Cyber Resilience Act: New Product Cybersecurity Compliance Obligations for Manufacturers, Importers and Distributors

The Cyber Resilience Act (CRA), EU Regulation 2024/2847, introduces mandatory, harmonised product cybersecurity requirements across the European Union. Unlike NIS 2, which focuses on the operational security of organisations and their infrastructure, the CRA applies to products with digital elements (both hardware and software, including remote data processing solutions the product depends on) placed on the EU market. Manufacturers, importers and distributors will need to prepare for a new compliance framework covering the entire lifecycle of such products, including:

  • Security by Design;
  • secure default configuration;
  • vulnerability monitoring and management;
  • free security updates throughout the product support period;
  • technical documentation, including a Software Bill of Materials;
  • CE marking as proof of compliance.

For companies placing products with digital elements on the EU market, CRA compliance is becoming a product-level legal, technical and business priority.

Is Your Product Ready for the Cyber Resilience Act Timeline?

11 June 2026
  Compliance milestone: the CRA provisions on the notification of conformity assessment bodies (Chapter IV) apply, allowing Member States to designate notifying authorities and to notify conformity assessment bodies (notified bodies).
  Business action point: companies should assess whether their products fall into the "important" or "critical" product categories of Annexes III and IV, which require stricter conformity assessment, including third-party verification by a notified body for some categories.

11 September 2026
  Compliance milestone: the manufacturer reporting obligations (Article 14) apply. Manufacturers must notify actively exploited vulnerabilities in their products, and severe incidents having an impact on the security of their products, to the designated coordinating CSIRT and ENISA via the single reporting platform (early warning within 24 hours of becoming aware, followed by a fuller notification within 72 hours).
  Business action point: manufacturers should prepare processes for monitoring security flaws, triaging whether a vulnerability is actively exploited, and reporting within the 24-hour and 72-hour windows.

11 December 2027
  Compliance milestone: full application of the CRA.
  Business action point: products with digital elements cannot be legally placed on the EU market without full proof of CRA compliance and an affixed CE mark.

Who Must Comply with the Cyber Resilience Act?

The Cyber Resilience Act applies to businesses placing products with digital elements on the EU market. In practice, the new rules affect manufacturers, importers and distributors, redefining their legal liability for product cybersecurity compliance.

The CRA covers both everyday consumer products and highly specialised solutions, including:

  • computer systems and applications, such as operating systems, desktop software, mobile applications and web software;
  • smart consumer electronics, including IoT devices and their integrated software;
  • automation and industrial infrastructure, including programmable logic controllers, sensor systems, measuring apparatus and advanced Industrial Internet of Things architecture.

The level of conformity assessment depends on how the product is classified, not on the sector in which it is used. Products listed as "important" or "critical" products with digital elements in Annexes III and IV of the CRA (which include, for example, certain network and security components and industrial control products used in energy and other critical infrastructure) are subject to stricter assessment, including external verification by independent notified bodies for the higher classes. All other products may be self-assessed by the manufacturer.

For businesses involved in the manufacture, import or distribution of products with digital elements, the CRA should be treated as a core product compliance issue, not merely as another cybersecurity regulation.

What Are the Key Cyber Resilience Act Compliance Obligations?

The CRA introduces a fundamental shift towards cybersecurity compliance across the entire lifecycle of products with digital elements. Under the new framework, cybersecurity must be addressed from the design and manufacturing stage through to vulnerability monitoring and security updates during the product support period.

The key obligations include:

  • Security by Design: products must be designed, developed and produced in a way that minimises cybersecurity vulnerabilities, on the basis of a documented cybersecurity risk assessment;
  • secure default configuration: products must be delivered with a secure configuration by default;
  • CE marking: products must carry the mandatory CE mark as visible proof of compliance before they can be traded on the EU market;
  • vulnerability management: manufacturers will be legally required to identify, document and remediate vulnerabilities throughout the product support period, to publish a coordinated vulnerability disclosure policy, and to report actively exploited vulnerabilities and severe incidents to the authorities;
  • free security updates: manufacturers will be required to provide security updates without delay and free of charge throughout the product support period, which should generally be at least five years (unless the product is expected to be in use for a shorter time);
  • Software Bill of Materials: the required technical documentation must contain an inventory of the software components the product is built from, in a commonly used machine-readable format and covering at least the top-level dependencies, so that affected products can be identified quickly when a flaw in a component becomes known.

In practice, CRA compliance will require manufacturers, importers and distributors to look at product cybersecurity as a lifecycle obligation, from secure design and CE marking to vulnerability management, documentation and support-period updates.

What Should Companies Do Now?

Companies that manufacture, import or distribute products with digital elements should start preparing for the CRA well before its full application on 11 December 2027.

From that date, products with digital elements cannot be legally placed on the EU market without full proof of CRA compliance and an affixed CE mark.

At this stage, companies should focus on the following steps:

  • verify whether their products qualify as products with digital elements under the CRA;
  • determine whether they act as manufacturers, importers or distributors;
  • assess whether their products are classified as "important" or "critical" products with digital elements under Annexes III and IV, which triggers stricter conformity assessment, including external verification by a notified body for some categories;
  • review product design and manufacturing processes from the perspective of Security by Design and secure default configuration;
  • prepare processes for monitoring security flaws and for reporting actively exploited vulnerabilities and severe incidents within the 24-hour and 72-hour notification windows;
  • plan free security updates throughout the product support period;
  • prepare technical documentation, including a Software Bill of Materials;
  • align product compliance with the CE marking requirement before the CRA becomes fully applicable.

The CRA requires companies to treat cybersecurity as an integral part of product compliance. Preparation should therefore cover product design, technical documentation, vulnerability management, security updates and CE marking readiness.

How Can Dudkowiak & Putyra Support Your Cyber Resilience Act Compliance Process?

The Cyber Resilience Act creates a new product cybersecurity compliance challenge for companies placing products with digital elements on the EU market. Manufacturers, importers and distributors should assess whether their products fall within the scope of the CRA, identify applicable obligations and prepare for the upcoming compliance deadlines.

Failure to comply with CRA requirements in a timely manner, including certification requirements where applicable, may expose businesses to significant administrative fines of up to EUR 15 million or 2.5% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher (for breaches of the essential cybersecurity requirements and the core manufacturer obligations; lower maximums apply to other breaches), as well as potential personal liability for management board members.

Dudkowiak & Putyra can support businesses with:

  • assessing whether a product qualifies as a product with digital elements under the CRA;
  • analysing the company’s role as manufacturer, importer or distributor;
  • reviewing the scope of CRA compliance obligations applicable to the product;
  • supporting legal and organisational readiness for Security by Design and secure default configuration requirements;
  • assisting with vulnerability reporting and serious cybersecurity incident reporting procedures;
  • supporting the preparation of required technical documentation, including a Software Bill of Materials;
  • reviewing supplier contracts and supporting supply chain continuity;
  • helping businesses prepare for CE marking, certification requirements where applicable, and CRA compliance before the full application date.

Do not wait until the CRA becomes fully applicable. If the Cyber Resilience Act may affect your current or planned business operations, contact our experts to assess your obligations and develop a dedicated compliance roadmap.

Author: Wojciech Kasprzak, team leader, D&P Legal
