The EU Cyber Resilience Act introduces a harmonized regulatory framework for the cybersecurity of certain products with digital elements. With a phased implementation, the CRA mandates secure-by-design and lifecycle resilience. For manufacturers, importers and distributors whose hardware and software product offerings interact with networks, the obligations are significant.

1. Determine organizational and geographical applicability

First, confirm whether your organization will be subject to the CRA. The regulation covers anyone who makes available or places certain products with digital elements on the EU market. This includes manufacturers, importers and distributors, including distributors located outside the EU. Even entities that substantially modify such products may be deemed manufacturers under the law. The CRA applies to hardware and software components that interact with a network, including laptops, industrial control systems, embedded firmware, smartphone apps, routers, microprocessors and more. Organizations engaging with any of these within the EU market may fall within scope.

2. Identify in‑scope products and categories

Once potential organizational applicability is confirmed, each product must be evaluated to determine if it falls under the CRA and, if so, how it should be classified. Digital products that are connected to devices or networks automatically qualify unless specifically exempted, such as certified aviation or medical devices. The CRA categorizes products into three tiers: default, important or critical. Approximately 90% fall into the default tier, which allows self-assessment. However, products in the important or critical categories — such as VPN systems, firewalls, routers, operating systems, security modules and intrusion detection systems — may require third-party certification depending on their classification. The European Commission will issue technical specifications further defining which products fall into each tier by December 2025.

3. Understand the essential cybersecurity requirements

The essential cybersecurity requirements set out in Annex I of the regulation are pivotal to the CRA. These requirements define the minimum technical and organizational controls that must be embedded into a product throughout its lifecycle.

Manufacturers must ensure that products are designed to minimize attack surfaces and resist known vulnerabilities. This includes secure-by-default configurations, mechanisms that allow vulnerabilities to be addressed through security updates, and controls that prevent unauthorized access. Products must be capable of ensuring data confidentiality, integrity and availability under normal conditions and foreseeable misuse.

Importantly, the CRA also requires products to allow users to easily, securely and permanently remove data and settings. Additionally, where data is transferable, it must be transferred to other products or systems in a secure manner.

By codifying these baseline controls, the CRA ensures that cybersecurity is not merely a reactive effort but a proactive design requirement. The burden is on manufacturers to prove that these principles have been meaningfully applied.

4. Ensure secure design, development and production

Cybersecurity must be embedded in all stages of product development. Products must be secure-by-design, secure-by-default and subject to lifecycle protection, e.g., via security patches when vulnerabilities are discovered. This requires secure coding practices, minimized attack surfaces, monitoring, logging and robust access controls. In addition, products need to be designed, developed and produced to reduce the impact of an incident by using appropriate exploitation mitigation mechanisms and techniques. All these measures must be documented via architecture reviews, build logs, secure testing evidence or quality assurance reports, as applicable.

5. Conduct product‑level cybersecurity assessments

Products in scope must undergo a cybersecurity assessment aligned with the CRA’s essential requirements. The results of these assessments must be properly documented and available to regulators upon request. This entails identifying vulnerabilities, mapping threat vectors, and evaluating or reviewing existing controls.

6. Establish a vulnerability management program

Beyond the technical aspects, manufacturers must implement organizational practices to comply with vulnerability handling. This includes keeping track of vulnerabilities and components, e.g., through a software bill of materials, and maintaining quality assurance controls through regular and effective tests or reviews to ensure the continued security of a product. These measures are not optional. They form the benchmark by which both internal assessments and third-party evaluations will judge a product’s compliance.

The CRA mandates that manufacturers maintain an effective vulnerability management program throughout a product’s expected lifecycle, which is a period determined by the manufacturer support period and lasting no less than ten years. Such a program may involve continuous vulnerability monitoring, coordinated disclosure processes, patch development, secure distribution methods, and verification following patches or updates. As of 11 Sept. 2026, any actively exploited vulnerability or serious incident must be reported to national computer security incident response teams and the EU Agency for Cybersecurity within 24 hours. This must be followed by more detailed reports within 72 hours and a full root‑cause analysis within one month. A mature program is essential to meet these deadlines under pressure.

7. Prepare the EU Declaration of Conformity

Each in‑scope product must be accompanied by an EU Declaration of Conformity, asserting compliance and demonstrated fulfillment of the essential cybersecurity requirements. The declaration draws upon a product’s technical documentation, which should describe the design, development and production of the product. This should include system architecture descriptions explaining how software components build on or feed into each other and integrate into the overall processing, as well as cybersecurity risk assessments, testing outcomes, vulnerability handling processes and, upon request, SBOMs. For default‑tier products, internal evidence suffices. However, important and critical products require third‑party verification prior to declaration.

8. Secure the supply chain

The CRA holds organizations accountable for the cybersecurity of sourced components. This includes hardware, firmware and software libraries. Manufacturers must conduct due diligence on suppliers, e.g., by requiring SBOMs or similar inventories of components that will be used in applicable products. Contracts should mandate compliance with CRA principles; periodic security audits or questionnaires should be implemented to assess and validate adherence to the CRA. Manufacturers are required to respond promptly to vulnerabilities in upstream dependencies. Importers and distributors are responsible for verifying that products they sell have a CE marking and are accompanied by technical documentation and declarations.

9. Prepare for certification and compliance audits

Unlike default products, important and critical products must undergo external conformity assessments by a notified body. Critical products require certification against a European cybersecurity scheme at "substantial" assurance levels. Important products, such as VPNs, firewalls and access management systems, require Type I or II certification.

A Type I product only needs an external conformity assessment if it does not meet the harmonized standards or has not obtained the European cybersecurity certification at the substantial assurance level. A Type II product will need to obtain either a European cybersecurity certification at the substantial assurance level or undergo an external conformity assessment. Notified bodies will scrutinize documents such as technical documentation, security plans and development methodologies to verify that specimens have been developed or manufactured in conformity with the technical documentation, and will carry out appropriate examinations and tests. Notified bodies are required to perform periodic audits under the conformity assessment procedures set out in Annex VIII. Audit processes, goals and decision requirements vary based on the product at issue, requiring careful review and understanding of the annex.

10. Affix the CE mark before market availability

The final step is to affix the CE mark to a product, signifying compliance with all applicable EU directives and regulations including the CRA. It should be visible on the product, its packaging or accompanying documentation. It should be legible and indelible. In cases where a notified body is involved in the conformity assessment procedure, the mark must be followed by the identification number of the notified body. The CE mark should only be applied once the full conformity process — technical documentation, Declaration of Conformity, and, where necessary, notified body certification — is complete. Misuse or premature marking risks regulatory enforcement, including fines or product withdrawal.

364 days to go

The CRA is a fundamental shift in product cybersecurity governance. Organizations that embed security early will avoid steep penalties and gain a competitive advantage through demonstrable resilience. While the deadlines may seem distant, the tasks are complex. Planning and execution must commence now.

To begin, conduct a gap analysis of your portfolio. Follow the steps above to implement cybersecurity requirements, vulnerability management and ensure supply chain security. Define clear development and incident response workflows. Engage with notified bodies early. When done properly, CRA compliance demonstrates legal conformity, but more importantly signifies trust and leadership in a digitally connected future.

Cheryl Saniuk-Heinig, CIPP/E, CIPP/US, is a former research and insights analyst at the IAPP.
Ana Bruder is a partner at Mayer Brown.