Secure Product Development for the EU Cyber Resilience Act and IEC 62443

The challenge for product teams

Many organizations building connected or software-driven products understand that security expectations are changing.

Frameworks such as ISA/IEC 62443 and regulations like the EU Cyber Resilience Act (CRA) require security to be integrated throughout the product lifecycle, from design and development to vulnerability handling and updates.

But translating these expectations into concrete engineering practices is often difficult.

Product teams frequently face questions such as:

• How do we integrate security requirements into an existing development process?

• What does Secure-by-Design actually mean for our architecture and backlog?

• How do IEC 62443 requirements translate into specific development activities?

• How do we prepare our products for CRA compliance without disrupting engineering teams?

• What evidence will regulators or customers expect to see?

Security standards and regulations rarely describe how development teams should actually implement them.

As a result, organizations often end up with:

• security requirements that are difficult to apply in practice

• compliance initiatives disconnected from engineering teams

• uncertainty about whether implemented measures will hold up under audit or regulatory review

How I support product teams

I typically work with product organizations that want to strengthen the security of their software-driven or connected products and prepare for increasing regulatory expectations such as the EU Cyber Resilience Act.

My focus is on translating security standards and regulatory requirements into practical engineering activities that fit existing development processes.

Typical engagements include the following areas.

CRA Readiness and Product Scope Assessment

Preparing products for the EU Cyber Resilience Act requires more than documentation. It requires understanding which products are in scope and how current development practices align with regulatory expectations.

I support organizations with:

• identifying which products fall under CRA scope

• assessing current development and security practices against CRA requirements

• conducting structured gap analyses

• defining a realistic implementation roadmap for engineering teams

The goal is to create a clear and prioritized path toward CRA readiness without disrupting ongoing product development.

Secure Development Lifecycle
(Secure-by-Design)

Secure-by-Design means integrating security into the development process from the earliest stages of product design.

I work with development and architecture teams to embed security into existing engineering workflows, including:

• structured threat modeling during architecture and design

• defining security requirements based on risk analysis

• integrating security into development processes and design reviews

• supporting teams in implementing secure development practices

The focus is always on solutions that are practical for engineering teams, not theoretical frameworks.

IEC 62443 Implementation for Product Development

For manufacturers of connected or industrial products, ISA/IEC 62443 provides a structured foundation for secure product development.

I help product organizations translate these requirements into concrete development activities, including:

• gap analysis against IEC 62443-4-1 and 62443-4-2

• defining development lifecycle practices aligned with 62443-4-1

• deriving technical security requirements from 62443-4-2

• supporting product teams in implementing and documenting security practices

This helps organizations align their development processes with widely recognized security standards while keeping engineering work manageable.

Product Security Architecture and Risk Analysis

Security architecture decisions made early in development often determine how resilient a product will be over its entire lifecycle.

I support product and architecture teams with:

• security architecture reviews

• structured threat and risk analysis

• defining security concepts and protection mechanisms

• aligning architecture decisions with security requirements and compliance expectations

This helps ensure that security is built into the product architecture rather than added later as an afterthought.

Typical situations where organizations bring me in

Organizations usually reach out when they face questions such as:

• A product team needs to prepare for the EU Cyber Resilience Act but is unsure where to start.

• Development processes exist, but it is unclear whether they meet IEC 62443 or CRA expectations.

• Security requirements exist at a high level, but teams struggle to translate them into engineering work.

• Product architects need support in integrating security into an existing architecture without disrupting development.

• A company wants to introduce structured threat modeling and Secure-by-Design practices into its development lifecycle.

In these situations, my role is typically to work closely with product managers, architects, and development teams to translate security expectations into practical development activities and technical decisions.

Engagements are typically advisory or project-based and can range from short assessments to longer-term support during implementation.

I am based in Brazil and typically work remotely with product organizations across Europe, with occasional on-site visits where useful.

Why Work With Me

Bridging engineering and security

My background combines more than 15 years of software development and architecture with deep cybersecurity expertise.

This allows me to work directly with development and architecture teams and translate security expectations into practical engineering decisions.

Focus on implementation, not theory

Security frameworks and regulatory requirements often remain abstract.

My focus is on turning these expectations into concrete development activities, technical requirements, and verifiable implementation steps that fit existing engineering processes.

Pragmatic collaboration with product teams

Successful product security cannot be imposed externally.
I work closely with product managers, architects, and development teams to integrate security practices in a way that supports product development rather than slowing it down.

About me

I am a cybersecurity specialist focused on secure product development for software-driven and connected products.

My work centers on helping product organizations integrate security directly into their development lifecycle — from threat modeling and security architecture to structured Secure-by-Design development practices.

A core part of my work is translating security standards and regulatory requirements such as ISA/IEC 62443 and the EU Cyber Resilience Act into concrete engineering activities that development teams can realistically implement.

Professional experience

Recent roles include:

• Product and Solution Security Expert — Siemens AG
  Responsible for product security in industrial software products, including threat and risk analyses, security architecture, and preparation for the EU Cyber Resilience Act.

• Cybersecurity Consultant — evosoft (Siemens subsidiary)
  Supporting development organizations with IEC 62443-based product security, Secure Development Lifecycle improvements, and security architecture

• Independent Cybersecurity Consultant
  Supporting product organizations with Secure-by-Design development practices, IEC 62443 implementation, and CRA readiness.

Certifications

My work is supported by certifications across product security, architecture, and risk management:

• ISA/IEC 62443 Cybersecurity Expert

• Information Systems Security Architecture Professional (ISSAP)

• Certified Information Systems Security Professional (CISSP)

• Certified Information Systems Auditor (CISA)

• Certified Information Security Manager (CISM)

• Certified in Risk and Information Systems Control (CRISC)

• Offensive Security Certified Professional (OSCP)

Articles / Insights

I regularly write about secure product development, the implementation of ISA/IEC 62443, and the practical implications of the EU Cyber Resilience Act for product organizations.

My focus is on translating security frameworks and regulatory expectations into practical engineering approaches for development teams.

EU Cyber Resilience Act: What Product Teams Should Do Now

A practical roadmap for CRA readiness covering scope assessment, gap analysis, vulnerability handling, and SBOM implementation

→ Download the article

CRA Presumption of Conformity: What It Means and Why IEC 62443 Is the Right Implementation Path

A detailed breakdown of the CRA's presumption of conformity mechanism, how IEC 62443 maps to Annex I, where the gaps are, and what the EN adaptation work is doing to close them. For product security professionals preparing for the December 2027 deadline.

→ Download the article

Engineering Security for CRA Readiness

A perspective on why traditional “test-and-fix” security models are no longer sufficient and how secure product development must become part of engineering practice. The article discusses how frameworks such as IEC 62443 help translate regulatory expectations into structured development processes.

→ Download the article

Secure by Design vs Secure by Default

A short explanation of two concepts that are often confused in product security. The article explains why Secure-by-Design focuses on the development process, while Secure-by-Default concerns the configuration of the final product.

→ Download the article

If these topics are relevant to your work, feel free to connect with me on LinkedIn, where I regularly share insights on product security, IEC 62443, and the EU Cyber Resilience Act.

Let's connect

If your organization is working on secure product development, IEC 62443 implementation, or preparation for the EU Cyber Resilience Act, feel free to reach out.

Happy to talk through your specific situation and explore practical approaches.
Initial conversations are informal and typically focused on understanding your current challenges.

→ Contact me
→ Connect on LinkedIn
→ Book a 30 minute appointment