EU CRA Compliance Requirements and Key Deadlines for Manufacturers Webinar
The EU Cyber Resilience Act (CRA) sets mandatory cybersecurity requirements for any product with digital elements sold on the EU market. Full compliance is required by 11 December 2027, and the first hard obligation, vulnerability and incident reporting under Article 14, takes effect on 11 September 2026.
In this on-demand webinar, Mustanir Ali, Element's Global Head of Product Cyber Assurance, walks through what the CRA requires, who it affects, and what manufacturers should be doing now to prepare. Drawing on his work with manufacturers across IoT, consumer electronics, industrial equipment, and embedded systems, the webinar covers the full scope of the regulation: secure-by-design and secure-by-default requirements, the Article 14 reporting cadence, conformity assessment obligations, and the staggered enforcement timeline. If you design, manufacture, or place connected products on the EU market, or supply hardware, software, or firmware to those who do, this session is for you.
Why watch this Cyber Resilience Act webinar?
This is not an overview of the cybersecurity threat environment. It is a practical session for product, engineering, and compliance leaders who already know the CRA is coming and need to turn the regulation into decisions they can act on this quarter.
After watching, you will be able to:
- Determine whether your products fall within CRA scope, including edge cases involving components, open-source software, and B2B equipment
- Identify the secure-by-design and secure-by-default requirements that apply across the full product lifecycle
- Plan against the staggered timeline, including the 11 September 2026 reporting deadline and the 11 December 2027 full-compliance deadline
- Build the technical documentation, including the Software Bill of Materials (SBOM), that conformity assessment requires
- Set up vulnerability handling and incident reporting that meets the 24-hour, 72-hour, and 14-day cadence under Article 14
- Identify where harmonized standards are still in draft and what to do in the meantime
Key topics covered in this webinar
- What counts as a product with digital elements under the CRA, and which products are excluded?
- How do secure-by-design and secure-by-default requirements apply across the product lifecycle?
- What does Article 14 require for vulnerability handling and incident reporting?
- What are the 24-hour, 72-hour, and 14-day reporting deadlines, and who do reports go to?
- How does the CRA conformity assessment process work, and when is a notified body required?
- What is an SBOM and why does the CRA require one?
- How does the CRA relate to the Radio Equipment Directive (RED) and PSTI?
- What steps should manufacturers take before the September 2026 and December 2027 deadlines?
What the Cyber Resilience Act is and who it affects
The Cyber Resilience Act (Regulation (EU) 2024/2847) is a horizontal EU regulation that entered into force on 10 December 2024. It establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market and replaces fragmented national rules with a single EU-wide framework. The regulation has three core goals: reduce vulnerabilities in connected products before they reach the market, ensure vulnerabilities found after release are managed and disclosed responsibly, and give buyers the information they need to make informed security decisions.
Any product with digital elements placed on the EU market is in scope unless a specific exclusion applies. That covers IoT devices, consumer electronics, industrial control equipment, smart home products, network equipment, operating systems, applications, firmware, and security components sold separately. Two points consistently catch manufacturers off guard. Direct internet connectivity is not required for a product to fall in scope: a USB port, a Bluetooth interface, or any external data connection is sufficient. Responsibility also sits with the organization that places the final product on the EU market, regardless of where it was designed or manufactured. Importers and distributors carry their own obligations.
Sector-specific exclusions apply where existing EU law already covers cybersecurity, including certified medical devices under the EU MDR, motor vehicles under UN Regulation No. 155, and civil aviation products. Free and open-source software has a separate treatment, with obligations attaching only when it is supplied commercially.
The CRA sits alongside the Radio Equipment Directive and PSTI as part of a broader shift in how EU and UK regulators approach product cybersecurity. Element's whitepaper on cybersecurity requirements under RED, PSTI, and CRA covers how these regulations overlap and what compliance looks like across all three.
For a deeper look at how cybersecurity requirements apply specifically to radio equipment, see Element's article on cybersecurity and the RED Article 3.3 essential requirements.
The core cybersecurity requirements manufacturers must meet
The CRA's essential requirements span the full product lifecycle and are built on two principles.
Secure by design means cybersecurity is addressed from the earliest stages of development, not added after the fact. That means strong access controls, least-privilege principles, protection of data integrity and confidentiality, and a secure update mechanism maintained for the duration of the support period.
