Key Takeaways
- The CRA defines a clear minimum level of cybersecurity that products with digital elements must meet within the European Union.
- The CRA is product-focused, rather than organisation-focused.
- Any party placing products with digital elements on the EU market must be able to demonstrate that they are securely developed, designed and supported.
- Security must be integrated in both the design and development phase and the supply phase.
- Vulnerabilities must be actively monitored and significant incidents impacting product security must be reported to the competent authorities as of September 2026.
- The CE marking serves as a declaration of conformity, based on documented processes and risk assessments.
- The CRA becomes fully applicable in December 2027, although organisations should already be preparing to meet its requirements.
Introduction: the EU sets a clear boundary
The European Union is committed to a secure digital future and works towards this objective in various ways. One of the initiatives is to improve the security of digital products.
By means of the Cyber Resilience Act (CRA), the European Union defines a clear minimum level of cybersecurity that products with digital elements must meet within the European Union. While NIS2 is concerned with protecting organisations, the CRA is aimed at the products themselves.
Up until recently, manufacturers could simply say: “We design the product; the user is responsible for its safe use.” The burden of responsibility rested mainly with the user. The CRA flips this principle. Any party placing products with digital elements on the EU market must be able to demonstrate that they have been securely developed and designed, but also that they are supported after being placed on the market.
The CRA represents more than a new obligation. It turns cybersecurity into a core element of digital products. What does this mean in real terms for manufacturers and suppliers? This blog explains.
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) is EU legislation defining minimum standards for the cybersecurity of products with digital elements.
Put simply, the CRA defines the security standard a digital product must satisfy before it may be marketed in the European Union.
NIS2 requires organisations to strengthen the security of their systems and processes, whereas the CRA is directed at the products themselves. The objective is to ensure that digital products are developed securely from the very beginning and remain secure once they are sold.
The CRA responds to a fundamental problem: too many products are placed on the market without sufficient cybersecurity built in. Update support is often limited, vulnerabilities are addressed too late, and the burden of responsibility has commonly been passed on to the end user.
This legislation establishes a clear position across Europe. Any party placing a product with digital elements on the EU market must meet the following requirements:
- Security is integrated into the design and development process
- Vulnerabilities are actively monitored
- Security updates are provided for the product’s expected lifetime
- It is demonstrated that these practices are systematically implemented
This is not a single technical assessment or a standard tick-box exercise. Instead, it involves a lasting responsibility across the product’s entire lifecycle.
Who does the CRA apply to?
The Cyber Resilience Act is not limited to specific sectors, in contrast to NIS2 which focuses on critical infrastructure, healthcare and financial institutions.
The CRA applies to any party placing a product with digital elements on the EU market.
A product is understood to include: “a software or hardware product and its remote data processing solutions”. This covers standalone software such as applications or programs, hardware with embedded software (such as Internet of Things devices), standalone hardware (such as integrated circuits or motherboards), and any combination of these elements.
Products may be placed on the EU market by:
- The manufacturer
- The importer
- Any other party that first makes the product available in the EU (including parties from outside the EU)
In most cases the manufacturer is responsible, but importers also carry responsibility. Any party placing a product with digital elements on the EU market must be able to demonstrate that it complies with the CRA requirements.
Does this also apply to SMEs?
Yes. The scale of your organisation is irrelevant. Any party placing a product with digital elements on the EU market is subject to the CRA. Small and medium-sized enterprises are equally expected to meet the essential requirements.
The EU acknowledges that this can be more challenging for SMEs. For that reason, support measures are being introduced, including initiatives such as the Secure4SME cascade funding call. Within this initiative, European SMEs may apply for financial
Would you like to know more?
Cingulum supports organisations in assessing their current level of maturity, developing a CRA roadmap and implementing the required technical and governance processes. We not only assist with CRA compliance preparation but also advise on how initiatives such as Secure4SME can be used strategically.
If you are interested in understanding your current position and eligibility for support, we are available to explore this with you.
Are all digital products treated in the same way?
No. The CRA adopts a risk-based approach. Requirements become more stringent as the potential impact on user safety or other systems increases.
Products that serve a critical function, such as operating systems or digitally enabled vehicle components, will be assessed more strictly than a product with a lower level of impact.
Nevertheless, the basic rule remains the same, as any party placing products with digital elements on the EU market must be able to demonstrate that they are securely designed and remain secure throughout their lifetime.
What does this mean in practice? Two key requirements
The Cyber Resilience Act introduces a mix of new and familiar terminology, but in practice it comes down to two main obligations across a product’s lifecycle: the design and development phase, and the support phase once the product has been placed on the market. In other words, security must be built in from the start and maintained over time.
1. The design and development phase: designing and developing products in a secure way
The first key change concerns the design and development phase. Security is not something to be added on later but must be embedded in the product’s design and development.
