Blackfort Technology

Cyber Resilience Act: What Manufacturers of Digital Products Need to Know Now

What Is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is Regulation (EU) 2024/2847. It entered into force on 10 December 2024 and establishes binding cybersecurity requirements for all products with digital elements placed on the EU market. Manufacturers, importers and distributors are all in scope — regardless of whether a product is sold for a fee or distributed free of charge.

In short: anyone who markets software, hardware, or network-connected products in the EU must be able to demonstrate cybersecurity as an integral part of the product — built in from the start, not added as an afterthought. Use our Scope Check to find out whether your product is affected.

The Three Critical Deadlines

The CRA comes into force in stages. Three dates matter most in practice:

Date What applies from then on?
11 September 2026 Reporting and notification obligations for actively exploited vulnerabilities and severe incidents (Art. 14 CRA). This is the first hard operational deadline for manufacturers.
11 June 2026 Rules on notified bodies (Conformity Assessment Bodies) become applicable.
11 December 2027 Full applicability of all remaining product requirements: Security by Design, SBOM, CE marking, technical documentation, EU Declaration of Conformity.

Any manufacturer without a functioning notification process in place by September 2026 risks non-compliance — before the main product requirements even apply. For details: CRA Notification Obligations from 11 September 2026 — what applies now.

Who Is Affected by the CRA?

The CRA targets all economic operators along the supply chain who place products with digital elements on the EU market:

  • Manufacturers: Anyone who develops or has developed a product and markets it under their own name or brand — including when offered free of charge.
  • Importers: Anyone who brings a product from a third country into the EU and places it on the EU market.
  • Distributors: Anyone who makes a product available on the EU market without being the manufacturer or importer — with graduated obligations.

A "product with digital elements" is any hardware or software capable of establishing a direct or indirect logical or physical connection to a device or network. This includes mobile apps, industrial control systems, network devices, security software and many other categories.

No size exemption: SMEs and micro-enterprises are in principle in scope. There are limited accommodations regarding certain notification and penalty aspects, but no blanket exemption. More on this: CRA for SMEs.

Products already covered by equivalent sector-specific EU legislation are excluded — for example, medical devices (MDR/IVDR), motor vehicles (type approval), and aviation products. This covers edge cases; the vast majority of software and hardware manufacturers fall under the CRA.

Still unsure whether your product is affected? Check your scope now — or read the in-depth article: Cyber Resilience Act — am I affected? Roles & exceptions explained.

Product Classes: What Applies to Which Product?

The CRA distinguishes three risk-based categories. The classification determines which conformity assessment procedure is required:

Class Typical products (examples) Conformity assessment
Default Memory chips, mobile apps, video games, smart speakers Self-assessment (internal control, Module A) permissible
Important — Class I (Annex III) Identity and access management software, browsers, password managers, VPN, SIEM, PKI, network monitoring, malware detection Self-assessment only when harmonised standards or common specifications are applied; otherwise third-party assessment by a notified body
Important — Class II (Annex III) Hypervisors, container runtimes, hardware firewalls, ICS/SCADA systems, routers/modems for industrial use, general-purpose microprocessors Involvement of a notified body mandatory (EU type examination Module B/C or Module H)
Critical (Annex IV) Smart cards, secure elements, smart meter gateways Notified body mandatory in all cases, or mandatory EU cybersecurity certification scheme

Technical descriptions for important and critical products are specified further in Implementing Regulation (EU) 2025/2392. Classifying a specific product may require interpretation in individual cases — blanket self-assessments are not appropriate here. More on classification: CRA product classes: classification & conformity pathways.

Notification Obligations from 11 September 2026

From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of their products. The timelines are tight:

  • 24 hours: Early warning upon becoming aware
  • 72 hours: Full notification including corrective and mitigation measures taken
  • 14 days: Final report for vulnerabilities — no later than 14 days after a corrective measure becomes available
  • 1 month: Final report for severe incidents — within one month of the 72-hour notification

Reports are submitted once via the CRA Single Reporting Platform (SRP), operated by ENISA and scheduled to be operational by 11 September 2026. The notification is sent to the CSIRT of the member state of the manufacturer's main establishment and simultaneously to ENISA.

Meeting these deadlines requires prior preparation: an established PSIRT process, a maintained SBOM for rapid vulnerability identification, and clear internal escalation paths. Without this foundation, the 24-hour early warning is not realistically achievable.

Details and recommended actions: CRA notification obligations from 11 September 2026: 24h/72h/14-day timelines explained.

