SECURITYSQUAD
Back to the blog

Cyber Resilience Act (CRA): What manufacturers need to know now

2026-07-17 · by SECURITYSQUAD

The Cyber Resilience Act (CRA) is the first EU regulation to impose horizontal cybersecurity requirements on products with digital elements – that is, on nearly all connected hardware and software. Anyone who manufactures, imports or distributes such products in the EU must demonstrably ensure security across the entire lifecycle. This article outlines the scope, core obligations and the current timeline.

What is the Cyber Resilience Act?

The CRA (Regulation (EU) 2024/2847) establishes binding, EU-wide cybersecurity requirements for products with digital elements. Unlike NIS2, which targets operators, the CRA addresses the product itself: from smart door locks and industrial controllers to operating systems, libraries and mobile apps. The goal is that products sold in the EU are "secure by design" and kept secure throughout their entire period of use.

As a regulation, the CRA applies directly in all member states – without national transposition. Compliance is documented via the familiar CE marking: without meeting the cybersecurity requirements, an affected product may no longer be placed on the market.

Scope: products with digital elements

The CRA covers both hardware and software whose intended use involves a direct or indirect data connection to a device or network. It differentiates by criticality:

  • Standard products (the large majority): conformity assessment mostly through self-assessment by the manufacturer.
  • Important products (class I and II, e.g. password managers, network components, operating systems, industrial firewalls): stricter assessment, in some cases involving a notified body.
  • Critical products: highest requirements, potentially European certification.

Areas with their own sector-specific regulation – such as medical devices, motor vehicles or civil aviation – are excluded. Pure software-as-a-service generally falls outside the CRA but may be regulated under NIS2.

The core obligations at a glance

The CRA does not require a one-off measure but continuous processes:

  • Security by design and by default: products must ship without known exploitable vulnerabilities and be configured with secure default settings.
  • Vulnerability management across the lifecycle: manufacturers must identify and document vulnerabilities and remediate them without delay via security updates – over the expected period of use, but at minimum over the defined support period.
  • Software Bill of Materials (SBOM): a structured inventory of the included components (in particular open-source dependencies) must be created and maintained.
  • CE marking and technical documentation: evidence of conformity with the essential requirements (Annex I) must be produced and kept on file.
  • Reporting obligations: actively exploited vulnerabilities and severe security incidents must be reported via the ENISA reporting platform to the relevant CSIRT and ENISA – as an early warning within 24 hours, a detailed notification within 72 hours, and a final report no later than 14 days after a corrective measure becomes available.

Timeline: as of July 2026

The CRA entered into force on 10 December 2024. The obligations take effect in stages:

  • 11 June 2026: the rules on notifying conformity assessment bodies (notified bodies) apply.
  • 11 September 2026: the reporting obligations for actively exploited vulnerabilities and severe incidents apply. From this date the ENISA Single Reporting Platform is operational. Importantly, this reporting obligation also covers products already on the market.
  • 11 December 2027: the bulk of the obligations take effect – in particular the essential security requirements, conformity assessment and CE marking.

The 11 September 2026 date is therefore the first hard deadline on the horizon: by then, manufacturers must have processes in place to detect and report exploited vulnerabilities within the required timeframes.

Who is affected?

The CRA addresses all economic operators along the supply chain:

  • Manufacturers carry the main burden: they are responsible for security by design, vulnerability management, SBOM, documentation and reporting.
  • Importers may only place compliant products on the market and must verify conformity.
  • Distributors must act with due care and may not supply products that are obviously non-compliant.

Anyone who sells third-party products under their own brand or substantially modifies a product is generally regarded as a manufacturer themselves – with all associated obligations.

How the CRA differs from NIS2

The CRA and NIS2 complement each other but address different levels. NIS2 obliges operators of essential and important entities to implement risk management and reporting at the organisational level. The CRA starts one level earlier – at the product – and governs its manufacture and maintenance. A company may be subject to both regimes: as an operator (NIS2) and at the same time as a manufacturer of digital products (CRA). The CRA reporting obligations run through the ENISA platform with 24/72-hour deadlines comparable to those known from NIS2.

Practical preparation

The good news: much of this builds on established security practices. Sensible first steps:

  1. Clarify product inventory and applicability: which products fall into which category?
  2. Build an SBOM: make components and dependencies transparent – the foundation for fast vulnerability management.
  3. Secure development and hardening: secure defaults, a minimised attack surface, verified update mechanisms.
  4. Establish a vulnerability and update process: from detection to deployed patch – documented and on time.
  5. Have security tested: penetration tests uncover exploitable vulnerabilities before attackers do – and provide evidence for the technical documentation.
  6. Prepare reporting and response processes: align responsibilities, detection and deadlines (24/72 hours) to 11 September 2026.

How SECURITYSQUAD supports you

SECURITYSQUAD supports manufacturers and software vendors on their path to CRA compliance in a hands-on way. With offensive security and penetration testing we identify exploitable vulnerabilities in your products – a central building block for security by design and the conformity evidence. Through system hardening we reduce the attack surface and establish secure baseline configurations. In our advisory work we help build vulnerability management, reporting and response processes and align them with existing ISMS requirements under ISO 27001 and BSI IT-Grundschutz.

As a partner founded in 2022 with an ISO 27001 and ISO 9001 orientation and a member of the Alliance for Cyber Security, we help you treat the CRA not as a compliance chore but as a measurable security gain.

Read more: NIS2 for mid-sized companies · Penetration testing · System hardening with CIS benchmarks · Expertise & Services