More and more of what we use every day — devices, smart gadgets and equipment — are now connected to each other, the cloud and the internet. However, this also presents new security risks, which is why the European Union (EU) has introduced the Cyber Resilience Act (CRA) to define binding minimum standards for cybersecurity.
But what does this mean for manufacturers? What tasks do they face, what deadlines do they have to meet and what are the opportunities?
Which products and companies are affected by the CRA?
The CRA applies to all connected digital products — both hardware and software — for sale in the EU. The only exceptions are medical devices, vehicles and products developed for aviation, defense or national security purposes. Other, significantly stricter security requirements already exist for these products.
Implementing the security requirements of the CRA is primarily the responsibility of manufacturers. Importers and retailers, in turn, may only import compliant products into the EU or sell them there.
And if retailers market a product under their own name or brand, or make significant changes to the product, they are considered manufacturers with all the same obligations.
What is the timeline for implementing the CRA?
Manufacturers of connected products must comply with the CRA’s strict reporting obligations by 11 September 2026 and meet the cybersecurity requirements by 11 December 2027.
Neither deadline gives these manufacturers a lot of time. To create and implement a strong cybersecurity plan — from making secure products to maintaining product security through regular updates — requires many technical and organizational changes.
What are the new CRA reporting obligations?
- Manufacturers must report actively exploited vulnerabilities in their products and serious incidents with an impact on product security to the relevant authorities within 24 hours.
- Then, within 72 hours, they must share detailed information, including the type of weakness, how it is being exploited and what steps users can take to fix it.
- A final report on the vulnerability is due no later than 14 days after a patch or another fix becomes available.
- A final report on a security incident is due within one month of the initial notification.
Manufacturers must also inform users of the options they have to minimize the impact of a vulnerability or security incident, such as installing a security update or adjusting settings in the product configuration. Should a manufacturer fail to do this, authorities can step in and issue the warning themselves, if they deem it necessary.
What do the new cybersecurity requirements mean in practice?
Annex I of the CRA lists extensive requirements that all connected products sold in the EU from 11 December 2027 must meet.
For example, they must not have any known vulnerabilities and should offer the smallest possible attack surface, especially where they connect to networks, the internet or other devices.
Products must also come with a secure standard configuration and receive security updates to address vulnerabilities, and they need to include control mechanisms that prevent unauthorized access and the misuse or manipulation of data.
This approach is known as security by design and security by default. It means that manufacturers must pay attention to cybersecurity from the start of the product-development process and keep their products secure even after they are released onto the market. This goes hand in hand with risk management — identifying, evaluating and minimizing risk throughout the product lifecycle.
The CRA stipulates a 10-year product support period, but manufacturers should also take user expectations into account and, if necessary, support and update a product for longer.
If at any point a manufacturer becomes aware of vulnerabilities in its product, it must address them immediately. Patches or security updates must be made available free of charge.
Manufacturers also need to provide a contact address where users and third parties can report vulnerabilities or ask for information about known vulnerabilities. However, it is not enough to simply wait for such reports; manufacturers must also test their products regularly to detect any vulnerabilities. They also need to monitor their own software as well as frameworks, libraries and tools sourced from external providers. To do this, they must maintain a software bill of materials — a detailed inventory of all the software components in their products.
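As an added illustration (not from the article or from NTT DATA), the check below cross-references a constructed CycloneDX-style SBOM against constructed vulnerability records carrying placeholder IDs, and flags every component whose version falls inside an affected range. The version comparison is a simple dotted-numeric one written for this example, not a full semantic-versioning implementation.

```python
import json

# Constructed sample SBOM (CycloneDX JSON subset: name, version, purl).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
    {"type": "library", "name": "netstack", "version": "2.0.9", "purl": "pkg:generic/netstack@2.0.9"},
    {"type": "library", "name": "tlslite", "version": "3.1.0", "purl": "pkg:generic/tlslite@3.1.0"}
  ]
}"""

# Constructed vulnerability records with placeholder IDs: affected component,
# first affected version (inclusive) and the version that carries the fix (exclusive).
VULN_RECORDS = [
    {"id": "EXAMPLE-0001", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-0002", "name": "netstack", "introduced": "2.1.0", "fixed": "2.1.4"},
    {"id": "EXAMPLE-0003", "name": "tlslite", "introduced": "0", "fixed": "3.0.0"},
]

def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple; a trailing
    non-numeric suffix such as '-rc1' is ignored, missing parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version, record):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(record["introduced"]) <= v < parse_version(record["fixed"])

def find_affected_components(sbom_json, records):
    """Return (component, version, vuln id, fixed version) for each SBOM
    component that matches a record by name and sits in its affected range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        for rec in records:
            if rec["name"] == comp["name"] and is_affected(comp["version"], rec):
                hits.append((comp["name"], comp["version"], rec["id"], rec["fixed"]))
    return hits

if __name__ == "__main__":
    for name, ver, vid, fixed in find_affected_components(SBOM_JSON, VULN_RECORDS):
        print(f"{name} {ver}: affected by {vid}, fixed in {fixed}")
```

Run against the sample data, only libfoo 1.4.2 is flagged; netstack 2.0.9 predates the affected range and tlslite 3.1.0 already contains the fix.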
What are the penalties for noncompliance with the CRA?
If manufacturers violate the CRA — for example, by disregarding basic security requirements or missing reporting deadlines — they could face severe fines of up to €15 million or up to 2.5% of their global annual turnover. In serious cases, they could even face a sales ban.
Who checks products for CRA compliance?
For products that do not pose any major security risks, such as smartphones, notebooks, simple IoT devices or digital games, manufacturers can carry out the assessment in-house. They must document the tests and the technical details of their products, the security risks identified and the measures taken, and how any weaknesses are handled.
A strict conformity assessment procedure is prescribed for important products that perform security-relevant tasks and can affect other devices or endanger people.
- Class I products — such as operating systems, password managers, routers, internet-connected toys and wearables or smart home devices like cameras and alarm systems — can be tested by the manufacturer or a testing body.
- Class II products — including hypervisors and container runtime systems, firewalls and other security systems, and tamper-proof microcontrollers and microprocessors — must be tested externally.
In addition, high-risk products such as smart cards and smart meter gateways must be certified according to the appropriate European certification system.
What are the challenges of CRA implementation?
Both the tight timeframe and the technical and organizational changes associated with the CRA can be a challenge for manufacturers. It takes time, knowledge, people and money to identify risks, make security plans, change processes and find new solutions.
Moreover, the CRA is not the only cybersecurity regulation that manufacturers have to implement. Depending on the industry and product, the NIS2 Directive and the EU Machinery Regulation may also apply. The best strategy is to deal with cybersecurity in a structured way and align the regulatory requirements within a few coordinated projects. In this way, duplication, delays and unnecessary costs can be avoided.
However, CRA implementation also presents a valuable opportunity for manufacturers to develop an internal cybersecurity culture and increase their resilience to cyberthreats. Both actions increase customer confidence and help manufacturers to secure long-term competitive advantages.
Where do I start?
Manufacturers should answer the following key questions to determine whether they need to act and, if so, to assess the extent of the need for action:
- What measures have we already implemented to ensure compliance with the CRA?
- How do we ensure that all our products meet the minimum cybersecurity requirements?
- Do we have a complete overview of all vulnerabilities and security incidents in our products, and how do we deal with them?
- How do we ensure the security of our products throughout their lifecycle?
- Have we familiarized ourselves with the specific requirements of the CRA and assessed their impact on our existing security strategies?
- How do we currently handle vulnerability and security incident reporting?
How NTT DATA can help
NTT DATA supports manufacturers of connected products in every step of CRA implementation. We start with a gap analysis to identify any compliance gaps. Then we develop and implement specific measures to limit risk and cover all the CRA requirements.
We can integrate security solutions into existing systems, update processes and provide security awareness training to employees across departments. We can also manage these security solutions and offer security operations center (SOC) services to find and stop threats before they become a problem.
With our in-depth industry knowledge and extensive experience in cybersecurity and compliance projects, we can provide customized advice and tailor-made solutions. Manufacturers also receive everything from a single source, so no additional service providers need to be commissioned and coordinated.