Maximilian Heck

Maximilian Heck

Head of Regulatory & Security @ Think Ahead Technologies

Maximilian Heck is Head of Regulatory & Security at Think Ahead Technologies GmbH and is responsible for the strategic direction of Kunnus, the all-in-one platform for CRA compliance. He holds a Master of Arts in Business Development from Euro-FH Hamburg and a Bachelor of Science in Business Information Systems from DHBW. Before joining Think Ahead, he served as Chief of Staff and Spokesperson for a member of the German Bundestag and worked as an IT Solution Engineer at OBI Switzerland. As a CRA expert, he helps manufacturers of connected products understand and systematically implement the requirements of the EU Cyber Resilience Act.

View LinkedIn Profile

Articles by Maximilian Heck

CRA Friday Facts: Machinery Regulation and CRA, Two Duties, One Opportunity

Machinery Regulation certified ≠ CRA compliant. Why robot manufacturers must meet both frameworks and where the real synergies lie.

CRA Friday Facts: Product End-of-Life Is Not the Finish Line

Discontinuing a product does not get you out of the CRA. Information duties, documentation retention, and secure data deletion guidance carry on.

CRA Friday Facts: Collective Redress, Manufacturers in the Crosshairs

The CRA gives consumer protection organisations the right to sue manufacturers directly. Why regulators are not the only enforcement layer, and what that means in practice.

Per-Unit Alarm: Why Inventory Manufactured in 2026 Becomes a CRA Compliance Risk in 2028

The EU CRA applies per individual unit at the moment of placing on the market. For Swiss manufacturers with 12 to 24 month inventory cycles, every serial number needs its own up-to-date patch status.

CRA Friday Facts: No Grandfathering, the Production Date Doesn't Count

There is no CRA grandfathering by production date. What counts is placing on the market, the day a unit actually reaches the EU market.

CRA Friday Facts: Why Your Supplier Can't Shield You From Liability

The CRA knows no liability delegation. Whoever places the product on the market is liable, even if suppliers develop and manufacture it.

CRA Friday Facts: Why SMEs Are Fully Affected Too

The CRA applies to every manufacturer with digital elements, 8 employees or 17,000. SME relief reduces bureaucracy, not the security standard.

CRA Friday Facts: CE Marking Done. Compliance Is an Ongoing Obligation

The CRA makes cybersecurity a continuous obligation. Without ongoing monitoring, documentation, and updates, conformity is lost, even after the EU declaration of conformity is signed.

CRA Friday Facts: Why Your Logo Makes You the Manufacturer

"We're just an importer." Wrong, the moment your logo is on the product. The CRA turns white-label vendors into manufacturers, with all the obligations.

CRA Friday Facts: When the CRA Hits Legacy Devices Too

Existing products aren't off the hook. From 11 Sept 2026, reporting obligations apply to all products on the market. And substantial modifications trigger the full CRA.

CRA Friday Facts: Why a Single USB Port Hits the Offline Device

"Our machine runs offline." One USB port, an SD slot, or a service interface is enough to bring the product into CRA scope. Offline doesn't protect you.

EU Cyber Resilience Act and SMEs: Every Relief Measure Available to Smaller Manufacturers

The CRA includes targeted SME relief measures — but they are unevenly distributed. Which measures apply, who benefits, and where medium-sized enterprises are left out.

Cyber Resilience Act and Switzerland: What Swiss Manufacturers Need to Know for EU Exports

The EU Cyber Resilience Act applies to Swiss manufacturers exporting to the EU — and Switzerland is preparing its own equivalent regulation via Motion 24.3810. Obligations, deadlines and concrete steps at a glance.

February 12, 2026

Why Manual EU CRA Compliance Fails (and Automation Is the Only Way)

EU Cyber Resilience Act manual compliance breaks at scale: SBOM upkeep, 24h ENISA reporting, vulnerability response — automation is the only path.

February 11, 2026

Vulnerability Management Under the CRA: Obligations, Processes, and Tools for Manufacturers

The Cyber Resilience Act makes vulnerability management mandatory. Learn what processes manufacturers must build – from detection through reporting to coordinated disclosure.

February 5, 2026

20 Products You Didn't Expect – Why the Cyber Resilience Act Could Disrupt Your Business

RFID chips, plush toys, coffee machines – the CRA affects far more than the IT industry. 20 surprising product examples and what manufacturers need to know now.

February 1, 2026