3 November 2025
Co-Author: Christian Zander
The Cyber Resilience Act (CRA) is more than just another EU regulation. It is the first European law to establish binding minimum requirements for the cybersecurity of products with digital elements.
As such, it forms a central pillar of the European cybersecurity strategy and makes an important contribution to strengthening Europe’s digital sovereignty. The CRA aims to create uniform security standards throughout the European Union so that consumers and businesses are better protected against digital threats. High cybersecurity standards are intended to make the European internal market more resilient to criminal and terrorist cyberattacks. The distinctive feature of these cybersecurity standards is their broad scope: they apply in principle to all products with digital elements, regardless of the sector or area in which they are used. Thus, even the weakest link in the security chain must meet a mandatory minimum level of protection.
The CRA entered into force on 11 December 2024. Although most provisions will apply only from December 2027, key obligations – such as manufacturers’ reporting duties – will take effect earlier, in autumn 2026. Chapter IV, which contains provisions on the notification of conformity assessment bodies, will become applicable in June 2026.
This article provides a concise overview of the CRA’s key elements.
The CRA imposes obligations on various so-called economic operators. The manufacturer of a product with digital elements is the primary duty bearer. Under Article 3 (1) CRA, a product with digital elements is any software or hardware product and its remote data-processing solutions, including software or hardware components that are placed on the market separately; under Article 2 (1) CRA, the Regulation applies to such products whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. Consequently, the CRA covers nearly all hardware and software products that can be connected, directly or indirectly, to another device or network. Notably, this broad definition of "product" also encompasses stand-alone software.
The range of regulated products is therefore extensive – from smart thermostats, smart meters, and routers to connected industrial machinery or robots, as well as computer programs and apps. Importantly, the CRA focuses not on where a product is manufactured but on whether it is made available on the EU market, whether for remuneration or free of charge. In effect, the CRA has global reach: any manufacturer wishing to market a product in the EU must comply with European cybersecurity requirements.
However, certain product categories are excluded because they are already regulated under other EU legislation, for example medical devices, automotive components, or marine equipment (see Article 2 (2) to (4) CRA). The purpose is to avoid disproportionate administrative burdens. Likewise, free and open-source software that is not supplied in the course of a commercial activity falls outside the CRA's scope.
Small and medium-sized enterprises (SMEs) and start-ups must also comply but may benefit from support measures such as guidance documents, helpdesks, and simplified documentation obligations.
The CRA pursues a clear, long-term goal: to raise the level of digital security in Europe. Given the increasing number of cyberattacks, vulnerabilities, and globally interconnected supply chains, the CRA seeks to ensure that digital products are secure by design, by default, and throughout their life cycle.
At the same time, the CRA reinforces manufacturers' and providers' accountability: anyone placing a digital product on the EU market will be responsible not only for its functionality but also for its cybersecurity throughout its entire lifecycle. This fosters reliability and transparency for both consumers and businesses that rely on digital products. In 2022 the European Commission identified the lack of access to clear cybersecurity information as one of the main causes of damage from successful cyberattacks.
Article 6 CRA provides that products with digital elements may be made available on the market only if, when properly installed, maintained and used for their intended purpose, they meet the essential cybersecurity requirements set out in Annex I, Part I, and the manufacturer's vulnerability-handling processes comply with Annex I, Part II.
Key obligations include:
For important products listed in Annex III (such as network management systems) and critical products listed in Annex IV (such as smart-meter gateways), stricter conformity assessment procedures apply (Articles 7 and 8 CRA); the essential requirements themselves remain those of Annex I, but the manufacturer can no longer rely solely on self-assessment.
These cybersecurity requirements will apply from 11 December 2027 to all products placed on the market from that date onwards. Products placed on the market earlier come within scope only if they undergo a substantial modification after that date.
From 11 September 2026, manufacturers must notify any actively exploited vulnerability in their products, and any severe incident having an impact on the security of a product, of which they become aware, starting with an early warning within 24 hours to both the competent national Computer Security Incident Response Team (CSIRT) and the EU Agency for Cybersecurity (ENISA). This product-related reporting duty complements existing frameworks such as the NIS 2 Directive, but it specifically targets manufacturers of products with digital elements, not only operators of critical infrastructure.
The reporting process consists of three stages:
ENISA will operate a central EU platform for such notifications. The compliance landscape will thus become more complex: depending on the type and extent of a security incident, a single event may trigger multiple reporting obligations under different legal frameworks with tight deadlines.
The European Commission is currently drafting a delegated act (as of 30 October 2025) to clarify Article 16 (2) CRA, specifying under which exceptional circumstances CSIRTs may delay the EU-wide transmission of vulnerability notifications. Such postponement is allowed only in extraordinary cases, for example when highly sensitive information is involved, when a patch is imminent (within 72 hours), or when the reporting platform or a receiving CSIRT itself has been compromised. Feedback on the draft is invited until 13 November 2025, and adoption is expected in Q4 2025.
Under Article 64 CRA, non-compliance with the essential requirements in Annex I or with the manufacturer obligations in Articles 13 and 14 can result in fines of up to EUR 15 million or 2.5 % of the company's worldwide annual turnover, whichever is higher. For breaches of other obligations, the cap is EUR 10 million or 2 % of turnover; supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities can cost up to EUR 5 million or 1 %. In addition, market surveillance authorities may withdraw products from the market, prohibit their availability, or order recalls.
Each Member State must designate a notifying authority and a market surveillance authority. Germany has appointed the Federal Office for Information Security (BSI), which will assume further responsibilities: from June 2026, the BSI will notify the third-party bodies authorized to act as conformity assessment bodies. The BSI will also have the power to inspect products for cybersecurity compliance and, if necessary, impose sanctions.
To ensure legal certainty for manufacturers, several institutions are already providing guidance. The European Telecommunications Standards Institute (ETSI) published in September 2025 the first draft European Standards (EN) for public consultation. These drafts define technical standards and use cases for various product categories such as password managers, network interfaces, and operating systems.
In addition, the European Committee for Electrotechnical Standardization (CENELEC) and the European Committee for Standardization (CEN) will issue further European Standards. Together with ETSI’s technical specifications, these will establish a comprehensive European standardization framework.
The BSI is also preparing a technical guideline consisting of three parts: Part 1 (General Requirements) gives guidance for manufacturers and products aligned with the CRA's articles and annexes; Part 2 (Software Bill of Materials, SBOM) sets out formal and substantive requirements for SBOMs; and Part 3 (Vulnerability Reports and Notifications) describes procedures for handling incoming vulnerability disclosures.
The CRA represents a turning point: as the first horizontally applicable European cybersecurity regulation, it makes cybersecurity mandatory for all products with digital elements. While compliance may initially entail additional effort, it will ultimately foster trust and competitiveness. Companies that begin early to implement the CRA, especially its reporting processes, which apply from 2026, will not only ensure legal compliance but also position themselves as reliable providers of secure digital products.