Quick summary
The Cyber Resilience Act makes security a legal condition for selling almost any product with digital elements in the EU. Connected and IoT makers face secure-by-design obligations, mandatory software bills of materials and incident reporting, with the first hard deadlines arriving in 2026.
For most of the connected hardware era, a device could ship with known weaknesses and no plan to fix them, and nothing in EU law required otherwise. The Cyber Resilience Act ends that arrangement by tying market access to demonstrable cybersecurity across a product’s entire supported life.
The regulation is broad by design. It applies to almost any product with digital elements placed on the EU market, from industrial gateways and sensors to consumer electronics and the software that runs on them. For manufacturers, importers and distributors, the change is not cosmetic: security moves from a feature to a precondition for selling at all.
The CRA, formally Regulation (EU) 2024/2847, entered into force on 10 December 2024 and applies horizontally to products with digital elements made available on the EU market (European Commission, 2025). That phrase is deliberately wide. It captures software and hardware, their remote data processing components, and parts placed on the market separately, which means a single connected product can carry obligations across several economic operators.
Crucially, the regulation reaches manufacturers based outside the EU if their products reach EU buyers. A device assembled in Asia and sold into Denmark or Germany is in scope exactly as a domestically produced one would be, which removes the option of treating EU compliance as someone else’s problem further up the supply chain.
The CRA does not ask whether a product is connected; it asks whether its security can be demonstrated, maintained and reported on throughout its life.
The reason this framing matters is that it shifts the burden from the point of sale to the whole lifecycle. A product that was secure on launch day but receives no updates is no longer compliant simply because it once passed a test.
Takeaway: The CRA applies horizontally to nearly every product with digital elements sold in the EU, including non-EU manufacturers, and judges security across the full product lifecycle.
The CRA’s substantive requirements force security decisions to the start of development rather than the end. Manufacturers must design and build products to a set of essential cybersecurity requirements, then maintain that security for the product’s expected support period. The obligations that most affect engineering teams include:
Secure-by-design and secure-by-default engineering from the initial concept
A machine-readable software bill of materials covering at least top-level dependencies
Coordinated vulnerability disclosure and a process to handle reported flaws
Security updates for the defined support lifetime of the product
Conformity assessment and CE marking before the product is placed on the market
The software bill of materials is the obligation teams most often underestimate. Without an accurate, maintained inventory of components, a manufacturer cannot answer the basic question the CRA will ask after September 2026: is one of my products affected by a newly exploited vulnerability? The implication is that supply chain transparency stops being good practice and becomes a reporting prerequisite.
This is where disciplined IoT product development earns its return, because retrofitting an SBOM and an update mechanism onto a finished design is far harder than building them in. Teams that treat component tracking and over-the-air updates as core architecture, rather than late additions, absorb the CRA with far less disruption.
Takeaway: The CRA pushes security to the design phase, and the software bill of materials and update mechanism are the foundations everything else depends on.
The CRA’s general provisions apply from 11 December 2027, and many organisations plan around that date. The reporting obligations, however, arrive over a year earlier. From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting their products with digital elements (European Commission, 2025).
The mechanics are demanding. A manufacturer must submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability, a full notification within 72 hours, and a final report after a corrective measure is available. Reports go through a single reporting platform that ENISA is building, routed to the relevant national CSIRT.
According to Bryan Cave Leighton Paisner (2025), these reporting duties apply regardless of when a product was placed on the market, which is the detail that catches teams off guard. The reason this matters is that a connected gateway shipped in 2019 and still in use is covered: if an exploitable vulnerability in one of its components is being attacked, the manufacturer must detect and report it from September 2026 onward.
The 2027 headline deadline hides the real one, because reporting obligations land in 2026 and apply to products already in the field.
Takeaway: Incident and vulnerability reporting begins on 11 September 2026, more than a year before full compliance, and covers products already on the market.
Products lawfully placed on the market before December 2027 are not retroactively subjected to the full design requirements, which offers some relief. The exceptions are the reporting framework, which applies to fielded products, and substantial modifications, which reset the clock.
If an existing product undergoes a substantial modification after the regulation’s general application date, it must comply with the CRA, and the party making the change takes on the manufacturer’s responsibilities. For connected products that receive significant firmware overhauls, this blurs the line between maintaining a legacy device and creating a new regulated one.
The practical consequence is that manufacturers need a clear-eyed inventory of what is still in the field and what they can actually update. A product that cannot receive security patches is a liability under a regime that expects vulnerabilities to be detected, reported and remediated.
Takeaway: Older products escape the full design rules but not the reporting duties, and a substantial modification can pull a legacy device fully into CRA scope.
The penalties make the case for early action. Breaches of the essential cybersecurity requirements can attract fines of up to 15 million euros or 2.5 percent of global annual turnover, whichever is higher (European Commission, 2025). For a hardware company with thin margins, that exposure dwarfs the cost of building compliance in from the start.
A sensible programme works backwards from the deadlines. Establish vulnerability handling and reporting processes ahead of September 2026, since those obligations come first, then align the broader design, documentation and conformity work to the 2027 application date. Manufacturers selling into the Nordics, DACH and Benelux markets should also expect customers, particularly industrial buyers, to demand CRA evidence well before the legal deadline as a condition of procurement.
The interpretive point is that the CRA rewards manufacturers who already engineer for maintainability. Component visibility, a working update channel and a documented disclosure process are not just compliance artefacts; they are the same practices that keep a connected product viable over a long service life.
Takeaway: With fines reaching 2.5 percent of global turnover, the efficient response is to build vulnerability handling first for the 2026 deadline, then align design and conformity work to 2027.
The Cyber Resilience Act turns product security into a market access requirement, and its timeline front-loads the obligations that depend most on internal process. Reporting and vulnerability handling come first, in 2026, while the full design and conformity regime follows in 2027.
For connected and IoT makers across the EU, the strongest position is to treat the CRA as an extension of good engineering rather than a separate compliance project. Build products that can be inventoried, updated and monitored, and the regulation becomes a structure to document rather than a wall to climb.
The CRA applies to almost any product with digital elements made available on the EU market, including software, hardware, IoT devices, industrial components and their remote data processing solutions. It also covers components placed on the market separately. Manufacturers based outside the EU are in scope if their products reach EU buyers.
The regulation entered into force on 10 December 2024. Conformity assessment body provisions apply from 11 June 2026, vulnerability and incident reporting obligations from 11 September 2026, and the main substantive requirements from 11 December 2027. The reporting deadline is the one teams most often underestimate, because it arrives more than a year before full compliance.
A software bill of materials, or SBOM, is a machine-readable inventory of the components in a product, covering at least its top-level dependencies. The CRA requires manufacturers to maintain one and provide it to market surveillance authorities on request. It is essential because a manufacturer cannot determine whether a product is affected by a newly exploited vulnerability without knowing what is inside it.
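As an added illustration that is not part of the original article, the Python sketch below shows how a maintained SBOM answers the question raised in the SBOM discussion earlier in the article and in the definition above: it matches constructed CycloneDX-style component lists for two hypothetical products against a constructed feed of actively exploited advisories, and derives the 24-hour and 72-hour reporting deadlines from the moment of awareness. Product names, component versions and advisory identifiers are placeholders, not real data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-style SBOMs for two hypothetical products (placeholder data).
SBOMS = {
    "edge-gateway-fw": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"name": "mosquitto", "version": "2.0.15", "purl": "pkg:generic/mosquitto@2.0.15"}]}),
    "sensor-node-fw": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"name": "mbedtls", "version": "3.4.0", "purl": "pkg:generic/mbedtls@3.4.0"}]}),
}

# Constructed "actively exploited" advisory feed: affected component, first affected
# version (inclusive) and first fixed version (exclusive). IDs are placeholders.
EXPLOITED = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "introduced": "3.0.0", "fixed": "3.0.8"},
    {"id": "ADV-PLACEHOLDER-2", "component": "mbedtls", "introduced": "2.0.0", "fixed": "3.3.0"},
]

def parse_version(v):
    # Dotted numeric versions only; real feeds need a full semver/PURL comparator.
    return tuple(int(p) for p in v.split("."))

def in_range(version, introduced, fixed):
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def affected_products(sboms, advisories):
    """Return {product: [(advisory id, 'component@version'), ...]} for every SBOM hit."""
    hits = {}
    for product, raw in sboms.items():
        bom = json.loads(raw)
        for comp in bom.get("components", []):
            for adv in advisories:
                if comp["name"] == adv["component"] and in_range(
                        comp["version"], adv["introduced"], adv["fixed"]):
                    hits.setdefault(product, []).append(
                        (adv["id"], f"{comp['name']}@{comp['version']}"))
    return hits

def reporting_deadlines(aware_at):
    """Early warning within 24 h and full notification within 72 h of awareness,
    the timings the article describes; the final report follows the corrective measure."""
    return {"early_warning": aware_at + timedelta(hours=24),
            "notification": aware_at + timedelta(hours=72)}

if __name__ == "__main__":
    hits = affected_products(SBOMS, EXPLOITED)
    for product, matches in hits.items():
        print(product, matches)
    print(reporting_deadlines(datetime.now(timezone.utc)))
```

Only the gateway is flagged: the sensor node's mbedtls 3.4.0 sits above the advisory's fixed version, which is exactly the distinction an accurate, version-precise SBOM makes possible.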
Breaches of the essential cybersecurity requirements can result in fines of up to 15 million euros or 2.5 percent of global annual turnover, whichever is higher. Non-compliance can also lead to product withdrawal or a ban on placing the product on the EU market, alongside reputational damage where vulnerabilities lead to incidents.
The Cyber Resilience Act, summary of the legislative text – European Commission – 2025 – https://digital-strategy.ec.europa.eu/en/policies/cra-summary
Cyber Resilience Act reporting obligations and the Single Reporting Platform – European Commission – 2026 – https://digital-strategy.ec.europa.eu/en/policies/cra-reporting
The Cyber Resilience Act is rewriting the rules of digital product safety – Bryan Cave Leighton Paisner – 2025 – https://www.bclplaw.com/en-US/events-insights-news/the-cyber-resilience-act-is-rewriting-the-rules-of-digital-products-safety.html