From December 2027, any company that develops, manufactures, imports or distributes products with digital elements on the EU market must comply with the Cyber Resilience Act (CRA). The regulation sets binding cybersecurity requirements across the full product lifecycle and ties compliance to CE marking. Products that fall short cannot legally be sold in the EU.
Many smaller companies have the technical knowledge CRA requires. The harder task is turning that knowledge into documented, structured processes that hold up to external scrutiny. In 2025, T2 Data, a Kista-based software security company, did exactly that.
Tested from the outside
T2 Data has been developing security tools and providing cybersecurity consultancy since 2005, holding patents in integrity and identity, including secure boot. But that knowledge had been carried largely by individuals rather than embedded in formal processes or certification frameworks. As regulatory requirements tightened that needed to change.
Through Sweden Secure Tech Hub, T2 Data worked with Secure State Cyber and Orange Cyberdefence on two structured assessments:
The first was a NIST Cybersecurity Framework gap analysis, conducted by Secure State Cyber. It mapped T2 Data’s current security posture against established standards, identifying what was already working well and where processes and documentation needed strengthening. It gave T2 Data a structured baseline for the compliance work ahead.
The second was a penetration test of T2 Data’s SaaS service, carried out by Orange Cyberdefence. It confirmed that the company’s core security architecture holds up, while surfacing specific improvement areas that T2 Data expects to address within the coming months.
The cost of waiting
Coming out of the assessments, T2 Data has a clearer picture of its security level and a concrete path forward, including the first steps toward ISO 27001 certification. Awareness of cybersecurity has grown across the organisation.
“The support gave us confidence in what we deliver, both as a company and as individuals,” says Peter Pennsäter, CEO, T2 Data.
T2 Data’s experience points to something wider. Companies that build security into their development processes early are better positioned to meet demands from customers, partners and authorities. Being able to demonstrate that products are tested and developed with security in focus is becoming a competitive advantage in its own right. The December 2027 deadline makes the cost of waiting concrete.
“For startups and innovation companies that want to sell their products after 2027, CRA should be integrated into processes from the start. Otherwise, the product will be unsellable,” says Ronny Engelin, CTO, T2 Data.
Sweden Secure Tech Hub is designed to help companies access exactly that kind of targeted expertise. By connecting SMEs with specialised providers and supporting structured security assessments, the hub helps build the resilience that compliance deadlines are forcing companies to confront.
Interested in strengthening your company’s cybersecurity? Reach out to Sakarias Strand at sakarias.strand@kistasciencecity.com
Companies looking to get up to speed on the regulation can also join CRA-dagen on 4 May in Kista — a free full-day seminar covering the legislation, harmonised standards and compliance steps. Learn more and register at sis.se
Sweden Secure Tech Hub is a national innovation hub working to strengthen SMEs’ capacity in cybersecurity. It is co-funded by the European Union and run in collaboration between Kista Science City, Blue Science Park, Linköping Science Park, Luleå Science Park, Ideon Science Park and Lindholmen Science Park.
Related news
-
Cybersecurity -
Cybersecurity, Defence technology
