
What is the EU Cyber Resilience Act?

A plain-English overview of CRA scope, obligations, and what it means for manufacturers of connected products.

CRAReady Team

The EU Cyber Resilience Act (CRA) is a landmark regulation that establishes mandatory cybersecurity requirements for products with digital elements sold in the European Union. It covers everything from consumer smart home devices to industrial control systems, creating a unified baseline for security across connected products for the first time.

Who Does It Apply To?

The CRA applies to manufacturers, importers, and distributors of products with digital elements — broadly, any hardware or software product that connects directly or indirectly to another device or network. This includes consumer IoT devices, operating systems, routers, smart appliances, industrial sensors, and enterprise software. Open-source software developed outside of a commercial context is largely exempt, though commercial open-source distributions are not.

Crucially, the CRA creates obligations throughout the supply chain. Manufacturers bear the heaviest burden: they must design products to be secure by default, handle vulnerabilities actively, and report incidents to the authorities. Importers and distributors must verify that the products they place on the market comply with CRA requirements and must not knowingly place non-compliant products on the market.

Key Obligations Under the CRA

The CRA imposes two categories of requirements set out in Annex I. The first category covers essential cybersecurity requirements that must be met before a product is placed on the market — these include security by design principles, protection against unauthorised access, minimal attack surface, and data minimisation. The second category covers vulnerability handling obligations that persist throughout the expected lifetime of the product, requiring manufacturers to provide security updates, maintain a software bill of materials (SBOM), and actively monitor for and address vulnerabilities.

Beyond these technical requirements, Article 14 introduces a mandatory incident reporting obligation. Manufacturers who become aware of an actively exploited vulnerability or a security incident impacting their product must notify ENISA (the EU Agency for Cybersecurity) within 24 hours and follow up with a detailed report within 72 hours. A final report is due within 14 days of issuing a patch, or within one month of becoming aware of the incident.

The Enforcement Timeline

The CRA entered into force in December 2024, but manufacturers do not yet face full compliance obligations. Incident reporting obligations under Article 14 apply from September 2026, giving manufacturers roughly 21 months from entry into force to build their reporting processes. Full compliance — covering all technical security requirements and conformity assessment — is required by December 2027.

The phased timeline reflects the significant technical and organisational changes required. Products already on the market before December 2027 are not retroactively covered, but any product placed on the market after that date must comply in full. Manufacturers of critical products (Class I and Class II as defined in Annex III) face additional conformity assessment requirements, with Class II products requiring third-party certification.

What This Means in Practice

For manufacturers, the CRA means cybersecurity can no longer be an afterthought bolted on before release. Security by design, structured vulnerability disclosure, and an active patch management process are now legal requirements. Products without security update mechanisms, or organisations without vulnerability disclosure policies, will not be able to place products on the EU market after December 2027.

The practical steps manufacturers should take now include: conducting a CRA applicability assessment to determine how each product is classified; establishing an SBOM generation process covering all digital components; building an internal incident detection and reporting workflow whose deadlines are aligned with Article 14; and reviewing conformity assessment obligations based on product criticality.
