Cyber Resilience Act explained for software and IoT companies
Quick summary
The Cyber Resilience Act introduces mandatory cybersecurity requirements for all digital products in the EU. It enforces secure-by-design principles, lifecycle accountability, and strict vulnerability management. Software and IoT companies must adapt development and compliance processes before full enforcement in 2027.
Introduction
The European Union is reshaping cybersecurity regulation with a clear shift towards product accountability. The Cyber Resilience Act (CRA) introduces legally binding requirements for products with digital elements, covering both standalone software and connected IoT devices.
This regulation reflects a broader transformation in how digital risk is managed. Instead of focusing only on organisational practices, the CRA ensures that the products themselves are secure throughout their lifecycle. This is particularly relevant in sectors such as energy, manufacturing, and critical infrastructure across Denmark and the wider EU, where software and connected systems are deeply integrated.
For software and IoT companies, the CRA is not simply a compliance requirement. It is a structural change that affects how products are designed, developed, tested, and maintained.
What is the Cyber Resilience Act
The Cyber Resilience Act is an EU regulation that establishes horizontal cybersecurity requirements for products with digital elements. It applies to software, hardware, and connected devices placed on the EU market, regardless of where the manufacturer is based.
The regulation aims to reduce vulnerabilities and ensure consistent security standards across the European market. It introduces mandatory requirements for secure design, vulnerability handling, and transparency towards users.
According to the European Commission, the CRA ensures that products are secure by default and remain protected throughout their lifecycle, while also improving how vulnerabilities are reported and addressed (European Commission, 2025).
The regulation was formally adopted as Regulation (EU) 2024/2847, creating a unified legal framework for product cybersecurity across the EU (EUR-Lex, 2024).
Takeaway: The CRA establishes mandatory, EU-wide cybersecurity requirements for all products with digital elements.
Why the CRA matters for software and IoT companies
Digital products are increasingly embedded in critical systems, from smart grids in the Nordics to industrial automation across Europe. This creates a growing attack surface, particularly in software supply chains and connected devices.
ENISA’s Threat Landscape 2025 analysed 4,875 cybersecurity incidents between July 2024 and June 2025, highlighting that supply chain vulnerabilities and software weaknesses remain key risk areas (ENISA, 2025).
The CRA directly addresses these issues by enforcing consistent security practices across the product lifecycle. It targets common weaknesses such as insecure default settings, lack of updates, and insufficient vulnerability management.
For IoT devices, the impact is especially significant. Many devices operate in long lifecycle environments, such as energy infrastructure, where security updates and monitoring have traditionally been limited.
Takeaway: The CRA addresses rising software and IoT risks by enforcing lifecycle-based cybersecurity requirements.
Scope: which products are covered
The CRA applies to a broad range of products with digital elements sold or deployed within the EU. This includes:
- Enterprise and consumer software
- IoT devices such as sensors, smart meters, and industrial controllers
- Embedded systems used in sectors like energy and transport
- Cloud-connected applications and platforms
Certain products are categorised as critical and are subject to stricter conformity assessments. These typically include systems that play a role in essential services or have higher cybersecurity risks.
The regulation also applies to non-EU manufacturers if their products are made available on the EU market, reinforcing its global relevance.
Takeaway: The CRA covers nearly all software and IoT products in the EU, with stricter requirements for critical systems.
Key requirements under the CRA
Secure by design and by default
Products must be designed with cybersecurity as a core requirement from the outset. This includes minimising attack surfaces, using secure default configurations, and implementing appropriate access controls.
These principles align with established standards such as ISO 27001 and IEC 62443, widely used in European industries.
Vulnerability management and patching
Manufacturers are required to manage vulnerabilities throughout the product lifecycle. This includes identifying, documenting, and addressing security issues, as well as providing timely updates.
The CRA also introduces obligations to report actively exploited vulnerabilities to authorities within defined timelines (European Commission, 2025).
Documentation and transparency
The regulation requires clear documentation of product security features and known vulnerabilities. A Software Bill of Materials (SBOM) is encouraged to improve transparency and enable better supply chain risk management.
According to the National Institute of Standards and Technology, SBOMs provide a structured inventory of software components, improving visibility and risk assessment across supply chains (NIST, 2024).
Conformity assessment and CE marking
Products must undergo conformity assessments to demonstrate compliance with CRA requirements. Once compliant, they receive CE marking, indicating adherence to EU cybersecurity standards.
