- What: This Master's thesis investigates how small and medium-sized enterprises (SMEs) in Germany currently handle cybersecurity compliance in their product development processes – with a specific focus on the EU Cyber Resilience Act (CRA). The thesis is embedded in the funded research project CRA-COMPASS, a collaboration between the TUM Chair for Strategy and Organization and Fraunhofer AISEC.
- When: Start anytime. Applications are open!
- How to apply: Send your CV, transcript of records, and a short motivation statement (details below).
Please note: There is a German language requirement for this thesis, as you need to be able to conduct interviews with SMEs.
Background
The EU Cyber Resilience Act (CRA) obliges manufacturers of products with digital elements to meet stringent cybersecurity requirements along the entire product lifecycle – with full compliance required by December 2027. For SMEs, this represents a particular challenge: studies show that only 12.3% of SMEs are even aware of the CRA, compared to 83.5% of large enterprises. Many lack the internal expertise, financial resources, and established processes needed to prepare for compliance.
The CRA-COMPASS research project, jointly conducted by the TUM Chair for Strategy and Organization (CSO) and the Fraunhofer Institute for Applied and Integrated Security (AISEC), aims to support German SMEs systematically in implementing CRA requirements. The project develops both formal compliance process guidelines and an AI-powered, open-source CRA compliance tool.
Your contribution to this project will be to design an interview guide and conduct qualitative expert interviews with SME employees to analyse their status quo compliance process in digital product development. Based on the interviews you will then identify gaps in the current process for CRA compliance. Depending on progress and interest, the thesis may additionally develop a first proposal for a target compliance process.
Who We Are
As Chair for Strategy and Organization we are focused on research with impact. This means we do not want to repeat old ideas and base our research solely on the research people did 10 years ago. Instead, we currently research topics that will shape the future such as Quantum/Deep Tech, (Generative) Artificial Intelligence, Digital Transformation and Business Model Innovation, Diversity, Education Technology and Performance Management, Leadership, and Teams. We are always early in noticing trends, technologies, strategies, and organisations that shape the future, which has its ups and downs.
This thesis will be jointly supervised by Marie Klotz and Joe Yu, both PhD Students at the Chair of Strategy and Organisation.
Topics of Interest and Potential Outcomes
The thesis addresses the following research questions drawn from the CRA-COMPASS project:
- How do compliance processes currently operate in German SMEs developing (partially) digital products?
- What awareness exists regarding CRA requirements among SME employees (e.g., product developers, IT/security staff)?
- What structural barriers prevent SMEs from implementing CRA-compliant processes?
- (Optional) What would a formal target process for CRA compliance look like in an SME context?
Concrete outputs of the thesis include:
- A structured interview guide for semi-structured expert interviews with SME representatives
- Qualitative data from approx. 10–18 interviews with cybersecurity officers and product developers in German SMEs
- Status quo process analysis incl. gaps of current SME compliance practices
- (Optional) A first draft of a formal target process for CRA compliance
Profile
- Native or fluent German speaker (interviews are mostly conducted in German)
- Strong interest in cybersecurity, regulatory compliance, and/or digital transformation
- Background in management, information systems, or a related field
- Experience with or willingness to learn qualitative research methods (semi-structured interviews, qualitative content analysis)
- Reliable, structured, self-driven working style and ability to work independently
- Ideally: familiarity with process modeling (e.g., ARIS, eEPK) – not required, but a plus
How to Apply
If you are interested, please send an email to Joe Yu (joe.yue@tum.de) & Marie Klotz (marie.klotz@tum.de) with the subject line “CRA Compass Master thesis | Application [Your Name]” together with:
- Your CV
- Current transcript of records / grade report
- Preferred starting date
- A short motivation statement (why this topic, what relevant background do you bring)