The CRA refers repeatedly to secure-by-design. It may sound abstract at first, yet the underlying principle is simple: security thinking must be embedded from the design and development phase onwards, including how the product might be misused and how to prevent this. The same principle is found in the GDPR, which refers to Data Protection by Design.
Examples include user authentication during first-time installation, the avoidance of default settings that could be misused, and the protection of sensitive internal interfaces. However, this is not an exhaustive list. The appropriate measures vary depending on the product type and the related risk profile.
In any case, manufacturers must be able to demonstrate that they:
- have identified the risks
- have made deliberate security choices that have been embedded in the product
- have documented those decisions accordingly
It is therefore less about following a fixed technical checklist and more about a structured way of working. Security becomes an integral part of the development lifecycle.
2. The support phase: keep products secure
The second key change applies after the product has been sold.
In the past, many manufacturers saw their responsibility as ending once the product was delivered. Updates were only provided for a limited period, vulnerabilities were handled reactively, and further security was often the responsibility of the customer.
The Cyber Resilience Act fundamentally changes this approach. Manufacturers are expected to actively track vulnerabilities, address them and take action where required. This means that designing and developing a secure product is no longer enough, as manufacturers must also provide a mechanism to deliver security updates. In other words, cybersecurity becomes an ongoing obligation.
Furthermore, the CRA establishes new notification requirements. From September 2026 onwards, actively exploited vulnerabilities and significant incidents impacting product security must be reported to the competent authorities. This calls for both technical capacity and well-defined internal procedures.
This is a real challenge. Many organisations underestimate the level of ongoing coordination this requires. It covers:
- clear responsibilities within the organisation
- processes for vulnerability management
- documentation and the ability to demonstrate compliance
- a long-term approach to product support
Securing a product is not a single step. It is an operational decision that may continue for years.
How should an organisation get started?
Many organisations perceive the CRA as complex and technical. The natural response is often to look for solutions in additional tools or checks. Yet the real starting point is simple: what is your current position? Do secure development processes already exist? Are vulnerabilities monitored systematically? Is there a defined update process? Are risk assessments performed and properly documented?
To start off on the right track, consider the following three steps:
1. Create clarity
Identify the processes that already exist and highlight where the main gaps are. This provides a realistic view of your current level of maturity.
2. Define priorities
Not everything needs to be done at once. The CRA is risk-based. Start by focusing on the areas that have the biggest impact on product security.
3. Embed security into business processes
Security must be part of the design and development process as well as the support process. This involves clear responsibilities, documentation and structured monitoring. A crucial element is embedding this practice across the organisation. It is not a project with a fixed end date, but a change in how you work. Organisations that adopt a strategic approach may use the CRA to ensure compliance while enhancing product quality and building stronger customer confidence.
How to demonstrate compliance?
Being compliant is one thing; proving it is another. Under the CRA, it is not enough to put security measures in place; there must also be evidence that they have been applied. This requires documentation, clear justification and transparency.
The CE marking is an important part of this. As with other EU product regulations, the CE marking indicates that your product complies with the relevant requirements, including those set out in the CRA. This marking is not a mere formality but must rest on a robust conformity assessment.
In practical terms, this means primarily that you must be able to demonstrate:
- which risk assessments have been carried out
- which security measures have been implemented
- how vulnerabilities are monitored and managed
- how updates are deployed
- which internal processes are in place for this
The CRA also requires that certain information, such as relevant product risks and security aspects, is made publicly available, for example in the technical documentation and user information. Transparency therefore becomes part of compliance.
Deadlines and compliance
The Cyber Resilience Act does not become fully applicable all at once. Clear transition periods are in place. That said, organisations should not delay preparations until the very last moment.
The first important date is 11 September 2026. From then onwards, the notification requirements will apply in their entirety. This includes the obligation to report actively exploited vulnerabilities and severe incidents impacting the security of products with digital elements to the competent authorities.
The CRA will become fully applicable on 11 December 2027. From that point onwards, all products with digital elements placed on the EU market will need to meet the defined cybersecurity requirements in full.
Those who wait until 2026 or 2027 to take action will discover that this is not a simple update, but a deep, structural change in working practices.
The CRA should not be seen as a paperwork exercise, but as a strategic product decision
The Cyber Resilience Act introduces a fundamental change in the way digital products are designed and supported. It is more technical than NIS2 and directly affects development, product management and support. Although the CRA requires clear processes, documentation and continuous monitoring, it also presents opportunities.
Organisations that prioritise secure-by-design and structured vulnerability management are not simply working towards compliance. They are building more secure products, enhancing customer trust and improving their competitive strength. When cybersecurity is treated as a core element of product quality, it delivers compliance as well as long-term sustainability.