Home Knowledge Cyber Resilience Act: What Manufacturers Need to Know

Cyber Resilience Act: What Manufacturers Need to Know

The Cyber Resilience Act (Regulation (EU) 2024/2847) (CRA) is the EU’s first binding cybersecurity framework specifically for products.

It introduces mandatory cybersecurity obligations for products with digital elements (PDEs) placed on the EU market. PDEs such as smartphones, smart fridges, routers, industrial sensors, operating systems and connected health devices can all fall within the scope of the CRA.

The CRA represents a fundamental development in the EU’s efforts to enhance its cybersecurity posture, elevating cybersecurity from a best-practice consideration to a legal compliance requirement for PDEs.

This article outlines five key obligations that PDE manufacturers need to understand.

CRA key dates at a glance:

  • 11 September 2026: Mandatory incident and vulnerability reporting goes live (this includes products already on the EU market).
  • 11 December 2027: Full CRA compliance required for products being placed on the EU market.

1. What products are in the scope of the CRA?

For a product to be in scope of the CRA, these three cumulative criteria must be satisfied:

  • The product meets the definition of a ‘PDE’. Article 3(1) of the CRA defines a PDE as a ‘product with digital elements’, as a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.
  • The product is made available on the EU market (Article 3(22) of the CRA); and
  • The ‘intended purpose’ or ‘reasonably foreseeable use’ of the product includes a ‘direct or indirect logical or physical data connection’ to a device or network. Examples of connections in scope include direct (e.g., Wi-Fi) and indirect (e.g., a software component running on a connected host operating system (OS)).

2. Who is affected by the CRA?

The CRA applies across the supply chain, including manufacturers, authorised representatives, importers, and distributors of PDEs. The most onerous obligations rest on manufacturers who design, develop or manufacture PDEs and place them on the EU market under their own name or trademark.

The obligations apply regardless of whether the PDE is manufactured inside or outside the EU, and cover both hardware and software, including remote data processing solutions (such as cloud-based functionality) that are integral to a PDE’s operation.

Certain PDEs are excluded, such as those already regulated under sector-specific EU legislation. For example: medical devices, motor vehicles, certified aviation products, marine equipment and products developed exclusively for national security, defence or classified information processing.

3. Classification and why it matters

A key element of the CRA is the classification of the PDE, as it determines the obligations that apply. The CRA establishes three tiers of product classification that determine the applicable conformity assessment procedure and the associated legal requirements. Classification is based on a product’s core functionality, not the characteristics of any individual component it contains. The result is a graduated regulatory framework in which the level of conformity assessment and regulatory oversight increases with the cybersecurity significance of the product’s core functionality, rather than the characteristics of its constituent parts.

This table provides an overview of the CRA’s classification categories:

CategoryExamples of PDEConformity AssessmentEU Cybersecurity Cert
DefaultAll other PDEs not listed in Annex III or IV.Self-assessment (Module A).Not required.
Important (Annex III, Class I)Password managers, operating systems, routers, browsers, VPNs, smart home security products.Self-assessment where harmonised standards are fully applied; otherwise notified body (Module B+C or H).Not required.
Important (Annex III, Class II)Hypervisors, firewalls, intrusion detection/prevention systems, tamper-resistant microprocessors.Third-party assessment always required (Module B+C or H).Not required.
Critical (Annex IV)Hardware security boxes, smart meter gateways, smartcards/secure elements.Third-party assessment required; European cybersecurity certificate may be required by delegated act. In the absence of mandatory certification requirements, conformity assessment must be carried out under Module B + C or HRequired at 'substantial' assurance level (if delegated act adopted).

The European Commission published an implementing act that provides technical descriptions of Class I, Class II, and Annex IV products and offers further guidance on classification (see here).

4. The five key obligations for manufacturers

4.1 Secure by Design and Secure by Default

Manufacturers must ensure that PDEs are designed, developed and produced in accordance with the essential cybersecurity requirements set out in Article 13 and Annex I, Part I of the CRA. Security must be built in from the earliest design stage.

Key pre-market obligations for manufacturers include ensuring:

  • There are no known exploitable vulnerabilities in products placed on the market;
  • That secure default configurations are implemented (i.e. no insecure default/factory settings);
  • The protection of the confidentiality, integrity and availability of data and functions;
  • The minimisation of the attack surface, including external interfaces;
  • The ability to securely update, reset and decommission the product;
  • That cybersecurity measures are proportionate to a documented risk assessment;

Under the CRA, products may not be placed on the EU market unless they satisfy these requirements. These obligations apply from 11 December 2027.

4.2 Mandatory Cybersecurity Risk Assessment

Before placing a PDE on the EU market, manufacturers must carry out, document and keep under review a cybersecurity risk assessment under Article 13 of the CRA. This is not a one-off exercise; rather, it must be maintained and updated throughout the product’s support period.

The documented risk assessment must document:

  • The product’s intended purpose and reasonably foreseeable use;
  • The relevant threat environment;
  • The assets, impacts and lifecycle phases from planning through to maintenance;
  • The expected product lifetime (‘support period’); and
  • The applicable essential cybersecurity requirements and how they are implemented.

The risk assessment must be included in the technical documentation required for conformity assessment under Article 31 of the CRA. The risk assessment also determines:

  • How the applicable Annex I requirements are implemented, and where a requirement is not applicable, the documented justification for that conclusion; and
  • Ongoing updates when vulnerabilities or changes arise.

