European Cyber Resilience Act: What ​​​​Companies Need to Do Now

New Regulations, A Lot of Uncertainty: Challenges Associated With the CRA

The timeline for the Cyber Resilience Act is as follows:

• The reporting obligation for vulnerabilities and incidents is due to take effect on September 11, 2026. Both the ENISA (European Network and Information Security Agency) and CSIRT (Computer Security Incident Response Team) need to be informed.
• From December 11, 2027, the EU CRA will apply in full to all companies that manufacture, trade, or put into circulation products with digital elements in the EU internal market.

f products do not meet the requirements, companies may face fines, product recalls, or the product may be banned from the EU internal market altogether. This presents many companies with challenges, as they have

… Insufficient capacity: Small and medium-sized companies (SMEs) often lack the personnel resources to implement the CRA stipulations. A Europe-wide survey (Ensuring Cybersecurity Compliance: Assessing SME. Awareness and Preparedness for the Cyber Resilience Act) taken by 416 SMEs showed that only 12.3% are familiar with the Cyber Resilience Act.

… A low level of cybersecurity for products with digital elements: Until now, there haven’t been any consistent regulations concerning the cybersecurity of products with digital elements. Products are brought to market with known vulnerabilities or with insufficient protection across their product lifecycle. The main causes are poor technical implementation, insufficient vulnerability management, unregulated periods of support, and a lack of accountability.

… Lack of information for affected users: When it comes to security vulnerabilities and incidents, there is often a lack of information and security updates for users. Communication channels that facilitate communication between companies and customers are often yet to be established. The CRA requires companies to provide security updates and to inform customers about incidents.

What Does the CRA Mean for You? Obligations – CE Marking – Reporting

What does the regulation cover? What are the resulting obligations, requirements, and responsibilities? Read on to find out.

Responsibilities facing manufacturers, distributors, and importers

The CRA requires economic operators – such as manufacturers, distributors, and importers of products with digital elements – to ensure harmonized cybersecurity standards.

• Manufacturers must consider the technical requirements during the development stage (i.e., security by design); they must also assess and document risks (including for third-party components). Furthermore, they need to ensure security updates and vulnerability management are provided throughout the entire support period. In order to obtain the CE label for products with digital elements, additional cybersecurity requirements must now be implemented as part of the CRA.
• Distributors may only place products with digital elements on the EU internal market if they have a CE marking, i.e., if they have implemented the associated CRA requirements. They need to check whether the manufacturer has met the requirements, need to keep declarations of conformity and other documentation to hand, and need to inform the relevant authorities of any vulnerabilities or risks.
• Importers must ensure that all the required information is provided, must refrain from launching products with security defects, and, in the event of product modifications, must assume the manufacturer's responsibilities.

CRA and the CE label

To continue meeting the CE marking requirements (or to be authorized to use the CE label), companies must now also be able to prove that they meet the mandatory cybersecurity requirements stipulated by the CRA, have undergone a conformity assessment procedure, and that the product has been brought to market without any known exploitable vulnerabilities.

What this means for the product cycle

The CRA demands increased responsibility and transparency from companies and makes it clear that cybersecurity does not end when a product is brought to market. Products with digital elements need to be designed, developed, and maintained to ensure cyber resilience throughout their entire lifecycle. Companies need to systematically assess and minimize the risks and vulnerabilities during the development phase and provide regular security updates throughout the product’s expected lifetime. This is a minimum of five years for all products.

The EU CRA standardizes rules and stipulations for reporting

Under the European Union’s Cyber Resilience Act, manufacturers, distributors, and importers are also duty-bound to meet extensive reporting requirements. Clear rules are also stipulated for market surveillance and sanctions. These include:

