
Cyber Resilience Act: New homework for SMEs

Note: This article has been machine translated and may therefore contain translation errors.

A contribution from

Alexander Brittner LL.M.

Salary Partner, Attorney at Law


Networked products have become established – from machines in production to cloud software for customers. This networking also requires regulation. In addition to the GDPR, NIS-2, Data Act and AI Regulation, the Cyber Resilience Act (CRA) now provides a European security framework specifically for digitally connected products.

The CRA has been in force since December 10, 2024, and from December 11, 2027, only CRA-compliant products will be allowed on the European market. Reporting obligations for security incidents will already apply from September 11, 2026. For many medium-sized manufacturers, this means that development processes, documentation and liability risks need to be reviewed.

Regulations of the Cyber Resilience Act

The CRA covers all commercially available products with digital elements that are placed on the market in the EU – from smart home devices and software to networked industrial systems. Excluded are, among others, non-commercial open source projects and product groups for which specific cybersecurity requirements already exist, such as medical devices or vehicles.

The regulation is aimed at manufacturers, importers and distributors of products with digital elements. Mere users and operators have no direct obligations under the CRA, but are indirectly affected because in future they will only be allowed to use CRA-compliant products and should demand more transparency and security in their contracts.

Binding security requirements throughout the entire product life cycle are at the heart of the CRA. Manufacturers must carry out a risk assessment, define suitable technical and organizational protective measures and implement them in a documented manner. Products should be designed and preconfigured in such a way that attack surfaces are minimized, weak passwords are avoided and security-relevant functions – especially security updates – are activated by default.

Ongoing patch management is also required. Security vulnerabilities must be addressed throughout the entire support period, typically for the lifetime of the product. Manufacturers must provide security updates and clearly communicate how long a product will be supported.

The CRA distinguishes between ordinary “products with digital elements” and the important or critical product groups. For the majority of products, an internal conformity assessment by the manufacturer is sufficient; for important and critical products, stricter procedures involving bodies designated by the Member States are envisaged. At the same time, harmonized standards and guidelines are expected, which can be used to guide practical implementation.

Violations can lead to high fines – up to €15 million or 2.5% of annual global turnover – as well as market surveillance measures such as sales bans or recalls. In addition, there may be claims arising from data protection violations if personal data is affected.

Implementation in the SME sector

Start with an inventory of your product portfolio. Record which products and product combinations you develop, manufacture, import or sell under your own brand and whether they communicate directly or indirectly with networks or other devices.

For the products identified in this way, anchor security by design and security by default in your development processes, carry out risk assessments and adopt the CRA specifications in development and quality assurance: define which security functions are active by default and how long each product is supported. Ensure that you are able to remediate actively exploited vulnerabilities and handle serious incidents in good time, fix them for your customers, report them on time and document them internally in a traceable manner.

Conclusion

The Cyber Resilience Act is not a niche topic for IT departments, but changes the way in which networked products are designed, documented and supported throughout their life cycle. From December 11, 2027, products with digital elements may only be offered on the European market if they meet the CRA requirements; central reporting obligations and increased liability risks will already apply from September 11, 2026. At the same time, attention should be paid to compliance with the requirements of the GDPR, NIS-2, Data Act and AI Regulation – the legislator is thus establishing a large number of provisions against which market participants in the IT environment must be measured.
