Columbia Group has raised concerns about the growing gap between cyber regulation and operational readiness slowing industry progress, following discussions at this year’s CRA Europe 2026 – Cyber Resilience in Action conference in Bucharest.
Held at the Romanian Parliament, the conference brought together more than 150 policymakers, regulators and industry leaders to explore how organisations are expected to meet the demands of the Cyber Resilience Act (CRA). While there was broad alignment on the direction of travel, conversations throughout the event highlighted a key challenge in turning regulatory intent into systems and processes that work in practice.
A consistent theme across the conference was the critical role of vulnerability management and security updates. These are no longer technical considerations operating in the background, but core requirements that will determine whether organisations can meet compliance expectations. That shift is forcing companies to rethink how security is embedded across the entire lifecycle of digital products, from initial design to end-of-support.
Columbia Group participated in the conference through its involvement in the EU-funded CYBERGUARD and CYBERFORT projects, sharing practical insight from the maritime sector.
Marios Ioannou, Business Information Security Officer at Columbia Group, said:
“There’s a lot of alignment on what the CRA is trying to achieve, but the real challenge is operationalising it at the product and process level. The regulation sets clear expectations around vulnerability disclosure, software bill of materials and end-of-life security obligations and that’s forcing organisations based on their market role to rethink how security is embedded across the full development lifecycle. For many, particularly smaller businesses, the gap isn’t knowledge of the regulation; it’s having the governance structures and engineering capacity to deliver on it consistently.”
A lot of this comes down to vulnerability management and lifecycle security. If the processes aren’t straightforward and workable, it becomes challenging, especially for smaller businesses trying to keep up.”
Discussions also pointed to growing fragmentation, with multiple initiatives and guidance frameworks evolve in parallel. There was a clear sense that stronger cooperation between EU-funded projects, national authorities and industry will be needed to avoid duplication and give organisations clearer, more consistent pathways to compliance.
The CYBERGUARD and CYBERFORT projects, funded under the European Union’s Cybersecurity and Trust Programme and Digital Europe Programme, are intended to address that challenge by developing practical tools and pilot use cases across sectors including maritime, energy and finance.
Mark O’Neil, CEO of Columbia Group, added: “What’s becoming clear is that this is no longer just about regulation on paper, it’s about how it works in practice across different industries. Industry has a vital role to play in closing that gap. By bringing operational insight and real-world experience into the conversation, we can help ensure cyber resilience is something organisations can actually deliver, not just something they’re expected to achieve.”
About Columbia Group:
For over 45 years, the Columbia Group has provided world-class ship management and crew management services to the global shipping industry. A global presence with more than 40 management and representative offices, crew agencies and training centres worldwide connects Columbia to its 20,000 employees on land and sea.
Moreover, the Group offers a fully transparent and integrated maritime services, energy, leisure and logistics platform, cooperating closely with its global partners to drive bottom line value and leverage economies of scale. Columbia’s services are cost-efficient and fully optimised to the individual client’s business scenario, resulting in the delivery of top-quality customisable and modular maritime solutions.
