20 May 2026

Testing under the EU Cyber Resilience Act: what manufacturers of connected products need to prove

Quick summary

The EU Cyber Resilience Act introduces lifecycle-wide cybersecurity obligations for almost every product with digital elements placed on the EU market. Manufacturers must demonstrate, not just claim, that security has been engineered in from the design stage. With reporting obligations starting on 11 September 2026 and full conformity requirements applying from 11 December 2027, the time to build testing evidence is now.

Introduction

The Cyber Resilience Act, Regulation (EU) 2024/2847, is the first European regulation to set a minimum cybersecurity baseline for all connected products on the EU market. It entered into force on 10 December 2024 and applies in full from 11 December 2027, with vulnerability reporting obligations starting earlier on 11 September 2026 (European Commission, 2024).

For manufacturers of connected hardware, embedded systems, and software products, the CRA shifts cybersecurity from an internal best practice to a documented, auditable legal requirement. This article explains what the CRA actually requires manufacturers to prove, what testing evidence regulators expect, and how to build a compliance approach that scales across the product lifecycle.

What the CRA actually covers

The CRA applies to virtually every product with digital elements made available on the EU market. According to the European Commission, this includes connected hardware (smartphones, laptops, smart home devices, smart meter gateways, microprocessors, firewalls), software products (operating systems, applications, libraries), and the remote data processing solutions on which they depend (European Commission, 2024).

A few sector-specific products are excluded because they are covered by separate EU rules. Medical devices, motor vehicles, in vitro diagnostics, civil aviation equipment, and marine equipment fall under their own sectoral frameworks. Everything else with a digital element and a network connection sits in scope, which means the CRA's reach across the European market is far wider than most manufacturers initially assume.

For Nordic, DACH, and Benelux manufacturers, this matters particularly in industrial IoT, building automation, energy systems, and connected consumer products, all of which are now treated as security-relevant products under EU law.

Takeaway: The CRA covers almost every product with digital elements on the EU market, far beyond the categories typically associated with cybersecurity regulation.

The key deadlines manufacturers must plan around

The CRA's timeline is staged in the law itself, and each milestone carries different operational requirements.

The critical dates are:

  • 10 December 2024: CRA enters into force

  • 11 June 2026: Member States must designate notifying authorities and procedures for conformity assessment bodies

  • 11 September 2026: Mandatory reporting of actively exploited vulnerabilities and severe incidents begins, applying to all in-scope products including those already on the market

  • 11 December 2026: Member States should ensure sufficient notified bodies are in place to handle conformity assessments

  • 11 December 2027: All CRA requirements apply in full, including essential cybersecurity requirements and conformity assessment before market placement

The September 2026 date is the one most manufacturers underestimate. Vulnerability reporting applies retroactively to products already placed on the market, which means existing connected devices in the field need a reporting capability in place by then, not just new products under development. Building this capability requires vulnerability monitoring, an incident response workflow, and a connection to the ENISA Single Reporting Platform once it goes live.

Takeaway: The 11 September 2026 reporting deadline applies to existing products as well as new ones, making preparation a 2026 priority, not a 2027 one.

What manufacturers must actually prove

The CRA's central principle is that security must be designed into the product from the start, maintained across its lifecycle, and provable through documented evidence. Article 13 sets out the manufacturer's main obligations, complemented by Annex I, which lists the essential cybersecurity requirements.

Manufacturers must be able to demonstrate that they have:

  • Performed a cybersecurity risk assessment informing the product's design, development, and maintenance

  • Implemented the essential cybersecurity requirements proportionate to that risk

  • Tested the product against the identified risks, with documented evidence

  • Established a vulnerability handling process running throughout the product's support period

  • Issued security updates and disclosed vulnerabilities in a coordinated manner

  • Maintained technical documentation and made it available for at least 10 years after the product is placed on the market

  • Communicated security information to users, including end-of-support dates and decommissioning instructions

The distinction that runs through every one of these obligations is between claiming and proving. Auditors will expect documented evidence of execution, not statements of intent. This is why testing evidence pipelines, software bills of materials (SBOMs), and audit-ready documentation have become central to CRA preparation across European manufacturers.

Takeaway: CRA compliance hinges on documented, traceable evidence of security testing and vulnerability handling, not on policy statements.

What testing evidence looks like under the CRA

Connected-product manufacturers cannot meet CRA requirements with point-in-time penetration testing or release-time security checks alone. The Act expects testing to be ongoing, risk-based, and evidenced across the full product lifecycle.

Practical components of CRA-grade testing evidence typically include:

  • A risk-based test plan documenting what security testing is performed, at what frequency, and against which threat sources

  • Verification records per identified vulnerability, including the steps taken, evidence gathered, and conclusion reached

  • SBOMs that allow vulnerabilities in third-party components to be detected as they emerge

  • Penetration testing results, including testing scope, methodology, and remediation status

  • Update testing evidence showing that security patches do not introduce regressions

  • Documented vulnerability disclosure processes and coordinated disclosure records

  • Conformity assessment documentation appropriate to the product's classification

For products classified as important or critical under CRA Annexes III and IV, third-party conformity assessment by a notified body is required, raising the bar for documentation quality even further. In practical terms, this means manufacturers need to design their CI/CD and QA pipelines to produce compliance evidence as a by-product of normal testing, rather than treating documentation as a separate workstream.

Takeaway: CRA-grade testing evidence must be continuous, traceable, and integrated into normal product engineering, not produced retroactively.

Reporting obligations and the 24-hour clock

From 11 September 2026, manufacturers of products with digital elements must notify actively exploited vulnerabilities and severe incidents through the ENISA Single Reporting Platform.

The reporting timeline is tight. According to Germany's federal cybersecurity authority BSI, manufacturers must submit an initial report within 24 hours of becoming aware of an actively exploited vulnerability or severe incident, a more detailed notification within 72 hours, and a final report within 14 days of a corrective measure becoming available (or one month for severe incidents) (BSI, 2026).

This is operationally demanding. A 24-hour reporting clock leaves no room for slow internal escalation, ad-hoc evidence gathering, or unclear ownership of vulnerability response. Manufacturers must have triage workflows, evidence templates, and reporting channels in place before the first incident, not after.
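To make the two evidence artefacts concrete, the SBOM-driven detection listed earlier and the staged reporting clock described here, the following Python model is an added example; it is not code from the article or from Wirtek. Every SBOM entry, advisory id (the `ADV-EXAMPLE-*` values are placeholders, not CVE numbers) and timestamp is constructed. The 24-hour, 72-hour and 14-day intervals are taken as the article states them; that the one-month final report for severe incidents counts from the 72-hour notification deadline is an assumption of this example, not something the article specifies.

```python
"""Added example, not code from the article or from Wirtek. Models two pieces
of CRA evidence: an SBOM match against an advisory feed (one verification
record per hit) and the staged reporting clock. All data is constructed."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed SBOM excerpt: component name -> installed version.
SBOM = {"libfoo": "1.4.2", "netstack": "3.0.1", "zlib": "1.2.11"}

# Constructed advisory feed. The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "libfoo", "fixed_in": "1.5.0",
     "actively_exploited": True},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib", "fixed_in": "1.2.11",
     "actively_exploited": False},
    {"id": "ADV-EXAMPLE-0003", "component": "openssl", "fixed_in": "3.0.0",
     "actively_exploited": True},
]


def version_tuple(version: str) -> tuple:
    """Numeric dotted versions only; sufficient for the constructed data."""
    return tuple(int(part) for part in version.split("."))


def match_sbom(sbom: dict, advisories: list) -> list:
    """Return advisories whose component ships in the SBOM below the fixed version."""
    hits = []
    for adv in advisories:
        installed = sbom.get(adv["component"])
        if installed is None:
            continue  # component is not part of this product
        if version_tuple(installed) < version_tuple(adv["fixed_in"]):
            hits.append(adv)
    return hits


def verification_record(adv: dict, sbom: dict, checked_at: datetime) -> dict:
    """Per-vulnerability record: steps taken, evidence gathered, conclusion.
    Only meaningful for advisories returned by match_sbom()."""
    installed = sbom[adv["component"]]
    return {
        "advisory": adv["id"],
        "steps": ["matched SBOM component against advisory feed",
                  f"compared installed {installed} with fixed-in {adv['fixed_in']}"],
        "evidence": {"component": adv["component"], "installed": installed,
                     "checked_at": checked_at.isoformat()},
        "conclusion": "affected",
        # Only actively exploited vulnerabilities start the reporting clock.
        "reporting_required": adv["actively_exploited"],
    }


def add_one_month(when: datetime) -> datetime:
    """Calendar-month step, clamping the day (31 Jan -> 28/29 Feb)."""
    year = when.year + 1 if when.month == 12 else when.year
    month = 1 if when.month == 12 else when.month + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


@dataclass
class Milestone:
    name: str
    due: Optional[datetime]            # None while the trigger event is unknown
    submitted: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        if self.due is None:
            return "pending"
        if self.submitted is not None:
            return "on time" if self.submitted <= self.due else "late"
        return "overdue" if now > self.due else "open"


def build_milestones(aware_at: datetime, severe_incident: bool = False,
                     corrective_measure_at: Optional[datetime] = None) -> list:
    """Staged deadlines: 24 h early warning, 72 h notification, then the final
    report 14 days after a corrective measure is available, or (assumption of
    this example) one month after the notification deadline for a severe
    incident."""
    early = Milestone("early warning (24 h)", aware_at + timedelta(hours=24))
    notify = Milestone("notification (72 h)", aware_at + timedelta(hours=72))
    if severe_incident:
        final_due = add_one_month(notify.due)
    elif corrective_measure_at is not None:
        final_due = corrective_measure_at + timedelta(days=14)
    else:
        final_due = None
    return [early, notify, Milestone("final report", final_due)]


if __name__ == "__main__":
    aware = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)  # constructed
    for adv in match_sbom(SBOM, ADVISORIES):
        print(verification_record(adv, SBOM, aware))
        for m in build_milestones(aware, corrective_measure_at=aware + timedelta(days=3)):
            print(m.name, m.due, m.status(aware + timedelta(hours=30)))
```

The point of keeping the per-milestone `status()` separate from the deadline arithmetic is that the same record can be re-evaluated at any time: a "pending" final report whose trigger (the corrective measure) has not happened yet is a different audit finding from an "overdue" one, and an auditor will want to see which it was.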

The reporting obligation also applies to a manufacturer's own infrastructure if compromise creates downstream risk for users. Build pipelines, update channels, and development environments are all in scope when their compromise could affect end-product security.

Takeaway: Reporting readiness in 2026 requires triage workflows, evidence templates, and clear ownership defined before any incident occurs.

Penalties and the cost of non-compliance

The CRA's penalty structure reflects how seriously the EU treats connected-product cybersecurity. Administrative fines for non-compliance with essential cybersecurity requirements and manufacturer obligations under Articles 13 and 14 can reach €15 million or 2.5 percent of worldwide annual turnover, whichever is higher (European Commission, 2024).

Lower bands apply to other categories of non-compliance. Failures relating to declarations, CE marking, conformity assessment, or notified body obligations can reach €10 million or 2 percent of worldwide turnover. Supplying incorrect, incomplete, or misleading information can reach €5 million or 1 percent of worldwide turnover (EY, 2025).

For most manufacturers placing connected products on the EU market, exposure at this level is not something that can be managed through after-the-fact remediation. The penalty framework is designed to make under-investment in CRA compliance more expensive than the compliance work itself, which is precisely the regulatory intent.

In the Nordics, DACH, and Benelux, where many manufacturers depend on EU market access for the majority of their revenue, the practical cost of non-compliance extends well beyond the headline fine to include CE marking issues, market withdrawal risks, and reputational impact across the supply chain.

Takeaway: CRA penalties are calibrated to make under-investment in compliance more expensive than the compliance work itself.

Building a CRA-ready engineering function

There is no single template for CRA compliance, but the strongest preparation strategies share a few common features.

Effective approaches typically include:

  • Mapping every product's classification under the CRA (default, important, critical) early, before conformity routes are needed

  • Building security testing and SBOM generation into existing CI/CD pipelines rather than running them as parallel processes

  • Defining clear ownership for vulnerability monitoring, triage, and reporting before the September 2026 deadline

  • Coordinating legal, compliance, R&D, and engineering teams on a single roadmap rather than handing CRA compliance to one function

  • Treating supplier and component due diligence as part of product engineering, given the CRA's lifecycle scope

  • Designing technical documentation as a continuous output of engineering activity, not a year-end exercise

The teams making the most credible progress are those treating the CRA as a product engineering question, not a legal one. Compliance documentation that does not reflect what engineering actually does will not survive regulatory scrutiny.

Takeaway: CRA readiness is built into engineering processes, not added to them as a separate compliance workstream.

Conclusion

The EU Cyber Resilience Act is the most significant change to connected-product regulation in the EU in a generation. It moves cybersecurity from a voluntary best practice to a documented, auditable, enforceable legal requirement, with penalties calibrated to drive serious investment.

For manufacturers of connected hardware, embedded systems, and software products, the implication is straightforward. Testing under the CRA is not a release-time activity but a lifecycle discipline, and the evidence it produces is now part of the product's legal documentation, not an internal artefact.

The September 2026 reporting deadline gives manufacturers a hard date to plan around. The December 2027 full-application deadline gives them an even harder one. Building the engineering and QA capabilities to meet both is the work of the next 18 months, and starting late is no longer an option.


FAQ

When does the EU Cyber Resilience Act apply?

The CRA entered into force on 10 December 2024 and applies in full from 11 December 2027. Vulnerability and incident reporting obligations apply earlier, from 11 September 2026, and apply to all in-scope products including those already on the market.

What products does the CRA cover?

The CRA covers virtually all products with digital elements placed on the EU market, including connected hardware, software, and remote data processing solutions. Medical devices, motor vehicles, in vitro diagnostics, civil aviation equipment, and marine equipment are excluded because they fall under separate sectoral rules.

What evidence do manufacturers need to produce?

Manufacturers must produce a cybersecurity risk assessment, technical documentation, evidence of security testing, vulnerability handling records, SBOMs, coordinated disclosure records, and conformity assessment documentation. Documentation must be retained for at least 10 years after a product is placed on the market.

What are the penalties for non-compliance?

Administrative fines for non-compliance with essential cybersecurity requirements and key manufacturer obligations can reach €15 million or 2.5 percent of worldwide annual turnover. Lower bands of up to €10 million or 2 percent apply for other categories of non-compliance.

How does the 24-hour reporting requirement work?

From 11 September 2026, manufacturers must submit an initial report within 24 hours of becoming aware of an actively exploited vulnerability or severe incident, a more detailed notification within 72 hours, and a final report within 14 days of a corrective measure becoming available (or one month for severe incidents). Reports are submitted through the ENISA Single Reporting Platform.



About the author: Wirtek is a Danish tech company with 25 years of experience, specialising in three core domains: energy, connectivity & automation, and digital engineering. We build, connect and operate digital solutions through software development, Internet of Things (IoT), quality assurance and ready-made products. Founded as a Nokia spin-off, we combine deep know-how with EU compliance to partner with companies on their journey to modernise systems and extend capabilities while reducing risk. Since 2022, we have focused strongly on shaping solutions that power the sustainability transition.
