What is the Cyber Resilience Act and who does it affect?

A desk setup with a laptop, router, and smart devices, illustrating the topic of the Cyber Resilience Act and the security of digital products.

The Cyber Resilience Act (CRA for short) is a new EU regulation on the cyber resilience of digital products, and you'll probably be hearing about it more and more often now. That's because, starting 11 December 2027, manufacturers, importers, and distributors will only be allowed to place products with digital elements on the EU market if those products meet new cybersecurity requirements. What exactly counts as a product with a digital element? Who does the CRA apply to, and what obligations does it bring?

What is the CRA and why was the regulation created?

Products with an inadequate level of cybersecurity are reaching the European market – for example, products with weak default passwords, no possibility of updates, or other security flaws that the manufacturer takes no further interest in. On top of that, consumers have no easy way to tell whether the product they're buying is secure. Manufacturers have also often borne no clearly enforceable responsibility for a product's cybersecurity after it has been placed on the market.

The CRA therefore sets uniform minimum cybersecurity requirements for all products with digital elements placed on the EU market, regardless of where the manufacturer is based. These requirements include, for example, setting the period during which the manufacturer will support the product and issue security updates, or informing customers about vulnerabilities and incidents. The main aim of the CRA is thus to raise the baseline level of cybersecurity for digital products on the European market.

Which products does the CRA regulate?

The CRA regulates "products with digital elements." This means any hardware or software product capable of connecting to a network or another device, including remote data processing functions. In practice, these can be routers, IP cameras, smart appliances, industrial sensors, antivirus programs, mobile apps, or ERP systems – but also smart toys or software that you develop in-house and sell to clients.

The CRA applies to products with digital elements placed on the EU market. A product is placed on the market the moment the manufacturer first makes it available for distribution or sale within the EU – whether through a distributor or importer, or by selling it directly to the client. For software, placing on the market can also occur when it is made available online for download or is provided together with a remote service essential to its functioning.

So it's not the case that if you placed a product on the market before the CRA took effect, you're automatically off the hook. If you want to keep selling it – that is, keep "placing it on the market" – the CRA obligations apply to you all the same.

Product risk categories

The CRA divides products with digital elements into four categories according to their level of risk. We'll cover this classification in more detail in future articles. In short, though, the rule is: the higher the risk a product poses, the stricter the requirements for verifying it. The main difference lies in whether the manufacturer can verify the product's security themselves, or whether they must involve an independent third party.

Other products with digital elements (the vast majority of the market) – the manufacturer verifies the product's security themselves.

Important products, class I (for example, password managers, browsers, VPNs, or routers for home use) – in most cases, security must be verified by an independent third party.

Important products, class II (for example, firewalls or hypervisors) – involving an independent third party is always mandatory.

Critical products (for example, hardware security devices or smart cards) – these require European cybersecurity certification under the Cybersecurity Act.

Who does the CRA apply to?

The CRA distinguishes three main roles – manufacturer, importer, and distributor. Each of these roles carries a different degree of responsibility.

The manufacturer bears the main responsibility. They must ensure the product's security throughout its entire support period (at least 5 years, or for the product's expected lifetime if that is shorter). They must also affix the CE marking to the product and draw up technical documentation demonstrating how they ensured its security. If the manufacturer is based outside the EU and has no establishment of its own in the EU, it must have an authorized representative in the EU who fulfills its regulatory obligations toward the European authorities on its behalf.

The importer must verify, before placing the product on the market, that the manufacturer has fulfilled its obligations – that is, that the product has technical documentation drawn up, meets the security requirements, and is correctly marked. Be careful, though: if the importer places the product on the market under its own name or substantially modifies it, it takes on the role of manufacturer, with everything that entails.

The distributor has more limited responsibility. They don't verify the product's security themselves, but before placing it on the market, they must check that it bears the CE marking, has the necessary documentation attached, and is correctly marked. If they have reason to believe that the product does not meet the requirements, they must not place it on the market.

What requirements does the CRA impose?

The most important point is that products must be secure already at the moment they're placed on the market. In practice, this means the manufacturer must ensure a secure default configuration – for example, strong default passwords or mandatory password setup at first startup, encrypted communication, and the ability to update the product. At the same time, they must disable or remove everything the product doesn't need in order to function – features, ports, or interfaces.
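As an added illustration (not part of the original article or of any CRA text), the check below audits a product's factory-default configuration against the points just listed: no weak shared default password unless setup is forced at first start, encrypted interfaces only, an update mechanism, and nothing enabled that the product does not need to function. The configuration keys, the sample router and the 12-character threshold are assumptions.

```python
"""Secure-by-default audit of a product's factory configuration (added example)."""

# Constructed sample: weak factory defaults for a hypothetical home router.
WEAK_DEFAULTS = {
    "admin_password": "admin",
    "force_password_change_on_first_boot": False,
    "services": {"https": True, "http": True, "telnet": True, "ssh": True, "upnp": True},
    "required_services": ["https"],   # what the product needs in order to function
    "update_channel": None,           # no way to deliver security updates
}

# Constructed sample: the same product with hardened defaults.
HARDENED_DEFAULTS = {
    "admin_password": "",             # no shared factory password at all
    "force_password_change_on_first_boot": True,
    "services": {"https": True, "http": False, "telnet": False, "ssh": False, "upnp": False},
    "required_services": ["https"],
    "update_channel": "https://updates.example.invalid/router",  # placeholder URL
}

COMMON_FACTORY_PASSWORDS = {"admin", "password", "1234", "12345678", "root"}
PLAINTEXT_SERVICES = {"http", "telnet", "ftp"}   # interfaces without encryption


def audit_defaults(cfg):
    """Return a list of findings; an empty list means the defaults pass this check."""
    findings = []
    pw = cfg["admin_password"]
    forced = cfg["force_password_change_on_first_boot"]
    if pw and (pw.lower() in COMMON_FACTORY_PASSWORDS or len(pw) < 12):
        findings.append("weak factory password")
    if pw and not forced:
        findings.append("factory password is never forced to change at first start")
    if not pw and not forced:
        findings.append("no credential set and no mandatory setup at first start")
    enabled = {name for name, on in cfg["services"].items() if on}
    plaintext = sorted(enabled & PLAINTEXT_SERVICES)
    if plaintext:
        findings.append("unencrypted interfaces enabled: " + ", ".join(plaintext))
    surplus = sorted(enabled - set(cfg["required_services"]))
    if surplus:
        findings.append("enabled but not needed to function: " + ", ".join(surplus))
    if not cfg["update_channel"]:
        findings.append("no update mechanism configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DEFAULTS), ("hardened", HARDENED_DEFAULTS)):
        print(label, audit_defaults(cfg) or "OK")
```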

But the obligations don't end with the sale itself. Manufacturers must actively manage security weaknesses (vulnerabilities) and issue security updates (patches), free of charge, throughout the entire support period.

The obligations also include reporting serious incidents and security flaws. Manufacturers must report serious security incidents and actively exploited vulnerabilities to ENISA within set deadlines. That's why it pays to have clear internal procedures in place before anything actually happens.

What are the penalties for non-compliance?

The CRA is not just a recommendation. Failing to follow the rules has real consequences. A breach of the basic security requirements can carry an administrative fine of up to 15 million euros or 2.5% of the company's total worldwide annual turnover, whichever is higher. For less serious failings, such as missing documentation or marking, the fine can reach up to 10 million euros or 2% of turnover. Market surveillance authorities also have the power to order a product's withdrawal from the market if it poses a serious cybersecurity risk.

Which deadlines should you watch out for?

The CRA takes effect in several phases. The first part concerns the obligation to report vulnerabilities and serious incidents. Note that this will already apply from September 2026. The rest of the regulation will start to apply from December 2027.

At first glance it looks like there's plenty of time, but the preparation can be more demanding than it seems. From mapping out your product portfolio, through setting up internal processes, to preparing documentation and the final conformity assessment, it can be a long process.

Does the CRA apply to you?

We'll help you find out whether the regulation applies to you, which of your products fall under it, and how to prepare for meeting the CRA requirements so that you can keep placing them on the EU market.
