1. The Cyber Resilience Act (CRA) - What Manufacturers Are Facing
The Cyber Resilience Act (CRA) is one of the most far-reaching regulatory interventions by the EU in product development in recent years. For the first time, it explicitly defines cybersecurity as a mandatory product property. Legally, it is thereby placed on the same level as traditional requirements such as electrical safety or functional safety.
The legal basis is Regulation (EU) 2024/2847, in particular Articles 13 and 14 and the associated annexes.
For manufacturers, this means: Cybersecurity is no longer a voluntary add-on. Without demonstrable compliance with the CRA requirements, a product may no longer be placed on the EU market.
2. Why the Cyber Resilience Act Was Introduced
Digital functions are now an integral part of virtually all products. Machines, controllers, embedded systems, software, and cloud connections are networked, updatable, and often in use for many years. At the same time, security incidents, known vulnerabilities, and attacks are continuously increasing.
Until now, cybersecurity in the product context has often been:
- inconsistently regulated
- heavily dependent on voluntary measures
- difficult to verify
The CRA is intended to address this deficit. The goal is to establish a uniform, verifiable minimum level of cybersecurity for products with digital elements.
This objective runs through the entire legal act and is specifically realized in:
- Articles 5-10 (Scope and obligations)
- Article 13 (Obligations of manufacturers)
- Annex I (Essential cybersecurity requirements)
3. Which Products Are Affected by the CRA
The CRA applies to all products with digital elements as defined in Article 3(1). This includes hardware and software whose intended use requires a direct or indirect data connection.
Examples:
- Machines with control software
- Embedded systems
- Industrial PCs and gateways
- IoT and IIoT components
- Independently distributed software
The scope is intentionally broad. What matters is not the industry, but the digital functionality of the product.
Exceptions and special cases are governed by Article 2, but they do not change the fundamental principle: Digital products will be subject to regulatory cybersecurity requirements going forward.
4. Roles and Responsibilities Under the CRA
The CRA distinguishes three key market roles:
- Manufacturers (Article 13)
- Importers (Article 16)
- Distributors (Article 17)
Primary responsibility clearly lies with the manufacturer. They must ensure that the product:
- meets the requirements of Annex I
- is properly documented (Annex VII)
- is accompanied by user information (Annex II)
- is secured throughout its lifecycle
Importers and distributors have verification and due diligence obligations, but may not rely on mere assurances.
5. Key Obligations of the Cyber Resilience Act
The CRA consolidates its requirements into three major areas of obligation, each explicitly anchored in the legislation.
5.1 Product Requirements - Annex I, Part 1
The essential cybersecurity requirements for products are set out in Annex I, Part 1. They apply horizontally to all affected products, regardless of industry or technology.
Among other things, products are required to:
- be placed on the market without known exploitable vulnerabilities
- be delivered with secure default settings
- implement appropriate access controls
- protect confidentiality, integrity, and availability
- minimize attack surfaces
- enable security updates
The CRA explicitly does not demand absolute security, but rather a risk-based implementation. The benchmark is whether the security level is proportionate to the identified risks.
5.2 Vulnerability Management - Annex I, Part 2
Mandatory vulnerability management is regulated in Annex I, Part 2 and further specified by Article 13(8).
Manufacturers must establish a structured process that includes at minimum:
- Receiving vulnerability reports
- Assessment and prioritization
- Remediation and tracking
- Communication with users
- Coordinated disclosure
Additionally, reporting obligations to authorities apply under Article 14, particularly for actively exploited or severe vulnerabilities.
These obligations become binding as of September 11, 2026.
5.3 Documentation and User Information - Annex VII and Annex II
Cybersecurity must not only be implemented but also be demonstrable. The CRA explicitly regulates this in two annexes:
- Annex VII: Technical documentation
- Annex II: Product-accompanying user information
The technical documentation must include, among other things:
- a description of the product
- the risk analysis performed
- security measures implemented
- evidence of compliance with Annex I
User information must contain clear instructions for secure use, configuration, and maintenance.
Without this documentation, CE marking is not legally permissible.
6. Standards, Product Classes, and Timeline
The CRA references harmonized standards pursuant to Article 27, which concretize the requirements from Annex I.
A distinction is made between:
- Type-A standards: General principles
- Type-B standards: Product-agnostic requirements (e.g., vulnerability management)
- Type-C standards: Product-specific requirements
The timeline is derived from Article 71:
- Entry into force of the regulation: 2024
- Application of reporting obligations: September 11, 2026
- Full application: December 11, 2027
7. How Complioty Supports CRA Implementation
The CRA does not require a single document, but rather a consistent system that connects requirements from multiple articles and annexes. This is exactly where Complioty comes in.
7.1 Notifier - Vulnerability Management per Annex I, Part 2 and Article 14
The Notifier supports manufacturers in implementing the requirements from:
- Annex I, Part 2 (Vulnerability Handling)
- Article 14 (Reporting obligations)
It provides a public reporting channel, supports structured workflows for handling vulnerabilities, and records every step in a tamper-evident, audit-ready manner. This makes vulnerability management CRA-compliant and auditable.
7.2 Designer - Risk Management as the Foundation of Annex I
The Designer addresses the implicit core requirement of the CRA: the risk analysis upon which all requirements from Annex I, Part 1 are based.
Manufacturers can:
- Model product architectures
- Systematically analyze threats
- Assess and prioritize risks
- Document measures
This creates a robust foundation for meeting product requirements.
7.3 Documenter - Documentation per Annex VII and Annex II
The Documenter supports the creation and maintenance of:
- Technical documentation in accordance with Annex VII
- User information in accordance with Annex II
Documents are created continuously along the product lifecycle and remain consistent, up-to-date, and auditable.
8. Conclusion
The Cyber Resilience Act makes cybersecurity a legally verifiable product property. The requirements are clearly structured and explicitly anchored in the legislation:
- Product requirements: Annex I, Part 1
- Vulnerability management: Annex I, Part 2
- Documentation: Annex VII and II
Manufacturers must not only implement security but also be able to demonstrate that they have it under control. Complioty helps implement these requirements systematically, traceably, and practically - throughout the entire product lifecycle.