Core Obligations for Manufacturers

From 11 December 2027, the full requirements of Art. 13 and Annex I and II apply to all manufacturers of products with digital elements:

  • Security by Design and Security by Default: Cybersecurity must be embedded from the outset in product design and development — as a default, not an option.
  • Cybersecurity risk assessment: Systematic evaluation throughout the entire lifecycle (design, development, production).
  • Vulnerability management over the support period: Coordinated vulnerability disclosure, patch provision, communication of end-of-support dates.
  • Software Bill of Materials (SBOM): Complete inventory of all software components including third-party components — as part of technical documentation and the basis for vulnerability tracking.
  • Technical documentation: To be kept available for market surveillance authorities.
  • CE marking: After successful conformity assessment.
  • EU Declaration of Conformity: Formal proof of compliance with CRA requirements.
  • User information (Annex II): Transparent communication about security properties and support period.

SBOM requirements in detail — formats, archiving obligations, depth: SBOM requirements under the CRA: CycloneDX vs. SPDX, TR-03183-2 & archiving.

CRA Readiness: Where Do Your Processes Stand Today?

Many affected organisations still underestimate how technically demanding the CRA requirements are — and the first operational deadline (September 2026) is closer than many realise. CRA Readiness does not mean fulfilling all requirements simultaneously, but addressing the right measures in the right sequence:

  1. Clarify scope and product class — What applies to which product?
  2. Establish notification processes — PSIRT, escalation paths, SRP connectivity — by September 2026.
  3. Build SBOM foundations — Component inventory, dependency tracking, format selection (CycloneDX 1.6 or higher / SPDX 3.0.1 or higher).
  4. Anchor Security by Design — Integrate risk assessments into development processes.
  5. Prepare conformity assessment — Technical documentation, and where applicable, engage a notified body.

Which steps make sense for your product and in which order depends on your starting point. A prioritised implementation plan for SMEs and mid-size companies: Cyber Resilience Act for SMEs: Prioritised implementation plan 2026/2027.

How Blackfort Technology Supports Your CRA Journey

Blackfort Technology provides technical and organisational support to manufacturers, importers and distributors on the path to CRA Readiness. Christian Gebhardt, Managing Director and co-author of the ACS/BSI guidance on LLM penetration testing as well as a member of the ACS AI expert working group, brings hands-on implementation experience from PKI projects, DORA and NIS2 mandates, ISMS build-outs, and SBOM and vulnerability management engagements.

Key areas of support:

  • Scope analysis and product classification: Structured classification of your products into Default, Class I, Class II or Critical — based on the CRA text and Implementing Regulation (EU) 2025/2392.
  • SBOM build-out and gap analysis: Component inventory, format selection, integration into existing development processes, Dependency-Track connectivity. For an initial assessment: Request an SBOM Gap Report (cra-sbom.de).
  • Vulnerability management and PSIRT establishment: Process design and operational support for building a Product Security Incident Response Team capable of meeting the 24h/72h notification deadlines.
  • Security by Design integration: Embedding cybersecurity risk assessments into existing development and quality assurance processes.
  • Conformity assessment preparation: Technical documentation, self-assessment (Module A) or support when engaging a notified body.

For mid-market and small companies, we provide pragmatic, prioritised support — concrete measures that fit within realistic budgets and timeframes. Our SME offering at a glance.

Further Reading

Frequently asked questions

When does the Cyber Resilience Act apply?
The CRA entered into force on 10 December 2024. The first operational obligation — reporting actively exploited vulnerabilities and severe incidents — applies from 11 September 2026. The full product requirements (Security by Design, SBOM, CE marking) apply from 11 December 2027.
As a software manufacturer, am I affected by the CRA?
Most likely yes. The CRA applies to all manufacturers of products with digital elements — including software products capable of connecting to a network or device. This covers business software, security solutions, mobile apps and many other categories. There is no size exemption. Use our Scope Check to assess your situation in a structured way.
What is an SBOM and why does it matter for the CRA?
A Software Bill of Materials (SBOM) is a complete, machine-readable list of all software components in a product — including third-party components and their versions. The CRA requires an SBOM as part of technical documentation. In practice, it is the foundation for being able to issue an early warning within 24 hours when a known vulnerability affects a dependency. Without an SBOM, this process is not reliably achievable.
What happens if I fail to meet the notification obligations from September 2026?
The CRA provides for graduated sanctions. Infringements of the essential requirements (Annex I) as well as of core manufacturer obligations under Art. 13 and 14 — which include the reporting obligations — can result in fines of up to EUR 15 million or 2.5 % of global annual turnover (whichever is higher). For infringements of certain other obligations, the CRA provides a lower ceiling of up to EUR 10 million or 2 % of annual turnover. The exact penalty framework in an individual case should be clarified with legal counsel.
Does the CRA apply to open-source software?
Open-source stewards — organisations that coordinate the development of open-source software without commercialising it — benefit from lighter obligations, including no CRA penalties. Manufacturers who incorporate open-source components into commercial products and market those products are fully subject to the CRA. The distinction lies not in the source code, but in commercial marketing.

Let's talk about your CRA readiness

Where does your product stand today against CRA requirements? Talk to Christian Gebhardt about a pragmatic starting point — SBOM inventory, PSIRT process and scope clarification as first steps.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.