Smaller firms struggle to meet tough European cybersecurity laws



Columbia Group has warned that a growing gap between cyber regulation and operational readiness is holding back industry progress, after discussions at CRA Europe 2026 in Bucharest brought renewed focus to the practical demands of the EU’s Cyber Resilience Act.

Held at the Romanian Parliament at the beginning of March, the conference was organised by I-ENERGYLINK and the CYBERFORT consortium, with the support of the Romanian National Cyber Security Directorate (DNSC).

It brought together more than 150 policymakers, regulators, supervisory authorities, industry leaders, cybersecurity experts, technology providers and academics to look at how the Cyber Resilience Act can move from legal text to practical implementation.

And that was, in many ways, the central issue running through the event.

While there was broad alignment on what the CRA is designed to achieve, discussions made clear that the harder task lies in turning those requirements into clear guidance, workable compliance models and systems that can be applied in practice, particularly by SMEs, manufacturers, integrators and operators in critical sectors.

In that context, vulnerability management and security updates emerged as a constant theme throughout the conference. Far from being technical matters left in the background, they are increasingly becoming central to whether organisations can meet compliance expectations at all.

As a result, companies are being pushed to rethink how security is built into the full lifecycle of digital products, from design and development to end-of-support.

The conference itself was structured around three strategic strands. The first focused on setting the CRA compliance framework, bringing together institutional and industry voices to clarify roles, responsibilities and support mechanisms.

The second turned to operational delivery, examining such issues as vulnerability handling procedures, incident reporting obligations, CE marking documentation requirements and pilot use cases in sectors including energy, finance, maritime and cybersecurity SMEs.

The final session looked beyond compliance itself, exploring how secure-by-design principles, public-private partnerships and long-term support structures can help turn regulatory obligations into market advantage.

Columbia Group took part through its involvement in the EU-funded CYBERGUARD and CYBERFORT projects, contributing practical insight from the maritime sector.

Marios Ioannou, Business Information Security Officer at Columbia Group, stated there is “a lot of alignment on what the CRA is trying to achieve”, but added that “the real challenge is operationalising it at the product and process level”.

“The regulation sets clear expectations around vulnerability disclosure, software bill of materials and end-of-life security obligations and that’s forcing organisations based on their market role to rethink how security is embedded across the full development lifecycle,” he stated.

Ioannou added that “For many, particularly smaller businesses, the gap isn’t knowledge of the regulation; it’s having the governance structures and engineering capacity to deliver on it consistently.”

That challenge, he added, comes down in large part to vulnerability management and lifecycle security, adding that “If the processes aren’t straightforward and workable, it becomes challenging, especially for smaller businesses trying to keep up.”

At the same time, the conference also pointed to a broader concern. Multiple initiatives and guidance frameworks are evolving in parallel, raising the risk of fragmentation and duplication.

As a result, there was a clear sense in Bucharest that stronger cooperation between EU-funded projects, national authorities and industry will be needed if organisations are to be given clearer and more consistent routes to compliance.

That is also where the wider importance of CRA Europe 2026 lay. Beyond the regulatory discussion, the event set out to show how Cyber Resilience Act requirements can be translated into practical methodologies, structured compliance models and actionable tools.

It also reflected a wider European push to build a coordinated and sustainable support ecosystem, while strengthening Romania’s role as an active contributor to that effort and as a regional anchor for SME-focused cyber resilience initiatives.

The CYBERGUARD and CYBERFORT projects, funded under the European Union’s Cybersecurity and Trust Programme and Digital Europe Programme, are intended to support that direction by developing practical tools and pilot use cases across sectors including maritime, energy and finance.

Mark O’Neil, CEO of Columbia Group, stated what is now becoming clear is that this is “no longer just about regulation on paper”, but “about how it works in practice across different industries”.

He added that industry has “a vital role to play in closing that gap”.

“By bringing operational insight and real-world experience into the conversation, we can help ensure cyber resilience is something organisations can actually deliver, not just something they’re expected to achieve,” O’Neil concluded.


