Cyber Resilience Act: What Manufacturers of Digital Products Need to Know Now
What Is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is Regulation (EU) 2024/2847. It entered into force on 10 December 2024 and establishes binding cybersecurity requirements for all products with digital elements placed on the EU market. Manufacturers, importers and distributors are all in scope — regardless of whether a product is sold for a fee or distributed free of charge.
In short: anyone who markets software, hardware, or network-connected products in the EU must be able to demonstrate cybersecurity as an integral part of the product — built in from the start, not added as an afterthought. Use our Scope Check to find out whether your product is affected.
The Three Critical Deadlines
The CRA comes into force in stages. Three dates matter most in practice:
| Date | What applies from then on? |
|---|---|
| 11 September 2026 | Reporting and notification obligations for actively exploited vulnerabilities and severe incidents (Art. 14 CRA). This is the first hard operational deadline for manufacturers. |
| 11 June 2026 | Rules on notified bodies (Conformity Assessment Bodies) become applicable. |
| 11 December 2027 | Full applicability of all remaining product requirements: Security by Design, SBOM, CE marking, technical documentation, EU Declaration of Conformity. |
Any manufacturer without a functioning notification process in place by September 2026 risks non-compliance — before the main product requirements even apply. For details: CRA Notification Obligations from 11 September 2026 — what applies now.
Who Is Affected by the CRA?
The CRA targets all economic operators along the supply chain who place products with digital elements on the EU market:
- Manufacturers: Anyone who develops or has developed a product and markets it under their own name or brand — including when offered free of charge.
- Importers: Anyone who brings a product from a third country into the EU and places it on the EU market.
- Distributors: Anyone who makes a product available on the EU market without being the manufacturer or importer — with graduated obligations.
A "product with digital elements" is any hardware or software capable of establishing a direct or indirect logical or physical connection to a device or network. This includes mobile apps, industrial control systems, network devices, security software and many other categories.
No size exemption: SMEs and micro-enterprises are in principle in scope. There are limited accommodations regarding certain notification and penalty aspects, but no blanket exemption. More on this: CRA for SMEs.
Products already covered by equivalent sector-specific EU legislation are excluded — for example, medical devices (MDR/IVDR), motor vehicles (type approval), and aviation products. This covers edge cases; the vast majority of software and hardware manufacturers fall under the CRA.
Still unsure whether your product is affected? Check your scope now — or read the in-depth article: Cyber Resilience Act — am I affected? Roles & exceptions explained.
Product Classes: What Applies to Which Product?
The CRA distinguishes three risk-based categories. The classification determines which conformity assessment procedure is required:
| Class | Typical products (examples) | Conformity assessment |
|---|---|---|
| Default | Memory chips, mobile apps, video games, smart speakers | Self-assessment (internal control, Module A) permissible |
| Important — Class I (Annex III) | Identity and access management software, browsers, password managers, VPN, SIEM, PKI, network monitoring, malware detection | Self-assessment only when harmonised standards or common specifications are applied; otherwise third-party assessment by a notified body |
| Important — Class II (Annex III) | Hypervisors, container runtimes, hardware firewalls, ICS/SCADA systems, routers/modems for industrial use, general-purpose microprocessors | Involvement of a notified body mandatory (EU type examination Module B/C or Module H) |
| Critical (Annex IV) | Smart cards, secure elements, smart meter gateways | Notified body mandatory in all cases, or mandatory EU cybersecurity certification scheme |
Technical descriptions for important and critical products are specified further in Implementing Regulation (EU) 2025/2392. Classifying a specific product may require interpretation in individual cases — blanket self-assessments are not appropriate here. More on classification: CRA product classes: classification & conformity pathways.
Notification Obligations from 11 September 2026
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of their products. The timelines are tight:
- 24 hours: Early warning upon becoming aware
- 72 hours: Full notification including corrective and mitigation measures taken
- 14 days: Final report for vulnerabilities — no later than 14 days after a corrective measure becomes available
- 1 month: Final report for severe incidents — within one month of the 72-hour notification
Reports are submitted once via the CRA Single Reporting Platform (SRP), operated by ENISA and scheduled to be operational by 11 September 2026. The notification is sent to the CSIRT of the member state of the manufacturer's main establishment and simultaneously to ENISA.
Meeting these deadlines requires prior preparation: an established PSIRT process, a maintained SBOM for rapid vulnerability identification, and clear internal escalation paths. Without this foundation, the 24-hour early warning is not realistically achievable.
