In less than five months from now, the first hard obligation under the EU Cyber Resilience Act takes effect. From 11 September 2026, every manufacturer of a product with digital elements placed on the EU market, which means most of the software, firmware, and connected hardware built in this room, must be able to detect and assess actively exploited vulnerabilities and severe incidents and submit an early warning within 24 hours of becoming aware of them. By December 2027, the full regulation lands: secure-by-design obligations, vulnerability handling across the product lifecycle, conformity assessments, CE marking, and accountability at the management level.

Most CRA conversations focus on the technical baseline. This workshop focuses on what happens when the baseline fails, and on the decisions that follow, which are made not by engineers but by the CEO, CTO, CFO, and CLO, under simultaneous pressure from regulators, customers, insurers, investors, and journalists. In teams of five, participants form the C-suite of a fictional fintech and work through five timed decision points across a 72-hour breach scenario tied to a CI/CD compromise and a CRA-reportable vulnerability. Each round forces a documented decision with a financial, contractual, and reputational cost. No technical fix saves a bad management call.

Participants leave with a CEO/CTO Decision Playbook mapping the four clocks every leader must track (regulatory, contractual, insurance, reputational), a decision-rights matrix for CRA incidents, and a pre-drafted notification template in English.
