Cyber Resilience Act: What companies need to know now.
Failure to comply with the CRA can have serious consequences. Products that do not meet the prescribed requirements will no longer receive the CE marking and will therefore be unable to enter the European market. Companies may also face substantial fines. The CRA thus establishes a new standard for cybersecurity and encourages the entire industry to act promptly.
Why the CRA has been introduced.
Digital connectivity has increased rapidly in recent years. Whether sensors in production, gateways for OT environments, or everyday software applications – more and more products are communicating with each other and connecting to networks or the internet. However, these new possibilities have also increased the number of potential attack surfaces. IoT and OT devices, in particular, are often targeted by cyberattacks because they are delivered with insecure default settings or outdated protocols.
The EU aims to establish a uniform high level of protection with the Cyber Resilience Act. The goal is not only to enhance the security of digital products but also to strengthen the free movement of goods within the internal market.
What companies can expect under the CRA.
The CRA has been in force since December 2024. By 11 December 2027, all requirements must be implemented. Its core elements include:
- Mandatory security requirements throughout the entire product lifecycle
- Obligation to obtain CE marking as proof of CRA compliance
- Fines of up to 2.5 per cent of global annual turnover or 15 million euros
- Applies to all manufacturers, importers, and distributors – regardless of company location
CRA: New pressure for manufacturers.
The CRA requires that security aspects are considered from the very beginning. This includes:
- Security by Design and Security by Default
- Obligation to provide updates and patches
- Mandatory reporting of actively exploited vulnerabilities from September 2026
- Proof of compliance through declarations of conformity for CE marking
Manufacturers of IoT and OT devices, in particular, will need to adapt their processes and products to meet these new standards.
Small companies, big challenge.
For many small and medium-sized enterprises, implementation is a major undertaking. Although the EU provides some relief, such as simplified documentation and regulatory test environments, it will be difficult to meet the complex requirements in time without early preparation.
Our offer: We support companies in implementing the new requirements pragmatically. This includes gap analyses to identify existing security weaknesses, consulting on compliance with conformity requirements, and hands-on workshops to raise employee awareness. In addition, we provide secure product solutions developed according to the principles of Security by Design.
Conclusion: Act now – don’t wait.
You can find all details, specific obligations, and practical recommendations for action in our white paper “Cyber Resilience Act: New requirements for your digital products. What the CRA means for businesses and how you can prepare.” (White paper only available in German).