Details and recommended actions: CRA notification obligations from 11 September 2026: 24h/72h/14-day timelines explained.
Core Obligations for Manufacturers
From 11 December 2027, the full requirements of Art. 13 and Annex I and II apply to all manufacturers of products with digital elements:
- Security by Design and Security by Default: Cybersecurity must be embedded from the outset in product design and development — as a default, not an option.
- Cybersecurity risk assessment: Systematic evaluation throughout the entire lifecycle (design, development, production).
- Vulnerability management over the support period: Coordinated vulnerability disclosure, patch provision, communication of end-of-support dates.
- Software Bill of Materials (SBOM): Complete inventory of all software components including third-party components — as part of technical documentation and the basis for vulnerability tracking.
- Technical documentation: To be kept available for market surveillance authorities.
- CE marking: After successful conformity assessment.
- EU Declaration of Conformity: Formal proof of compliance with CRA requirements.
- User information (Annex II): Transparent communication about security properties and support period.
SBOM requirements in detail — formats, archiving obligations, depth: SBOM requirements under the CRA: CycloneDX vs. SPDX, TR-03183-2 & archiving.
CRA Readiness: Where Do Your Processes Stand Today?
Many affected organisations still underestimate how technically demanding the CRA requirements are — and the first operational deadline (September 2026) is closer than many realise. CRA Readiness does not mean fulfilling all requirements simultaneously, but addressing the right measures in the right sequence:
- Clarify scope and product class — What applies to which product?
- Establish notification processes — PSIRT, escalation paths, SRP connectivity — by September 2026.
- Build SBOM foundations — Component inventory, dependency tracking, format selection (CycloneDX 1.6 or higher / SPDX 3.0.1 or higher).
- Anchor Security by Design — Integrate risk assessments into development processes.
- Prepare conformity assessment — Technical documentation, and where applicable, engage a notified body.
Which steps make sense for your product and in which order depends on your starting point. A prioritised implementation plan for SMEs and mid-size companies: Cyber Resilience Act for SMEs: Prioritised implementation plan 2026/2027.
How Blackfort Technology Supports Your CRA Journey
Blackfort Technology provides technical and organisational support to manufacturers, importers and distributors on the path to CRA Readiness. Christian Gebhardt, Managing Director and co-author of the ACS/BSI guidance on LLM penetration testing as well as a member of the ACS AI expert working group, brings hands-on implementation experience from PKI projects, DORA and NIS2 mandates, ISMS build-outs, and SBOM and vulnerability management engagements.
Key areas of support:
- Scope analysis and product classification: Structured classification of your products into Default, Class I, Class II or Critical — based on the CRA text and Implementing Regulation (EU) 2025/2392.
- SBOM build-out and gap analysis: Component inventory, format selection, integration into existing development processes, Dependency-Track connectivity. For an initial assessment: Request an SBOM Gap Report (cra-sbom.de).
- Vulnerability management and PSIRT establishment: Process design and operational support for building a Product Security Incident Response Team capable of meeting the 24h/72h notification deadlines.
- Security by Design integration: Embedding cybersecurity risk assessments into existing development and quality assurance processes.
- Conformity assessment preparation: Technical documentation, self-assessment (Module A) or support when engaging a notified body.
For mid-market and small companies, we provide pragmatic, prioritised support — concrete measures that fit within realistic budgets and timeframes. Our SME offering at a glance.
Further Reading
- Cyber Resilience Act — am I affected? Roles & exceptions explained
- CRA notification obligations from 11 September 2026: 24h/72h timelines and PSIRT build-out
- SBOM requirements under the CRA: CycloneDX vs. SPDX, TR-03183-2 & archiving
- CRA product classes: Default, Class I/II and Critical — classification & conformity pathways
- Cyber Resilience Act for SMEs: Prioritised implementation plan 2026/2027
Frequently asked questions
When does the Cyber Resilience Act apply?
As a software manufacturer, am I affected by the CRA?
What is an SBOM and why does it matter for the CRA?
What happens if I fail to meet the notification obligations from September 2026?
Does the CRA apply to open-source software?
Let's talk about your CRA readiness
Where does your product stand today against CRA requirements? Talk to Christian Gebhardt about a pragmatic starting point — SBOM inventory, PSIRT process and scope clarification as first steps.
Request a first call Check eligibility