This integrates cybersecurity into the EU’s broader product safety framework.
Takeaway: The CRA mandates secure design, continuous vulnerability management, and transparent documentation for all digital products.
How the CRA differs from NIS2 and GDPR
The CRA is part of a broader EU cybersecurity framework that includes NIS2 and GDPR, but each regulation has a distinct focus.
- NIS2 focuses on organisational cybersecurity and risk management across essential and important sectors
- GDPR regulates personal data protection and privacy
- CRA targets the cybersecurity of products themselves
According to the European Commission, NIS2 expands cybersecurity obligations across 18 critical sectors, reinforcing organisational resilience (European Commission, 2025).
Together, these regulations create a layered approach to digital security. For example, a company operating connected energy systems in Denmark must comply with NIS2 for operational security, GDPR for personal data, and CRA for product-level cybersecurity.
Takeaway: The CRA complements NIS2 and GDPR by focusing specifically on securing digital products.
Implications for development and engineering teams
Shift towards integrated security practices
Development teams must embed security throughout the lifecycle. This includes integrating security testing into CI/CD pipelines and continuously monitoring for vulnerabilities.
Expanded role of quality assurance
Quality assurance now includes validating security requirements and compliance, not just functionality. This involves testing for resilience against cyber threats and ensuring adherence to regulatory standards.
Lifecycle responsibility
Manufacturers remain responsible for product security after deployment. This includes providing updates, monitoring threats, and communicating risks to users.
This lifecycle approach represents a significant shift from traditional software delivery models, particularly for IoT and embedded systems.
Takeaway: The CRA requires development teams to integrate security, testing, and compliance across the full product lifecycle.
Timeline and enforcement
The Cyber Resilience Act follows a phased implementation timeline:
- Entered into force on 10 December 2024
- Reporting obligations apply from 11 September 2026
- Full application from 11 December 2027
This phased approach allows organisations time to adapt their processes and technologies while preparing for full compliance (European Commission, 2025; EUR-Lex, 2024).
Non-compliance may result in fines, product withdrawal from the market, or restrictions on distribution within the EU.
Takeaway: With full enforcement by 2027, early preparation is essential to ensure compliance.
How companies can start preparing
Organisations can begin aligning with the CRA by focusing on key areas:
- Conduct product-level cybersecurity assessments
- Map software components and dependencies using SBOMs
- Align processes with ISO 27001 and IEC 62443
- Implement secure development and testing practices
- Establish vulnerability disclosure and patch management processes
Early preparation not only supports compliance but also strengthens product quality and customer trust, particularly in regulated sectors such as energy and industrial systems.
Takeaway: Proactive alignment with CRA requirements improves both compliance readiness and product resilience.
Conclusion
The Cyber Resilience Act represents a significant shift in how cybersecurity is regulated in the EU. By focusing on the security of digital products, it introduces new levels of accountability for software and IoT companies.
For organisations operating in Denmark and across Europe, the CRA is both a regulatory requirement and an opportunity. It encourages stronger engineering practices, improved transparency, and more resilient digital systems.
Companies that integrate these principles early will be better positioned to meet compliance requirements and compete in a market where cybersecurity is becoming a defining factor.
FAQ
What is the Cyber Resilience Act in simple terms?
The Cyber Resilience Act is an EU regulation that requires software and connected devices to be secure by design and maintained securely throughout their lifecycle.
Who needs to comply with the CRA?
Any company that develops, manufactures, or sells digital products in the EU must comply, including companies based outside the EU.
When will the CRA be fully enforced?
The CRA will be fully applicable from 11 December 2027, with earlier obligations starting in 2026.
Does the CRA apply to software only?
No, it applies to all products with digital elements, including hardware, embedded systems, and IoT devices.
How does the CRA relate to NIS2?
NIS2 focuses on organisational cybersecurity, while the CRA focuses on securing the products themselves.
Sources
- Cyber Resilience Act implementation. Frequently asked questions – European Commission – https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-implementation-frequently-asked-questions
- Cyber Resilience Act. Implementation – European Commission – https://digital-strategy.ec.europa.eu/en/factpages/cyber-resilience-act-implementation
- Regulation (EU) 2024/2847 on cybersecurity requirements for products with digital elements – EUR-Lex – https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
- ENISA Threat Landscape 2025 – European Union Agency for Cybersecurity – https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
- NIS2 Directive overview – European Commission – https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
- Software Bill of Materials (SBOM) – NIST – https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1
