full article covers the operational detail this post intentionally leaves for the source:
- A line-by-line explanation of which CRA Annex I requirements map to identity, access, encryption, and audit controls.
- The before-and-after infrastructure examples showing how short-lived certificates replace static credentials in practice.
- The ENISA Secure by Design and Default Playbook references that expand the CRA discussion into implementation detail.
- The product and platform architecture guidance for teams deciding how to unify authentication, authorization, and audit.
👉 Read Teleport's analysis of CRA compliance through infrastructure identity →
CRA-ready infrastructure identity: what IAM teams need to change?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
CRA readiness is really infrastructure identity readiness. The article is right to place identity, access, encryption, and audit at the centre of CRA compliance. Those are the controls that decide whether a product can enforce least privilege, prove activity, and contain blast radius when something goes wrong. For practitioners, the implication is that CRA work belongs in the identity architecture programme, not as a late-stage compliance overlay.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should own CRA identity controls across product and platform teams?
A: Ownership should sit with the team that governs access architecture, usually IAM, platform security, or identity engineering, with product security as a partner. The reason is simple: CRA outcomes depend on how access is issued, constrained, observed, and revoked. If no single team owns that lifecycle, the control design will stay fragmented.
👉 Read our full editorial: EU Cyber Resilience Act compliance hinges on infrastructure identity