The EU Cyber Resilience Act (CRA) establishes essential cybersecurity requirements for technology manufacturers. If your company produces hardware or software sold in Europe, it’s crucial to prepare for compliance deadlines starting in 2026.
What the Cyber Resilience Act Demands
The CRA requires manufacturers to embed security throughout the product lifecycle:
Security-by-design obligations:
- Implement cybersecurity from initial development
- Deliver products with secure default settings
- Provide security updates for the product’s lifetime or for a minimum of five years
Vulnerability management requirements:
- Report actively exploited vulnerabilities within 24 hours
- Notify ENISA of severe incidents within 72 hours
- Maintain processes for handling security issues throughout the support period
Documentation and transparency:
- Create a Software Bill of Materials (SBOM) for all components
- Publish clear vulnerability disclosure policies
- Maintain security documentation accessible to users
What Products Does the EU CRA Affect?
The CRA applies to manufacturers placing digital products on the EU market. Three risk categories determine your obligations:
Default category — Most digital products, including standard software and connected devices
Important category — Products managing critical functions like identity management, network management, or privileged access
Critical category — Products in essential infrastructure sectors, including industrial firewalls, secure elements, and smart meter gateways
Key Compliance Deadlines
Manufacturers face a staged rollout:
- 2026: Conformity assessment bodies receive accreditation; vulnerability management obligations, including the reporting requirements for actively exploited vulnerabilities and severe incidents, start to apply.
- 2027: Full CRA requirements take effect for products on the EU single market.
- Transition period: Existing products receive extended compliance timelines based on category.
Products in important and critical categories require third-party conformity assessment before CE marking. Default category products qualify for self-assessment.
What Non-Compliance Costs
Penalties scale with revenue and violation severity. The Commission can impose fines reaching millions of euros. More immediately, non-compliant products lose EU market access.
Taking Action
Begin with a product portfolio review. Classify each product by risk category. This determines assessment requirements and compliance costs.
Manufacturers in important and critical categories should identify qualified notified bodies for third-party assessment. The accreditation process for these bodies runs through 2026.
All manufacturers need updated development processes incorporating security-by-design principles. This represents a fundamental shift for organisations accustomed to adding security as a late-stage concern.
The CRA changes how digital products reach and are sold on European markets. Preparing early reduces compliance costs and protects market access.