EU Advances Cyber Resilience Act (CRA) Implementation, Sets Key Deadlines for Manufacturers

Executive Summary

The European Union is moving forward with the implementation of the Cyber Resilience Act (CRA), a groundbreaking piece of legislation that imposes mandatory cybersecurity standards on all products with digital elements sold within the EU market. The act, which officially entered into force on December 10, 2024, mandates a security-by-design approach and ongoing vulnerability management from manufacturers. While full compliance is not required until late 2027, a critical deadline is approaching: manufacturers must have processes in place to report actively exploited vulnerabilities to authorities within 24 hours by September 11, 2026. This requires immediate preparation from all affected companies.

Regulatory Details

The Cyber Resilience Act represents a major shift from voluntary standards to legally binding requirements for product security. Its primary objectives are:

• To ensure hardware and software products are placed on the market with fewer vulnerabilities.
• To require manufacturers to take security seriously throughout a product's lifecycle.

Key provisions include:

• Secure by Design: Manufacturers must design, develop, and produce products in line with essential cybersecurity requirements.
• Vulnerability Management: Manufacturers are legally obligated to manage vulnerabilities effectively for the expected lifetime of the product or for a period of five years, whichever is shorter.
• Security Updates: Timely security updates must be provided to users.
• Transparency: Clear and understandable information about the product's security features must be provided to consumers.
• CE Marking: Compliant products will bear a CE marking to signify they meet CRA standards.

Affected Organizations

The CRA has a very broad scope and affects virtually any manufacturer, importer, or distributor that sells products with digital components in the EU. This includes:

• Hardware manufacturers (e.g., IoT devices, routers, smart appliances).
• Software developers (e.g., operating systems, standalone applications, mobile apps).
• Manufacturers of products that contain software components (e.g., cars, industrial machinery).

Compliance Requirements

The most pressing requirement is related to vulnerability reporting. As of September 11, 2026, manufacturers will be obligated to:

• Notify the European Union Agency for Cybersecurity (ENISA) of any actively exploited vulnerability within 24 hours of becoming aware of it.
• Inform their users about the vulnerability and any available mitigations or patches.

To facilitate this, ENISA is developing a single reporting platform for notifications. European standardization bodies (CEN, CENELEC, ETSI) are also working to develop harmonized standards that will help manufacturers demonstrate compliance.

Implementation Timeline

The CRA will be implemented in phases:

• December 10, 2024: The Act entered into force.
• December 1, 2025: The Commission published an implementing act on technical descriptions for critical products.
• September 11, 2026: The 24-hour vulnerability reporting obligation begins.
• December 11, 2027: The majority of the CRA's obligations become fully applicable.

Impact Assessment

• For Manufacturers: The CRA will require significant investment in secure development lifecycle (SDLC) processes, vulnerability management programs, and incident response capabilities. Companies will need dedicated product security teams (PSIRTs) to handle vulnerability intake, analysis, and reporting.
• For Consumers: The act is expected to lead to a higher baseline of security in consumer products, reducing the risk from insecure IoT devices and software.
• For the Market: The CE marking for cybersecurity will become a key differentiator. Non-compliant products will be barred from the EU market, forcing a global rise in security standards for any company wishing to do business in Europe.

Enforcement & Penalties

Enforcement will be carried out by national market surveillance authorities in each EU member state. These authorities will have the power to order product recalls and impose significant fines for non-compliance. Penalties can be as high as €15 million or 2.5% of the company's total worldwide annual turnover, whichever is higher.

Compliance Guidance

Manufacturers must begin preparing now to meet the 2026 and 2027 deadlines. Key steps include:

1. Conduct a Product Portfolio Review: Identify all products sold in the EU that fall under the CRA's scope.
2. Establish a PSIRT: Create or formalize a Product Security Incident Response Team responsible for managing vulnerability reports.
3. Develop Reporting Procedures: Define an internal process to ensure any actively exploited vulnerability can be identified and reported to ENISA within the 24-hour window.
4. Integrate Security into Development: Adopt a secure software development lifecycle (SSDLC) to meet the security-by-design requirements.
5. Monitor Harmonized Standards: Keep track of the standards being developed by CEN, CENELEC, and ETSI, as these will provide a presumed path to conformity.