The Cyber Resilience Act is Rewriting the Rules of Digital Products Safety

Nov 07, 2025

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) ("CRA") establishes mandatory cybersecurity requirements for products with digital elements, encompassing both hardware and software products that connect to networks or process data, with the intent of providing a more secure, transparent and responsive product ecosystem in the European market.

Central to the CRA is the establishment of a cascading chain of responsibility throughout the product lifecycle, whereby manufacturers bear primary obligations, whilst importers and distributors assume secondary duties including verification of compliance and reporting of non-conformities to competent authorities. Manufacturers must integrate cybersecurity from the design phase onwards, ensuring continued security throughout production, market placement, and post-market phases.

These requirements have raised significant concerns among economic operators of various sizes regarding implementation complexity and resource demands. Nevertheless, manufacturers must fundamentally rethink their development, production, and post-market processes to ensure compliance with the CRA for all future products placed on the European market.

WHICH ENTITIES ARE WITHIN SCOPE? 

The Cyber Resilience Act applies to economic operators involved in the design, development, manufacturing, and distribution of products with digital elements. Its scope includes:

  1. Manufacturers: Entities that develop or manufacture products with digital elements. This encompasses manufacturers of:
    • Hardware products with digital elements (e.g., IoT devices, routers, smart appliances, connected industrial equipment),
    • Software products, including standalone software and firmware,
    • Remote data processing solutions (e.g., cloud-based applications, web services, mobile applications).
  2. Importers
  3. Distributors
  4. Providers of Remote Data Processing Solutions: Entities offering software products that enable data processing at a distance, including:
    • Software-as-a-Service (SaaS) platforms,
    • Cloud-based applications and services,
    • Web-based software solutions,
    • Mobile applications with backend processing.

The CRA applies irrespective of where the manufacturer or other economic operator is established, provided that the products with digital elements are placed on the EU market or put into service within the EU. This extraterritorial application ensures that all products available to EU consumers and businesses meet the regulation's cybersecurity standards, regardless of their origin.

WHAT ARE THE KEY OBLIGATIONS OF PRODUCT MANUFACTURERS? 

Under the CRA, manufacturers bear primary responsibility for ensuring products with digital elements meet essential cybersecurity requirements throughout their lifecycle. These obligations include:

  • Manufacturers must ensure that products with digital elements are designed, developed, and produced in accordance with the essential cybersecurity requirements set out in the CRA.
  • Manufacturers must conduct comprehensive cybersecurity risk assessments identifying potential risks throughout the product's lifecycle and implement appropriate mitigation measures.
  • Depending on product classification, manufacturers must undergo the appropriate conformity assessment procedure to demonstrate compliance with the cybersecurity requirements set out in the CRA.
  • Manufacturers must provide security updates for products for at least five years from the date of placing on the market, or throughout the expected product lifetime if shorter.
  • Manufacturers must provide clear, comprehensive instructions and security-related information to users.
  • Manufacturers must affix the CE marking to compliant products before placing them on the market.
  • Manufacturers must establish and maintain processes to identify, handle and report vulnerabilities and incidents.
  • Manufacturers must maintain records of non-conformities, vulnerabilities, and incidents for ten years after the product has been placed on the market, making these available to market surveillance authorities upon request.
  • Where manufacturers have reason to believe that products they have placed on the market are not in conformity with the CRA, they must immediately take corrective measures to bring the product into conformity, withdraw it, or recall it.

Importers and distributors, unlike manufacturers, have obligations focused on verification and market surveillance. The two roles' duties are similar, though importers bear more extensive responsibilities. Both must verify compliance before placing or making products available on the market, act on non-compliance by refusing market access, cooperate with authorities by providing documentation upon request, and report vulnerabilities to the manufacturer.

As an EU regulation, the CRA is directly applicable across Member States, with enforcement delegated to national market surveillance authorities.

Each Member State must establish effective, proportionate, and dissuasive penalties for infringements, with maximum fines reaching up to €15 million or 2.5% of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher.

Non-compliance may result in product withdrawal orders, prohibition of market placement, financial penalties, and reputational damage, particularly where vulnerabilities lead to security incidents affecting users or critical infrastructure.

SHOULD YOU PREPARE FOR EARLY REPORTING OBLIGATIONS?

Manufacturers are subject to vulnerability and incident reporting obligations that become applicable significantly earlier than the regulation's general requirements.

Whilst the CRA's substantive provisions take effect from 11 December 2027, the reporting obligations apply from 11 September 2026, over a year earlier, so manufacturers must establish compliant processes well in advance. The reporting obligations apply to all products with digital elements falling within the scope of the CRA, regardless of when they are placed on the EU market.

The CRA establishes a three-stage reporting framework designed to enable ENISA and national CSIRTs (Computer Security Incident Response Teams) to monitor emerging cybersecurity threats and coordinate rapid responses to actively exploited vulnerabilities and severe incidents. The framework imposes strict timelines that manufacturers must observe.

WHAT IS THE COMPLIANCE TIMELINE? 

The CRA entered into force on 10 December 2024, but its substantive provisions become applicable progressively to allow manufacturers and economic operators sufficient time to adapt their processes and products.

The CRA establishes the following compliance timeline:

  • 11 September 2026: Vulnerability and incident reporting obligations become applicable to manufacturers of products with digital elements already placed on the market, requiring immediate operational readiness for the three-stage reporting framework.
  • 11 December 2027: The CRA's general provisions become fully applicable.

Products lawfully placed on the market before 11 December 2027 are not retroactively subject to CRA obligations. However, if such products undergo a substantial modification after that date, they must comply with the CRA, and the person making the modification assumes the role of manufacturer for the modified product.

WHAT STEPS SHOULD YOU TAKE NOW? 

With the CRA's reporting obligations taking effect from 11 September 2026 and full applicability from 11 December 2027, manufacturers of products with digital elements must act swiftly to align their operations, technical infrastructure, and contractual arrangements. The following steps are essential to ensure compliance and mitigate legal and commercial risks:

  1. Product assessment and classification
  2. Conformity assessment preparation
  3. Drafting the mandatory documentation
  4. Defining the security support period
  5. Implementing a vulnerability management process
  6. Reviewing and redrafting contracts with customers and third parties
  7. Monitoring the publication of EU harmonized standards


HOW CAN WE ASSIST YOU?

BCLP’s team is equipped to support your organization in navigating the compliance landscape introduced by the Cyber Resilience Act.

We help identify products with digital elements impacted by the regulation through comprehensive gap analyses, assess product classification to determine applicable conformity assessment procedures, and assist in preparing technical documentation and EU declarations of conformity. Our guidance extends to the selection and implementation of appropriate conformity assessment routes, including engagement with notified bodies, application of harmonised standards, and evaluation of European cybersecurity certification schemes such as the EUCC.

To support long-term compliance, we offer ongoing legal monitoring of delegated acts, implementing measures, and harmonised standards as they are adopted, and deliver tailored training sessions to in-house legal, technical, and product development teams, ensuring they remain informed and prepared.

By proactively addressing these obligations, manufacturers not only mitigate legal risk and avoid substantial penalties but also strengthen their competitive position in an increasingly security-conscious market, building customer trust through demonstrable cybersecurity commitment.

Meet The Team

Pierre Emmanuel Froge
+33 (0) 1 44 17 76 21

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.