• Manufacturers must report serious security incidents
  Manufacturers must report serious security incidents Manufacturers must report security loopholes and vulnerabilities that are being actively exploited to the responsible CSIRT and ENISA via a central reporting platform within 24 hours. In addition, once 72 hours have passed, information must be provided (including to users) about the nature of the incident, the affected vulnerability, and measures to correct, mitigate, or reduce the severity of the incident. After 14 days, the manufacturer must provide a final report on the incident.
• Compulsory compliance procedures
  Before products containing digital elements are placed on the EU market, manufacturers must carry out a conformity assessment procedure. There are different procedures depending on the product category. These range from internal controls to extensive external full quality assurance. The EU is striving to achieve uniform guidelines across Europe.
• National authorities are responsible for monitoring
  EU member states’ market surveillance authorities are responsible for coordinated and continuous monitoring of compliance with the CRA regulation via so-called “sweeps”. They work closely with CSIRTs and ENISA. In the case of infringements, they have the power to demand that manufacturers take action. If necessary, they can withdraw or recall products from the market.
• Violations of key obligations may result in sanctions
  If companies fail to meet the requirements, they face heavy fines. These can amount to up to 15 million euros or 2.5 percent of the global annual turnover.

Classifying Products With Digital Elements in Accordance With the EU Cyber Resilience Act

Products with digital elements are categorized according to different product categories, for example, microcontrollers or identity systems. The following classification determines which conformity assessment procedure is used:

1. Important products with digital elements – Class I perform security-relevant functions that may affect other products, networks, or services. These include things like password managers, VPN software, and smart home products. Manufacturers must meet the essential requirements of Annex I of the CRA. The conformity assessment can be carried out by self-assessment under certain circumstances.
2. Important products with digital elements – Class II have a significant impact on other systems, services, or users in the event of a security incident. These products typically include firewalls, microprocessors and controllers, and hypervisors. In the case of these products, the conformity assessment must be performed either by an authorized body or via certification in line with a European cybersecurity certification scheme (where available).
3. Critical products with digital elements are used in critical infrastructures or particularly sensitive environments. Examples of these products include smart meter gateways, security chips, and hardware with control functions that are critical to security. These products require mandatory certification in accordance with a European cybersecurity certification scheme (where available).
4. Products that do not fall under the classification according to Annexes III and IV of the CRA regulation (e.g., simple Internet of Things devices or standardized software solutions without critical functions) must still meet the essential cybersecurity requirements of the CRA. In this case, the conformity assessment is usually completed as part of an internal check.

Trust in Experience and Benefit From Expert Support in Ensuring Compliance With the EU Cyber Resilience Act

The CRA requirements are complex. And this makes it all the more important to address the regulatory challenges early and in a strategic and holistic way. We support companies in the end-to-end implementation of the CRA, utilizing our extensive experience with regulations. We have successfully supported companies in fulfilling the complex requirements of UNECE R155/156, the EU Data Act, and the AI Act. We are here to support you from an initial strategic assessment to technical implementation, training, documentation, and operations. We take a structured, three-stage approach.

Phase 1: Checking what is required

In this first stage, we analyze your company’s status quo and products in view of the requirements of the CRA. Together, we will clarify the specific requirements that the CRA places on your company – whether you are a manufacturer, importer, or distributor. We will identify relevant products and classify your products with digital elements in line with the CRA product categories.

Phase 2: Determining the action needed

We will then carry out a gap analysis and a CRA readiness check. We will examine the extent to which your technical and organizational measures already comply with CRA requirements. In order to do this, we map your existing processes, identify gaps, and determine where action is required. The result: a specially tailored roadmap that serves as an implementation plan for the next phase.

Phase 3: Taking action to move you forward

We then use this roadmap as a basis to implement the measures required and to put them into operation. This phase is not just about technical adjustments but rather about building out the necessary skills, roles, and processes within the company. We will work together with you to develop a rollout plan, accompany you through the compliance assessments and procedures, and ensure that cyber resilience is integrated into your regular processes.

Protect Your Business – With Lasting Cybersecurity

Companies that produce, trade, or market products with digital elements need to act now. The CRA requires the implementation of essential cybersecurity requirements throughout the entire product lifecycle. If you address the requirements of the regulation now, you can reduce the risk of product recalls, fines, or the banning of products.

MHP is here to accompany you along the way – from start to finish. Together, we will create the structures to ensure your company is not just compliant but set for the future. Get the advice you need now.

Legal Disclaimer: This presentation on the EU Cyber Resilience Act is for general information purposes only and does not constitute legal advice. It is therefore no substitute for legal advice in individual cases. Despite careful preparation, we assume no liability for the completeness, timeliness, and accuracy of the information provided

FAQs