
What the CRA and PSTI mean for women in tech security


As cybersecurity regulations tighten across Europe and the UK, the introduction of the Cyber Resilience Act (CRA) in the EU, and the Product Security and Telecommunications Infrastructure (PSTI) Act in the UK, is bringing new layers of responsibility to tech companies.

While these two measures aim to improve consumer safety and reduce systemic risk, they also open a timely opportunity for women in tech—specifically women in security—to not only participate in compliance efforts but also lead them.

I will explore both of these new IT security-related frameworks, here and exclusively for Women in Tech.co.uk, starting with the most recent one to come into force, writes Evane Alexandre, associate and tech lawyer at Gerrish Legal.

The CRA explained: What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act, which entered into force in December 2024 and will apply fully by 2027, establishes cybersecurity requirements for any ‘Product with Digital Elements’ (PDE) sold in the EU.

The CRA applies broadly to connected hardware and software, excluding sectors already governed by other frameworks, such as automotive or medical devices, and excluding online-only services like SaaS (Software as a Service), which fall under the NIS2 directive.

The CRA introduces harmonised rules for bringing digital products to market, essential cybersecurity obligations throughout the product lifecycle, and requirements for vulnerability management.

Under the CRA, products must be secure by design and default, support automatic updates, and allow users to safely erase or transfer data.

CRA: Risk, obligations and non-compliance penalties

Further under the CRA, products are categorised by risk, from “default” to “critical,” with more stringent obligations depending on their potential impact.

Non-compliance with this new framework could lead to fines of up to €15 million or 2.5% of global turnover, and more serious breaches may even lead to market withdrawal.

PSTI explained: What is the Product Security and Telecommunications Infrastructure (PSTI) Act?

In force since April 2024, the PSTI Act applies a similar logic to consumer smart products in the UK, such as connected home devices, wearables, and internet-enabled toys.

The PSTI Act covers hardware and essential supporting software, including apps and cloud services, and it applies not just to manufacturers but also to importers and distributors.

PSTI: Key obligations – and how much in penalties for ignoring them

Under the PSTI Act, key obligations include banning default passwords; stating the minimum duration of security support; and publishing a vulnerability disclosure policy.

In the event of non-compliance, the UK’s Office for Product Safety and Standards (OPSS) can issue recall or stop-sale notices.

The OPSS can also impose fines of up to £10 million or 4% of global turnover, along with daily penalties for continued non-compliance.

CRA and PSTI: my top takeaway as a technology lawyer

As the potentially swingeing penalties tied to both frameworks hopefully signal, these new and now in-force laws mark a big shift toward regulatory accountability in cybersecurity.

Both the Cyber Resilience and Product Security and Telecommunications Infrastructure Acts are big on setting new expectations for product integrity and long-term risk management.


What do CRA and PSTI mean for women in IT or security?

The need to interpret and implement these new regulations is already generating demand for cross-functional expertise.

CRA compliance, in particular, requires close coordination between developers, security teams, legal counsel, product managers, and risk professionals.

At the same time, the PSTI Act is triggering a similar shift in the UK consumer tech space.

The regulatory pivot underway in both Europe and the UK represents a real opportunity to step into strategic, high-visibility roles across technical, legal, and leadership functions.

Fancy shaping how tech organisations build secure, trusted products?

For women in tech, whether working in engineering, cybersecurity, compliance, or product strategy, CRA and PSTI represent a potentially lucrative chance to play a central role in shaping how companies build secure and trusted technologies.

As security becomes more central to product success and reputation, the ability to lead on compliance and governance will be increasingly valued, not only as a support function but also as a key driver of innovation and long-term growth.

CRA and PSTI offer a competitive edge for tech company founders and developers

The rise of ‘compliance’ as a market differentiator is also good news for women who build products or found start-up companies.

Why? Well, a product that meets CRA or PSTI requirements is more likely to:

  • Win procurement contracts;
  • Attract enterprise clients; and/or
  • Earn long-term consumer trust.

For early-stage companies, particularly in sectors like consumer IoT (Internet of Things), embedding security and regulatory readiness from the start is becoming a competitive advantage.

We believe this creates a meaningful opening for women entrepreneurs to lead by example and establish a culture of secure and responsible design.

Finally, what CRA/PSTI-related job role will you play as a woman in tech?

The Cyber Resilience and Product Security and Telecommunications Infrastructure Acts are more than regulatory frameworks — they are indicators of where the tech security industry is heading.

These two frameworks reflect the growing expectation of companies to take real responsibility for the security of the digital products they sell.

For women in tech, this irreversible sea-change represents a concrete opportunity to take on roles that influence how companies manage risk and build secure, resilient products. As compliance becomes a core business function for IT and tech companies, the question is no longer just how to meet regulatory standards, but who gets to define them.


Evane Alexandre

Evane Alexandre is a trainee lawyer at Gerrish Legal, a digital law firm spanning Paris, Stockholm, and London. With dual degrees from France and the United States, Evane has acquired valuable knowledge and expertise in business law, with a specialised focus on digital law.

Evane currently assists companies across the globe in navigating legal complexities, achieving compliance seamlessly, and promoting legal innovation and global business collaboration. Proficient in commercial law, contracts, intellectual property, and data privacy, Evane will qualify and register at the Paris bar in 2024.
