EU Cyber Resilience Act (CRA): What Every Manufacturer Needs to Know Before September 2026

If your company makes anything that contains software — a smart lock, an industrial sensor, a mobile app, a router, or even a connected toy — the European Union has a new law that directly affects you. It’s the Cyber Resilience Act (CRA), and its first mandatory deadline falls on 11 September 2026.

Overlooking it could cost you up to EUR 15 million.

This guide explains what the CRA is, who it applies to, what you need to do, and how much time you really have.

What Is the Cyber Resilience Act?

The Cyber Resilience Act is an EU regulation that introduces mandatory cybersecurity requirements for all products with digital elements sold on the European market. It was signed on 10 December 2024.

In simple terms: if your product contains software or firmware and you sell it in the EU, you now have to prove it is secure — not just at launch, but throughout its entire lifecycle.

Before the CRA, cybersecurity for most products was voluntary. Manufacturers could ship devices with known vulnerabilities, skip security updates, and face no legal consequences. The CRA changes that. It makes product cybersecurity a legal obligation — much like the CE marking already ensures physical safety.

Who Is Affected?

The CRA covers every company that manufactures, imports, or distributes products with digital elements on the EU market. This also applies to non-EU companies selling to European customers.

Companies that ARE in scope:

• IoT and smart device manufacturers — smart locks, security cameras, thermostats, smart speakers, connected toys, fitness trackers
• Software companies — desktop and mobile apps, operating systems, firmware, password managers, VPNs, browsers
• Network equipment manufacturers — routers, modems, switches, firewalls, access points
• Industrial hardware and IIoT — industrial sensors, PLC controllers, building automation, smart meters
• Consumer electronics with software — smart TVs, home appliances, Bluetooth speakers, dash cams
• Non-EU companies selling to the European market — an authorized representative in the EU is required

Companies that are NOT in scope:

• Pure SaaS companies (may fall under NIS2)
• Non-commercial open-source projects
• Medical devices (MDR)
• Automotive (UNECE R155)
• Aviation and defence

Two Deadlines You Cannot Miss

Most companies assume they have until December 2027 to prepare. That is a dangerous mistake.

Deadline 1: 11 September 2026 — Vulnerability Reporting Obligation

From that day, all manufacturers must report:

• Actively exploited vulnerabilities in their products — within 24 hours
• Serious security incidents affecting their products — within 24 hours

Deadline 2: 11 December 2027 — Full Compliance

• Products must be shipped without known exploitable vulnerabilities
• Security-by-design must be followed
• Free security updates throughout the product lifecycle (minimum 5 years)
• Complete technical documentation retained for 10 years
• Conformity assessment must be completed

What Exactly Does the CRA Require?

1. Product Security (13 requirements)

• Cybersecurity proportionate to the risks
• No known vulnerabilities in the shipped product
• Secure default settings
• Proper access control and authentication
• Encryption of data at rest and in transit
• Data minimisation
• Protection against DoS attacks
• Security updates, including automatic ones
• Logging and activity monitoring

2. Vulnerability Handling (8 requirements)

• Create and maintain an SBOM — in CycloneDX or SPDX format
• Fix vulnerabilities and deliver free patches
• Regular security testing
• Public disclosure of fixed vulnerabilities
• Coordinated disclosure policy
• Vulnerability reporting channel
• Secure distribution of updates

The 24-Hour Reporting Obligation — How Does It Work?

Product Categories

Default Category (~90% of products)

Most products — Bluetooth speakers, smart home gadgets, general software. Compliance through self-assessment.

Important — Class I

Smart home security devices, routers, VPNs, password managers, connected toys. Requires third-party lab certification or compliance with a harmonised standard.

Important — Class II

Operating systems, hypervisors, containers, industrial firewalls. Requires mandatory third-party assessment.

Critical

Smart meter gateways, smart cards, hardware security modules. Requires EU cybersecurity certification (EUCC).

Penalties

What You Should Do Now: A Practical Checklist

1. Check whether the CRA applies to you. Does your product contain software or firmware? Is it sold on the EU market?
2. Classify your products. Determine the category: Default, Important (Class I/II), or Critical.
3. Generate an SBOM for every product. CycloneDX or SPDX — a complete list of components.
4. Set up continuous vulnerability monitoring. NVD, CISA KEV, GitHub Advisories, OSV.
5. Prepare an incident reporting procedure. 24h/72h/14-day templates. Assign roles. Test the procedure.
6. Document everything. Risk assessments, security architecture, SBOM records — retention for 10 years.

Conclusion

The Cyber Resilience Act is the most significant cybersecurity regulation for product manufacturers in EU history. It transforms product security from a voluntary best practice into a legal requirement with serious financial consequences.

Companies that prepare early will not only avoid penalties — they will gain a competitive advantage. In a market where buyers increasingly demand evidence of security, CRA compliance becomes a trust signal.

The first deadline is 11 September 2026. The time to act is now.

Sources

1. European Commission — Cyber Resilience Act
2. European Commission — CRA Reporting Obligations
3. ENISA — Single Reporting Platform
4. European Commission — CRA and Open Source Software
5. Hogan Lovells — EU CRA: Key Milestones 2026