This September, the first binding phase of the European Union's new Cyber Resilience Act (CRA) takes effect, reshaping the rules for developing and selling products with digital elements (both software and hardware containing software) within the EU market and introducing new obligations for software companies. However, the CRA isn't just another layer of regulatory red tape — it will actually give developers a much clearer grasp of their products' security posture.
What is the CRA and why does it matter?
The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for a broad spectrum of products with digital elements (PDEs). The regulation places the primary responsibility for cybersecurity on manufacturers, with further obligations for importers and distributors, and requires manufacturers to keep the product secure for a defined support period: normally at least five years, or the product's expected lifetime if that is shorter.
Who does the CRA apply to?
The regulation applies to economic operators that place products with digital elements on the EU market. This includes manufacturers (including software and app developers), authorized representatives, importers, and distributors.
A product with digital elements means both standalone software (e.g. an app, library, or firmware) and hardware that contains or connects to software (such as smart devices, IoT sensors, or routers). If a PDE placed on the European market can connect (even potentially) to a computer network or another device, the CRA almost certainly applies to it. The main exclusions are products already governed by sector-specific cybersecurity rules (for example medical devices, motor vehicles, and civil aviation equipment), open-source software that is not supplied in the course of a commercial activity, and pure cloud services (SaaS), except for remote data processing that a product needs in order to perform its functions.
Timeline and Transition Periods
Although the CRA officially entered into force on 10 December 2024, its implementation is phased. The reporting obligations for manufacturers apply from 11 September 2026, and the main bulk of the regulation becomes fully enforceable on 11 December 2027.
Practical implementation guidelines have been available since the end of 2025.
What must companies do to comply with CRA requirements?
1. Reporting Vulnerabilities and Incidents
Starting September 11, 2026, manufacturers of products with digital elements are required to report actively exploited vulnerabilities in their products and severe incidents that affect the security of those products. Reports are submitted once, through the Single Reporting Platform (SRP) operated by ENISA, which forwards them to the CSIRT designated as coordinator in the Member State where the manufacturer has its main establishment (in the Czech Republic, NÚKIB).
The deadlines come in three stages: an early warning within 24 hours of becoming aware of the vulnerability or incident, a more detailed notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure for the vulnerability is available, or within one month after the 72-hour notification for a severe incident. Meeting them requires incident response and detection workflows that can classify an event and produce a report within a day, which is a significant change for most teams.
Example: If a manufacturer discovers that a vulnerability in their product is being actively exploited (e.g., attackers are using it to gain unauthorized access) — whether it’s a smart home thermostat, a mobile app (like a game), or a web-based information system — they must submit an early warning via the SRP within 24 hours. This is followed within 72 hours by a more comprehensive notification describing the severity and impact of the vulnerability and any mitigations available. Once a corrective or mitigating measure (typically a patch) is available, they have 14 days to submit a final report summarizing the vulnerability, its root cause, and its resolution.
2. Security by Design
Manufacturers must integrate security directly into their development lifecycle. This means generating a software bill of materials (SBOM) as part of the build, running static and dynamic vulnerability analysis before release, placing products on the market without known exploitable vulnerabilities and with a secure-by-default configuration, and abandoning designs that rely on hardcoded or unchangeable default passwords or on components that cannot realistically be updated.
An SBOM (Software Bill of Materials) is essentially a structured ingredient list of all components making up the software — including third-party libraries, open-source dependencies, their specific versions, and licenses. The CRA requires it in a commonly used machine-readable format (in practice CycloneDX or SPDX) and covering at least the product's top-level dependencies. Thanks to the SBOM, both the manufacturer and the customer know exactly what’s under the hood and can quickly check whether any dependency has a known vulnerability.
3. Ongoing Vulnerability Management
The CRA mandates that manufacturers manage security risks in the systems they build, continuously identify and document vulnerabilities affecting their products (including those in third-party components), fix them without delay through free security updates for the whole support period, and publish a coordinated vulnerability disclosure policy with a contact point for people who report flaws.
Setting up thorough vulnerability management isn't just about checking a regulatory box — it’s an investment in the quality and trustworthiness of your product. Systematically tracking, evaluating, and fixing security flaws directly lowers the odds of a successful attack on your system. The payoff is more resilient software, fewer security incidents, and significantly better data protection for your users.
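The SBOM described under "Security by Design" and the continuous vulnerability checking described above fit together naturally: the SBOM is the inventory, and vulnerability management is the recurring job of matching that inventory against new advisories. The following Python script is an added example written for this article; it is not code from the original page, from the CRA text, or from any official guidance. It builds a minimal CycloneDX 1.5 SBOM for a hypothetical product ("thermo-hub" and all of its dependencies are constructed) and checks it against a constructed advisory feed whose identifiers are placeholders, not real CVEs. The feed format (package name plus a half-open "introduced"/"fixed" version range) is an assumption modelled loosely on how public feeds express affected ranges.

```python
"""Added example: build a CycloneDX-style SBOM for a product and re-check it
against a vulnerability feed, the way a manufacturer's continuous vulnerability
monitoring would.  The product, its dependencies and the advisories are all
constructed for illustration; the advisory IDs are placeholders, not real CVEs."""
import json
import re

# Constructed inventory of the hypothetical product "thermo-hub" 1.4.2:
# (name, version, Package URL) - the purl is how CycloneDX identifies a component.
DEPENDENCIES = [
    ("openssl", "3.0.7", "pkg:generic/openssl@3.0.7"),
    ("libcurl", "8.4.0", "pkg:generic/libcurl@8.4.0"),
    ("zlib", "1.2.13", "pkg:generic/zlib@1.2.13"),
    ("busybox", "1.36.1", "pkg:generic/busybox@1.36.1"),
]

# Constructed advisory feed.  Each entry names an affected package and a
# half-open version range [introduced, fixed).  IDs and summaries are placeholders.
VULN_FEED = [
    {"id": "EXAMPLE-2024-0001", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.8",
     "summary": "placeholder: memory-safety bug in certificate parsing"},
    {"id": "EXAMPLE-2024-0002", "package": "libcurl", "introduced": "7.69.0", "fixed": "8.4.0",
     "summary": "placeholder: cookie handling flaw (fixed in 8.4.0)"},
    {"id": "EXAMPLE-2024-0003", "package": "zlib", "introduced": "0", "fixed": "1.2.12",
     "summary": "placeholder: inflate() overflow"},
]


def build_sbom(product_name, product_version, dependencies):
    """Return a CycloneDX 1.5 document (as a dict) for the product.

    This covers top-level dependencies only, the minimum the CRA's essential
    requirements ask for; a production SBOM would also record transitive
    components and hashes of the shipped artefacts."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": product_name, "version": product_version}
        },
        "components": [
            {"type": "library", "name": name, "version": version, "purl": purl}
            for name, version, purl in dependencies
        ],
    }


def _vtuple(version):
    """Turn '3.0.7' into (3, 0, 7) so versions compare numerically, not as
    strings ('1.10.0' must sort after '1.9.0')."""
    return tuple(int(x) for x in re.findall(r"\d+", version)) or (0,)


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed.  The range is half-open, so a
    component already at the fixed version is correctly reported as clean."""
    v = _vtuple(version)
    return _vtuple(introduced) <= v < _vtuple(fixed)


def scan_sbom(sbom, feed):
    """Match every SBOM component against the feed and return the findings."""
    findings = []
    for comp in sbom["components"]:
        for vuln in feed:
            if vuln["package"] == comp["name"] and affected(
                comp["version"], vuln["introduced"], vuln["fixed"]
            ):
                findings.append({
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "purl": comp["purl"],
                    "id": vuln["id"],
                    "fixed_in": vuln["fixed"],
                    "summary": vuln["summary"],
                })
    return findings


if __name__ == "__main__":
    sbom = build_sbom("thermo-hub", "1.4.2", DEPENDENCIES)
    print(json.dumps(sbom, indent=2))
    for f in scan_sbom(sbom, VULN_FEED):
        print(f'{f["id"]}: {f["component"]} (fixed in {f["fixed_in"]}) - {f["summary"]}')
```

Run against the constructed data, only openssl 3.0.7 is flagged: libcurl 8.4.0 sits exactly on the fixed version and zlib 1.2.13 is past its range, which is the boundary that naive string comparison of versions gets wrong. In a real pipeline the SBOM would be produced by the build (a tool such as syft or the CycloneDX generators), the feed would be refreshed from public advisory sources, and the scan would run on a schedule rather than once at release, since the CRA's obligation is to keep watching for the whole support period.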
4. Transparency with Users
Manufacturers are obligated to provide clear, understandable information regarding product security. Before buying, a user needs to know exactly how long the product will receive security updates and who to contact if they discover a vulnerability.
While manufacturers don't need to broadcast their SBOM publicly to every consumer, they must generate it and have it ready for inspection by supervisory authorities.
Developers already regularly encounter transparency demands and SBOM requests (usually under an NDA) when dealing with corporate clients in sensitive sectors like healthcare, critical infrastructure, or automotive. The CRA will amplify this push for transparency across the entire supply chain.
5. Conformity Assessment and CE Marking (from December 2027)
Products will carry the CE mark to prove compliance with CRA requirements. Most products can be self-assessed by the manufacturer, but the regulation singles out higher-risk "important" and "critical" products. Important products in Class I (for example operating systems, routers, password managers, and browsers) may only self-assess if they fully apply harmonised standards or a European cybersecurity certification scheme; otherwise a notified body must assess them. Important products in Class II (such as firewalls, intrusion detection and prevention systems, and hypervisors) and critical products (such as smart cards and smart meter gateways) always require an independent, third-party assessment before they can even touch the EU market.
6. The "Substantial Modification" Rule
To close any loopholes, the CRA introduces the "substantial modification" rule. Products already on the market before December 11, 2027 do not have to meet the full requirements, although the reporting obligations still apply to them. If, however, a manufacturer makes a major change to such a product after that date (such as introducing new core functionality, modifying the architecture, or updating the system kernel) that product is treated as brand new and must comply with all CRA rules. Standard security updates and bug fixes, which do not change the product's intended purpose, do not count as substantial modifications and can be pushed to older products without requiring a fresh conformity assessment.
What are the penalties for non-compliance?
Failing to comply can result in steep administrative fines imposed by national market surveillance authorities; in each tier the fine is the higher of the two figures:
Up to €15,000,000 or 2.5% of worldwide annual turnover for breaching the essential cybersecurity requirements or the manufacturer's core obligations, including the reporting mandates.
Up to €10,000,000 or 2% of turnover for failing to meet any other obligation under the regulation.
Up to €5,000,000 or 1% of turnover for providing incorrect, incomplete, or misleading information to supervisory bodies.
On top of financial hits, authorities can pull non-compliant products straight off the shelves across the entire EU market.
The CRA features a built-in safety net for micro, small, and medium-sized enterprises (including startups). If a smaller business violates the rules, national regulators must take the company's size, market share, and economic capacity into account when setting the fine. For these businesses, the turnover-based caps are a ceiling, not the starting point for a typical penalty.
Summary: What should you do right now?
It pays to break down your CRA preparation into two main phases based on when the new rules go live:
Phase 1: By September 2026 (Mandatory Reporting)
- Roll out incident reporting workflows: Define who decides that a vulnerability is actively exploited or an incident is severe, and align your internal tracking so your team can confidently hit the 24-hour early-warning window, the 72-hour notification, and the final report through the European SRP platform (which routes directly to national bodies like NÚKIB).
Phase 2: By December 2027 (Secure Product & Certification)
- Implement Security by Design: Bake security checkpoints right into your software development lifecycle.
- Automate SBOM generation: Set up automated tools to spin up a software bill of materials, keeping you fully aware of all components and open-source dependencies.
- Establish vulnerability management: Ensure continuous flaw tracking, deliver free security patches, and maintain transparent communication with your users.
- Prep for conformity assessments: Compile the necessary technical documentation required to secure your CE marking.
The CRA is far from a paper-pushing exercise — it marks a major cultural shift in how the EU approaches product cybersecurity. Teams that kick off their preparations early won't just dodge massive fines; they'll shield their reputation from serious damage.