Raising the bar on cybersecurity: what the European Cyber Resilience Act means for digital products

Tuesday 29 April 2025

Christoph Callewaert
reuschlaw, Saarbrücken
christoph.callewaert@reuschlaw.de

Christina Kiefer
reuschlaw, Saarbrücken
christina.kiefer@reuschlaw.de

Introduction

Through the creation of the European Cyber Resilience Act (CRA),[1] the European Union has introduced a horizontal regulation setting mandatory cybersecurity requirements for a wide range of digital products. It aims to close critical security gaps by establishing a consistent and high level of cybersecurity across the EU market. While the CRA will be fully applicable from 2027, companies need to act now. This article outlines the scope and obligations of the CRA and provides guidance on how companies placing digital products on the EU market should prepare.

What products are in scope?

The scope of the CRA covers a wide range of products with digital elements, reflecting the intention of the EU legislator to ensure a consistent level of cybersecurity across the digital product landscape. These include:

  • software products, such as applications, operating systems or embedded software;
  • hardware products with data communication capabilities, including connected devices (eg, Internet of Things devices, smart home systems, wearables); and
  • software or hardware components that are placed on the market separately.

However, the CRA does not apply to certain categories of products that are already regulated under specific EU frameworks. Notable exclusions include medical devices and in vitro diagnostic devices, which are covered by specific EU legislation, as well as products developed exclusively for national security purposes. To ensure the innovation and high potential of open-source software, free and open-source software is excluded from the scope of the CRA as long as it is not made available on the EU market in the course of a commercial activity.

From a geographical perspective, the CRA follows the so-called ‘marketplace principle’. This means that the Regulation applies to any product made available on the EU internal market, whether for payment or free of charge, as long as it is made available in the context of a commercial activity. It is therefore irrelevant whether the manufacturer or supplier is based inside or outside the EU: if the product is available to users within the EU, the CRA applies.

Who is affected?

The CRA applies to a wide range of economic operators involved in placing products with digital elements on the EU market. This includes not only manufacturers, but also importers, distributors and authorised representatives. The definition of a manufacturer under the CRA is broad: it covers not only those who design and build products, but also those who rebrand existing products or make substantial modifications before placing them on the EU market. Even open-source software stewards fall within the scope of certain specific obligations.

What core obligations must be met?

Risk assessment and risk management

The CRA requires manufacturers to ensure that products with digital elements are designed, developed and maintained in a way that guarantees an appropriate level of cybersecurity throughout their entire lifecycle. This obligation marks a significant shift towards embedding security as a fundamental element of product design and operation, rather than treating it as an afterthought.

A core component of this requirement is the performance of a comprehensive risk assessment. This assessment must consider the intended use of the product, any reasonably foreseeable misuse, the operating environment in which the product will operate, the types of data it will process and the expected lifetime of the product. In addition, manufacturers must consider the potential impact of security incidents on the confidentiality, integrity and availability of the relevant systems and information.

Based on the results of this risk assessment, manufacturers must take proactive risk control measures. Products can only be placed on the EU market if they do not contain any known exploitable vulnerabilities at the time of their release. Furthermore, products must be delivered with secure default settings, must minimise potential attack surfaces through secure-by-design principles and must allow users to apply security updates without the need for additional software or hardware.

These obligations go beyond technical specifications. Manufacturers must also embed these requirements into their internal structures and processes, including development practices, quality assurance workflows, incident response protocols and overall cybersecurity governance. The CRA thus promotes a holistic, lifecycle-based approach to cybersecurity that will require companies to review and strengthen their existing development and compliance strategies.

Vulnerability management and monitoring

As part of their compliance with the CRA, manufacturers must establish and maintain a robust vulnerability management system. This system must include both proactive and reactive measures to identify and address cybersecurity risks throughout a product’s lifecycle.

At its core, the system must include continuous monitoring, both active and passive, of products in the field to detect emerging threats and vulnerabilities. This monitoring must also cover third-party components, including open-source software, that are incorporated into digital products. To facilitate transparency and effective risk management, manufacturers are further required to maintain a detailed Software Bill of Materials (SBOM), listing all software dependencies used within a product. Regular security testing, including penetration testing and code reviews, should be conducted to ensure that the product remains secure over time.
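The SBOM-based monitoring described above can be illustrated with a small matching routine. The following is an added example written for this article; it is not code from the authors, the Regulation or any named tool. It assumes a minimal CycloneDX-style JSON document and an advisory feed with half-open "introduced/fixed" version ranges; the component names, versions and advisory identifiers are constructed placeholders. It also handles the case a practitioner runs into first: a component listed without a version cannot be assessed at all and must be reported separately rather than silently treated as clean.

```python
import json
from typing import Dict, List, Tuple

# Constructed example SBOM in a CycloneDX-like JSON shape (not any real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-gateway", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2"},
    {"type": "library", "name": "parser-kit", "version": "0.9.1"},
    {"type": "library", "name": "tlswrap", "version": "3.0.0"},
    {"type": "library", "name": "legacy-util"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers. Each entry affects
# versions in the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "libfoo", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-ADV-0002", "component": "parser-kit", "introduced": "0.8.0", "fixed": "0.9.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "tlswrap", "introduced": "2.0.0", "fixed": "3.0.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple ('1.10.0' > '1.9.9')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed, so the first fixed release is clean."""
    current = parse_version(version)
    return parse_version(introduced) <= current < parse_version(fixed)


def load_components(sbom_text: str) -> List[Dict]:
    """Extract the component list from a CycloneDX-style JSON document."""
    return json.loads(sbom_text).get("components", [])


def match_sbom_against_advisories(sbom_text: str, advisories: List[Dict]) -> Dict[str, List]:
    """Return affected (name, version, advisory id) triples plus components that
    lack a version and therefore cannot be assessed against any advisory."""
    affected: List[Tuple[str, str, str]] = []
    unassessable: List[str] = []
    for comp in load_components(sbom_text):
        name = comp.get("name")
        version = comp.get("version")
        if not name or not version:
            # An SBOM entry without a version gives the monitoring process nothing
            # to compare; flag it so the SBOM itself gets corrected.
            unassessable.append(name or "<unnamed>")
            continue
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                affected.append((name, version, adv["id"]))
    return {"affected": affected, "unassessable": unassessable}


if __name__ == "__main__":
    report = match_sbom_against_advisories(SBOM_JSON, ADVISORIES)
    for name, version, adv_id in report["affected"]:
        print(f"AFFECTED   {name} {version} ({adv_id})")
    for name in report["unassessable"]:
        print(f"NO VERSION {name}: cannot be assessed, fix the SBOM entry")
```

Run against the constructed data, the routine reports libfoo 1.4.2 as affected by EXAMPLE-ADV-0001, leaves tlswrap 3.0.0 clean because it is the first fixed release, and lists legacy-util as unassessable. In practice the advisory feed would be replaced by a real vulnerability source and the version comparison by a scheme that handles pre-release and vendor suffixes, but the structure of the check, and the need to surface incomplete SBOM entries, stays the same.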

When vulnerabilities are discovered, manufacturers must act quickly. Security updates must, as a rule, be provided free of charge, typically for at least five years or the expected lifetime of the product, whichever is shorter. These updates must be provided without introducing additional security risks and in a way that does not impose additional technical requirements on the user. To build and maintain user confidence, manufacturers are also expected to publicly disclose information about fixed vulnerabilities, thereby promoting transparency and accountability in the handling of security issues.

Reporting obligations and documentation

In situations where vulnerabilities are actively exploited, the CRA imposes strict and timely reporting obligations on manufacturers. These measures are designed to ensure rapid response and transparency in the event of a security incident affecting products with digital elements.

Manufacturers must issue a preliminary warning to the competent authority within 24 hours of becoming aware of the incident. This early warning is intended to notify the relevant authorities of a potential threat, even before a full analysis is available. Within 72 hours, a more detailed incident notification must be submitted. This report should detail the affected product, the nature and severity of the exploit and any initial corrective or containment measures implemented to mitigate the impact. Finally, a follow-up report must be submitted within 14 days of the implementation of the mitigation. This report should include information on the root cause of the vulnerability, the identity and tactics of any malicious actors (if known) and a full description of the corrective measures taken.

In addition to these reporting obligations, the CRA also requires manufacturers to maintain comprehensive documentation to demonstrate compliance. This includes a detailed technical file explaining how the product meets the requirements of the CRA, records of the initial risk assessment and its conclusions, documentation on all the corrective actions and security updates issued and a description of the internal processes for identifying, managing and remediating vulnerabilities. These records must be made available to the market surveillance authorities upon request and they will serve as the evidentiary basis for verifying regulatory compliance.

Supply chain and contractual implications

The cybersecurity obligations imposed by the CRA extend well beyond the boundaries of individual companies and products, reaching deep into the supply chain. Manufacturers are responsible not only for the security of their own components, but also for those sourced from third parties, including open-source software. This extended responsibility means that supply chain security is no longer optional; it is a legal requirement.

To meet these obligations, manufacturers must ensure that contracts with suppliers and service providers clearly define the relevant cybersecurity responsibilities. This includes assigning roles for identifying and remediating vulnerabilities, managing updates and ensuring the secure integration of components. Contracts should also include specific provisions for penetration testing, cooperation on incident response and the timely delivery of security patches and updates. In addition, it is increasingly recommended that manufacturers require their suppliers to provide an SBOM as part of the contractual framework. This allows for greater transparency regarding the components used and supports effective risk assessment and vulnerability management throughout the supply chain.

To enforce these requirements, manufacturers should implement audit rights and contractual enforcement mechanisms, including penalties for non-compliance. Regular monitoring of supplier compliance is essential to mitigate risks and ensure that the entire value chain aligns with the cybersecurity standards set out in the CRA.

When does the CRA apply?

The CRA entered into force in December 2024 and will apply in stages:

  • from 11 June 2026 the requirements for conformity assessment bodies will apply;
  • from 11 September 2026 the notification obligations for manufacturers will apply; and
  • 11 December 2027 marks the full applicability of the CRA in all EU Member States.

In view of this timeline, the CRA provides for a graded three-year transition period. However, this should not be seen as a reason to delay the relevant preparations. On the contrary, the complexity and scope of the obligations, ranging from product design and risk assessment to contractual management and incident reporting, require careful preparation and early action. Companies that start now will be far better positioned to meet compliance requirements and avoid business disruptions as the deadline approaches.

What should companies do now?

Although the full application of the CRA is still some way away, its far-reaching impact demands early action. Some key actions are as follows:

  • identify affected products and clarify your role (manufacturer, importer, distributor);
  • conduct a gap analysis to determine which cybersecurity controls are already in place and where the gaps are;
  • implement a compliance roadmap, integrating technical and organisational measures;
  • review and adapt contracts with suppliers, especially concerning security responsibilities; and
  • educate product teams and develop internal guidelines for CRA compliance, including an open-source software management team.

Conclusion

The CRA represents a significant shift in the landscape of cybersecurity for digital products within the EU market. With strict obligations and high penalties, up to €15m or 2.5 per cent of global annual turnover, companies should treat CRA compliance as a strategic priority. Those who act now can not only avoid costly surprises, but also gain a competitive advantage through secure and compliant product design.


[1] Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements.