The new EU Cyber Resilience Act (CRA) will quietly reshape how many franchise and distribution networks design, deploy and support their digital products. While the CRA is drafted as a product-regulation instrument, it will be very relevant for franchisors that provide point of sale software, apps, cloud tools or connected devices to their networks.
What is in scope?
The CRA applies to most “products with digital elements” – in simple terms, hardware or software whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network (for example, POS systems, loyalty apps, self-service kiosks, IoT devices used in stores). Pure cloud services (SaaS) are not in scope as such, but the remote data processing on which a product depends (for example, the back end of a loyalty app) is treated as part of that product. Certain sectors already heavily regulated by EU law (for example, medical devices, vehicles) are carved out.
If a franchise system offers its own branded software, white label hardware or a bundled “digital toolkit” for outlets, those products will likely fall under the CRA.
Who is the “manufacturer” in a franchise setting?
The CRA works with classic product law roles:
- Manufacturer – means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge (Article 3 (13) CRA)
- Importer – means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union (Article 3 (16) CRA)
- Distributor – means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties (Article 3 (17) CRA)
In many networks, the franchisor (or a group company) will qualify as manufacturer for its proprietary software platform or branded devices. A master franchisee or regional distributor may become importer when sourcing from outside the EU. Individual franchisees acting as sales outlets will often be distributors. Note, however, that an importer or distributor that markets a product under its own name or trademark, or substantially modifies it, takes on the manufacturer’s obligations for that product (Article 22 CRA). This mapping matters: each role carries its own set of obligations and liability exposure.
Key obligations
In a nutshell, the CRA requires:
- Cybersecurity by design and by default
Manufacturers must ensure that products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I (Article 13 (1) CRA), on the basis of a documented cybersecurity risk assessment.
- Vulnerability handling and updates
Manufacturers must identify, document and remediate vulnerabilities in their products in accordance with the vulnerability handling requirements set out in Part II of Annex I (Article 13 (3), (6) CRA). They must also provide security updates and support throughout a defined support period, which must reflect the expected product lifetime and, as a rule, be at least five years, with updates disseminated without delay and free of charge as referred to in Part II, point (8), of Annex I (Article 13 (9) CRA).
- Conformity assessment and CE marking
Before placing a product on the market, manufacturers must carry out a conformity assessment, draw up the technical documentation and the EU declaration of conformity, and affix the CE marking (Article 13 (12) CRA). The assessment route depends on the product’s classification: the default route is self-assessment, while the important and critical products listed in Annexes III and IV are subject to stricter procedures.
- Obligations for importers and distributors
Importers and distributors must verify that only CRA-compliant products (with CE marking, documentation and manufacturer information) are made available on the market (Articles 19 (1), 20 (2) CRA). They must not make available a product they have reason to believe does not comply with the Regulation, and they must cooperate with the market surveillance authorities on request (Articles 19 (8), 20 (6) CRA).
For franchise networks, this translates into concrete governance questions: Who owns the vulnerability management process? Who pushes security updates to outlets? How do you ensure that franchisees do not use non-compliant hardware or modified software?
Timeline and what franchise networks should do now
The CRA will apply in full from 11 December 2027. The manufacturers’ reporting obligations under Article 14, however, apply earlier, from 11 September 2026: actively exploited vulnerabilities and severe incidents affecting the security of a product must be reported to the designated CSIRT and ENISA, with an early warning within 24 hours and a notification within 72 hours of becoming aware. That leaves only a short window for networks that rely heavily on digital tools.
Franchisors and brand owners should start to:
- Map their role(s) under the CRA for each product with digital elements used or supplied on the EU market.
- Review contracts (franchise agreements, master franchise, distribution and IT supply agreements) to align responsibilities for cybersecurity, updates, incident handling and recalls with the CRA roles.
- Update manuals and policies to include clear rules on use, maintenance and updates of digital products at outlet level.
- Set up an internal CRA governance connecting legal, IT security, product and franchise operations.
Practical advice
For many franchise systems, the CRA will not be a purely technical topic. It will become a core element of how they structure their franchise and distribution relationships – and of how risk and liability are allocated across the network. It is therefore essential to put a system in place that enables all obligations to be met before the CRA applies in full in December 2027.