Understanding the EU Cyber Resilience Act (CRA): The New Standard for Digital Product Security


What is the Cyber Resilience Act?

The Cyber Resilience Act is a regulatory framework introduced by the EU to ensure a high, uniform level of cybersecurity for products across their entire lifecycle. It is a direct response to the growing threat posed by cyberattacks that exploit common vulnerabilities in connected devices and software.

Before the CRA, many digital products were launched with weak security, and manufacturers often lacked the legal obligation to fix vulnerabilities once the product was in use. The CRA changes this by effectively shifting the responsibility for cybersecurity from the consumer to the manufacturer.

The CRA applies to any product with digital elements, and the core objectives focus on:

  1. Security-by-Design: To ensure that hardware and software products are placed on the market with fewer vulnerabilities by embedding security into the product's design, development, and production phases.

  2. Lifecycle Commitment: To compel manufacturers to take responsibility for a product’s security throughout its expected lifetime, mandating the provision of timely security updates and fixes.

  3. Transparency: To enable consumers and businesses to make informed decisions by providing clear information about a product's security properties, including the duration of security support.

What is a 'Product with Digital Elements'?

The scope of the CRA is intentionally broad, covering any product with digital elements whose intended or foreseeable use includes a direct or indirect logical or physical connection to a device or network. This includes, but is not limited to:

  • Software: Operating systems, non-embedded software, anti-virus programs, virtual private networks (VPNs), and digital assistants. Unlike embedded software (such as firmware built into a router or smart device), non-embedded software runs independently of specific hardware but still connects to devices or networks.

  • Hardware: Laptops, smartphones, routers, switches, smart cameras, and digital components such as CPUs and microcontrollers.

Crucially, the CRA is one of the first regulations to apply mandatory cybersecurity requirements to both hardware and non-embedded software.

Key Obligations and Requirements

The CRA introduces a comprehensive set of mandatory requirements for manufacturers, importers, and distributors who place products with digital elements on the EU market, with the heaviest burden falling on manufacturers.

Essential Cybersecurity Requirements (Pre-Market)

Before a product can bear the mandatory CE Mark—the symbol of conformity to EU standards—manufacturers must ensure their product is designed to meet specific security criteria:

  • Secure-by-Default: Products must be placed on the market in a secure-by-default configuration, often requiring users to set a unique password upon first use.

  • Attack Surface Limitation: The product must be designed to minimize the potential entry points for cyberattacks.

  • Data Protection: Confidentiality and integrity of stored, transmitted, or processed data must be protected, including through encryption where appropriate.

  • Access Control: Products must prevent unauthorized access through robust authentication and identity management systems.

  • Risk Assessment: Manufacturers must carry out a comprehensive cybersecurity risk assessment for the product and document the results.

Mandatory Vulnerability Handling (Post-Market)

Under the CRA, a product manufacturer is required to provide ongoing support for security concerns and vulnerabilities. It is no longer sufficient for a product to be secure at launch; the manufacturer must ensure that the product remains secure throughout its lifetime, or for a minimum of 5 years:

  • Minimum Support Period: Manufacturers must monitor their products for vulnerabilities and provide free security updates for the product’s expected use time, with a minimum support period of five years.

  • Vulnerability Disclosure Policy: A clear, accessible policy must be established to allow third parties (like security researchers) to report potential vulnerabilities.

  • Rapid Incident Reporting: Manufacturers must report actively exploited vulnerabilities and severe security incidents to the relevant national authorities (CSIRTs) and the EU Agency for Cybersecurity (ENISA) within a tight window:

    • 24 hours for an initial early warning notification of awareness.

    • 72 hours for a vulnerability or incident notification.

  • Software Bill of Materials (SBOM): Manufacturers must identify and document the components in their products by drawing up a Software Bill of Materials in a machine-readable format.

Compliance Timeline and Penalties

The CRA came into force in December 2024, but manufacturers have a grace period to adapt their products and processes.

Product manufacturers must comply with the mandatory reporting obligations for actively exploited vulnerabilities and severe incidents by September 2026.

All obligations under CRA will come into full enforcement from December 2027.

The penalties for non-compliance are severe and aim to be a genuine deterrent:

  • Fines of up to €15 million or 2.5% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher.

  • Non-compliant products can be withdrawn or recalled from the EU market.

Security Technology for the Future

The Cyber Resilience Act is set to be the defining cybersecurity regulation of the decade, setting a global precedent for product security. Businesses must take proactive steps now to review their entire product lifecycle, from design and development to long-term support, to ensure continued access to the EU market. Even if a product is not made in the EU, it must be CRA compliant to be made available on the EU market.

Contact us today to understand how we can prepare your products and connected device infrastructure for the Cyber Resilience Act.