4.3 Lifecycle Vulnerability Handling

Manufacturers are responsible, end-to-end, for identifying, handling, and remediating vulnerabilities throughout a product’s support period. The support period must reflect the product’s expected lifespan and be at least five years (unless the expected lifespan exceeds this or a longer period is justified). Manufacturers must document the rationale for the chosen support period.

The CRA’s vulnerability handling obligations include:

  • Maintaining a Software Bill of Materials (SBOM) for all software components;
  • Monitoring for vulnerabilities across all integrated components, including open-source dependencies;
  • Remediating vulnerabilities without undue delay and providing security updates;
  • Enabling secure (and, where appropriate, automatic) update mechanisms;
  • Implementing a Coordinated Vulnerability Disclosure (CVD) policy;
  • Publicly disclosing information on fixed vulnerabilities (subject to limited delay exceptions).

These obligations apply regardless of whether the vulnerability originates in third‑party code. These lifecycle vulnerability handling obligations apply in full from 11 December 2027, subject to transitional provisions.

4.4 Mandatory Incident and Vulnerability Reporting — 11 September 2026 deadline

From 11 September 2026, manufacturers must report to the relevant Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA) simultaneously when they become aware of either:

  • An actively exploited vulnerability in a PDE: meaning there is reliable evidence that a malicious actor has exploited it without the system owner’s permission; or
  • A severe security incident having an impact on the security of a PDE: meaning an incident that negatively affects, or is capable of negatively affecting, the availability, authenticity, integrity or confidentiality of sensitive or important data or functions, or that has led or could lead to the introduction of malicious code into the product or a user’s systems.

Manufacturers may become aware of triggering events through external notifications (e.g., from customers, security researchers, or threat intelligence) or through their own monitoring capabilities, such as security analytics, honeypot systems, or internal incident detection.

Reports are submitted via ENISA’s Single Reporting Platform (expected to be operational around 11 September 2026). The reporting process has three mandatory stages:

DeadlineStageWhat to report
Within 24 hoursEarly warningNotify CSIRT and ENISA of the vulnerability or incident. Indicate Member States where the product has been made available.
Within 72 hoursDetailed notificationProvide general information on the product, the nature of the exploit/incident, corrective or mitigating measures already taken or available to users, and (where applicable) sensitivity classification of the information.
Within 14 days (vulnerabilities), Within one month (incidents)Final reportSubmit a full description of the vulnerability/incident, its severity and impact, information on any malicious actor, and details of the security update or corrective measure made available.
On an ongoing basisUser notificationInform impacted users of the actively exploited vulnerability or severe security incident. If the manufacturer fails to do this promptly, the notified CSIRT may step in and notify users directly.

Affected users must also be notified directly. If a manufacturer fails to do so promptly, the relevant CSIRT may notify users itself. Where public disclosure is necessary to prevent or mitigate a severe incident, the relevant Member State CSIRT may, after consulting the manufacturer, require public disclosure or make the disclosure itself.

4.5 Conformity Assessment, CE Marking and Ongoing Compliance

Before placing a product on the EU market, manufacturers must:

  • Complete the applicable conformity assessment procedure (see the classification table above);
  • Prepare and maintain technical documentation in accordance with Annex VII (including general product description; design, development and production overview; cybersecurity risk assessment; test reports; SBOM where applicable; and a copy of the EU Declaration of Conformity);
  • Issue an EU Declaration of Conformity confirming compliance with the essential cybersecurity requirements;
  • Affix the CE marking visibly, legibly and indelibly to the product, its packaging or accompanying documentation.

The CRA gives manufacturers discretion in meeting this requirement (i.e., it does not prescribe a specific methodology). The key thing is that the product is designed, developed, and manufactured to comply with the essential requirements of the CRA, i.e., Article 13 and Part I of Annex I.

For default‑category products, the applicable conformity assessment procedure operates as a self‑assessment (Module A), as set out in Article 32 and Annex VIII. Manufacturers must draw up an EU Declaration of Conformity in accordance with Article 28, using one of the following formats:

  • The simplified declaration, set out in Annex VI (i.e. you provide a customer with a hyperlink to it); or
  • The detailed version, set out in Annex V (i.e. you provide a client with a copy of it).

5. Penalties for non-compliance

The CRA’s enforcement framework is tiered. Fines are calculated by reference to the type of infringement and, for undertakings, total worldwide annual turnover:

InfringementFine
Breach of essential cybersecurity requirements (Annex I) or core manufacturer obligations (Articles 13 & 14)Up to €15,000,000 or 2.5% of total worldwide annual turnover, whichever is higher
Breach of other CRA obligationsUp to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher
Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authoritiesUp to €5,000,000 or 1% of total worldwide annual turnover, whichever is higher

Fines may be imposed in addition to other enforcement measures such as corrective action requirements, withdrawal or recall orders, and market prohibition. The fine level takes into account factors including the nature, gravity and duration of the infringement; any prior fines imposed on the same operator; and the size of the undertaking (with particular regard to SMEs, micro-enterprises and start-ups).

Conclusion

The CRA reshapes the regulatory expectations placed on manufacturers of digital and connected products. With obligations extending well beyond market entry into post-market vulnerability handling and incident reporting, CRA readiness will be essential for manufacturers under this new legal framework.

For further advice on how these developments affect your business, please contact Rachel Hayes or your usual William Fry contact.

 

Contributed by Jessica Hill