Secure by default means the product ships in a secure state. Default passwords are prohibited unless unique per unit and changed on first use. Unnecessary interfaces are disabled. No advanced configuration should be required for the product to operate safely out of the box.
Before placing a product on the EU market, manufacturers must conduct a cybersecurity risk assessment, document the resulting design decisions, complete a conformity assessment appropriate to the product's risk class, and apply the CE mark. Most products can self-certify. Products classified as Important Class I, Important Class II, or Critical require assessment by a notified body.
Element's CE marking and conformity assessment services support manufacturers through this process, and our product cybersecurity testing and certification team works with manufacturers across IoT, consumer electronics, and industrial equipment categories.
Vulnerability management and Article 14 reporting obligations
Two of the most significant CRA obligations sit outside the traditional product approval process and apply from 11 September 2026, including to products already on the market.
Manufacturers must operate a vulnerability handling process for the full duration of the product's support period. That period is typically the expected product lifetime, with a minimum of five years for many product categories. The process must cover active monitoring of the product and its third-party components, security updates issued without delay when a vulnerability is identified, and a machine-readable SBOM describing the software composition of the product.
From 11 September 2026, Article 14 introduces a staged reporting requirement for actively exploited vulnerabilities and severe incidents, processed through the ENISA Single Reporting Platform. Manufacturers must issue an early warning to the designated CSIRT and ENISA within 24 hours of becoming aware of the issue, follow up with a technical notification within 72 hours, and submit a final report within 14 days of a corrective measure being available for vulnerabilities, or within one month for severe incidents. These timelines apply to legacy products already on the market. A tested incident response process needs to be in place well before September 2026.
The CRA compliance timeline and what it means for your product program
The CRA entered into force on 10 December 2024. From that point, three milestones govern when obligations take effect. On 11 June 2026, member states designate conformity assessment bodies and the notified body regime becomes operational. On 11 September 2026, the Article 14 vulnerability and incident reporting obligations apply to all products, including those already on the market. On 11 December 2027, full compliance is required for all products with digital elements placed on the EU market.
From the December 2027 deadline, a non-compliant product cannot legally be placed on the EU market, and substantial modifications to existing products trigger reassessment. Fines for the most serious infringements can reach €15 million or 2.5% of global annual turnover, whichever is higher.
Mapping your product portfolio against CRA scope is the logical starting point. Identify which products are in scope and which fall into the Important or Critical categories that require notified body assessment. From there, a gap assessment against the essential requirements compares your current secure-development practices, documentation, and update mechanisms against what the regulation expects. Building the SBOM and update infrastructure follows, as both are required for conformity assessment and throughout the support period. Establishing vulnerability handling and incident response processes needs to happen before September 2026, not after full compliance is achieved. Monitoring emerging CEN-CENELEC harmonized standards, several of which are still in draft, allows manufacturers to align early rather than retrofit later.
Manufacturers that handle the CRA well treat it as a product engineering programme. Cybersecurity needs to be designed in from the start. With the December 2027 deadline under two years away and September 2026 closer still, that work needs to start now.
Element's IoT cybersecurity certification team, wireless testing services, and product certification and approvals experts work with manufacturers across these product categories.
Frequently Asked Questions
Q1: Does the Cyber Resilience Act apply to products already on the market?
Yes, in part. The full compliance deadline of 11 December 2027 applies to products being placed on the EU market from that date. The Article 14 vulnerability and incident reporting obligations take effect on 11 September 2026 and apply to legacy products already on the market. Manufacturers must have a tested incident response process in place before that date.
Q2: What products are excluded from the Cyber Resilience Act?
Exclusions are limited to product categories where sector-specific EU law already governs cybersecurity. These include certified medical devices under the EU MDR, motor vehicles covered by UN Regulation No. 155, and civil aviation products. Free and open-source software is excluded unless supplied commercially. All other products with digital elements, including those without direct internet connectivity, are within scope if they have any external data connection.
Q3: What is the fine for non-compliance with the Cyber Resilience Act?
The CRA sets a maximum administrative fine of €15 million or 2.5% of global annual turnover for the most serious infringements, whichever is higher. Market surveillance authorities can also require products to be withdrawn from the EU market or recalled. Penalty rules are set by each EU member state within the framework that the CRA establishes.