What the CRA requires and when it applies
The Cyber Resilience Act is an EU regulation. It applies directly and uniformly across all Member States from 11 December 2027, without national transposition. Reporting obligations for actively exploited vulnerabilities take effect from 11 September 2026.
The CRA covers products with digital elements: hardware and software that connect to a network or to another device. Consumer devices, industrial equipment, enterprise software and embedded systems all fall within scope. Two product tiers attract different conformity assessment requirements, with higher-risk products requiring independent third-party assessment.
Manufacturers, importers and distributors all carry obligations under the CRA, though they differ. An importer that places a product on the EU market carries responsibility for ensuring the manufacturer has met the essential requirements. A distributor that modifies a product becomes the manufacturer for the purposes of the regulation.
What compliance requires
Four areas define the substantive obligation.
- Secure design: Products must meet essential cybersecurity requirements from the design stage, covering vulnerability identification, secure default configurations, data minimisation and protection against unauthorised access. For existing product lines, meeting these requirements may involve material changes to the development process and to the product itself.
- Vulnerability handling: Manufacturers carry an ongoing obligation to address and disclose vulnerabilities throughout the product's supported life. The regulation sets a minimum support period. A coordinated vulnerability disclosure policy must be established and maintained. This is a standing operational commitment that continues well beyond product launch.
- Conformity assessment: Before placing a product on the EU market, manufacturers must demonstrate that it meets the essential requirements. The method depends on the product tier: Class I and Class II products require progressively more rigorous assessment. The CE marking is the visible output, but the evidence base behind it is substantive.
- Supply chain: Manufacturers are responsible for the cybersecurity of components and dependencies they integrate. Where a component introduces a vulnerability, the product manufacturer carries accountability for addressing it. Supply chain assessment is part of the conformity process.
What boards need to address before December 2027
The December 2027 deadline is close for organisations with complex product portfolios. Bringing existing products into compliance requires design and development work, supply chain assessment and conformity preparation. Each of these takes time, and that time is already running. An organisation that treats the CRA as a 2027 problem will face it as a 2026 resourcing and prioritisation decision.
The investment sits in product budgets and R&D, alongside existing roadmap commitments. Boards need to understand which products are in scope, which require the most significant changes, and whether the compliance and conformity timeline is achievable within those commitments. The reporting obligation for actively exploited vulnerabilities begins in September 2026, which arrives before the main compliance deadline and requires operational readiness well in advance.