The EU Cyber Resilience Act (CRA) represents a major shift in how cyber security is regulated across the European Single Market. It entered into force on 10 December 2024, with main obligations applying from 11 December 2027 and reporting obligations from 11 September 2026.

The Act introduces legally binding cybersecurity requirements for products with digital elements placed on the EU market. Unlike voluntary standards, the CRA establishes enforceable obligations covering the entire product lifecycle from design and development through deployment, maintenance, and end of life.

At its core, the CRA aims to reduce vulnerabilities in digital products, improve transparency around cybersecurity practices, and establish clear accountability for organisations that design, manufacture, import, or distribute connected technologies. Cyber security is no longer solely an IT function. It is now a product safety, governance, and regulatory obligation.

Scope and applicability

The CRA applies broadly to products with digital elements placed on, or made available in, the EU market, including:

  • software sold in executable or downloadable form;
  • embedded software in devices;
  • network equipment;
  • industrial control systems; and
  • other digital and digitally enabled products placed on, or made available in, the EU market.

The Act also applies to products that rely on third-party components if the overall product has digital functionality.

Importantly, obligations are based on market placement, not corporate location. Manufacturers inside or outside the EU must comply if their products are sold in the EU. Responsibilities also extend to other economic operators, including authorised representatives, importers, and distributors, each with defined duties around compliance, documentation, and market oversight.

Key requirements

Firms must demonstrate that their products meet baseline cyber security requirements, which include:

  • designing and developing products to minimise security vulnerabilities;
  • addressing known vulnerabilities before market placement; and
  • maintaining robust processes for vulnerability detection, reporting, and remediation once products are in use.

Cyber security must be integrated across the product lifecycle, including design, testing, deployment, maintenance, and end of life. One-off assessments are insufficient; firms must maintain documented governance and monitoring so that they can respond promptly to emerging risks.

Obligations across the supply chain

Economic operators who are not manufacturers also have responsibilities. Importers and distributors must ensure products comply with the Act and carry appropriate documentation. Authorised representatives act as the legal contact for non-EU manufacturers and verify that products meet regulatory requirements.

The CRA introduces a framework for conformity assessments and technical documentation. Products that pose a higher cyber security risk may require third-party assessment by a recognised body.

All regulated products must be supported by technical documentation demonstrating compliance, including evidence of risk assessment, secure-by-design measures, and vulnerability management processes.

Firms must also consider their software bill of materials (SBOM), logging and monitoring practices, secure update mechanisms, and coordinated vulnerability disclosure (CVD) processes.

Vulnerabilities must be classified, addressed, and communicated in accordance with defined standards, and security updates must be provided promptly and transparently.

Enforcement and supervision

Enforcement and supervision under the Act will be carried out by national market surveillance authorities in each EU Member State. Authorities have powers to request documentation, conduct inspections, require corrective actions, and impose penalties for non-compliance.

Although the official application dates vary by product category and risk classification, firms should not defer planning until the final enforcement timelines. In practice, obligations around secure-by-design practices, documentation readiness, governance structures, and supply-chain visibility require time to implement effectively. Early engagement will help firms avoid last-minute remediation when formal enforcement begins.

The CRA also influences procurement, vendor risk frameworks, and contractual obligations. Larger enterprises and regulated entities are already introducing CRA-aligned requirements into supplier assessments. Public sector tenders and cross-border contracts are likely to reference CRA expectations as baseline cyber security standards.

The CRA forms part of a broader EU regulatory framework focused on digital resilience. It operates alongside measures such as the Digital Operational Resilience Act (DORA), which applies to financial services, and the Network and Information Systems Directive (NIS2), which applies to essential and important entities. Together, these frameworks reinforce expectations around accountability, resilience, and transparency in cyber risk management.

Practical steps for CRA readiness

Assess product scope

  • Identify products within CRA scope.
  • Understand third-party components and their impact on product risk.

Governance and accountability

  • Assign clear ownership for product cyber security, including senior executive accountability.
  • Embed security roles and responsibilities into development and risk structures.

Secure design practices

  • Incorporate threat modelling, secure coding standards, and security testing into development lifecycles.
  • Build processes for early identification and mitigation of vulnerabilities.

Documentation and evidence

  • Prepare technical documentation, including risk assessments, SBOMs, and security testing results.
  • Ensure artefacts are audit-ready ahead of enforcement.

Vulnerability management and disclosure

  • Establish formal processes to receive, triage, and respond to vulnerability reports.
  • Develop patching and update mechanisms that align with CRA expectations.

Supplier and third-party oversight

  • Update vendor risk frameworks to reflect CRA requirements.
  • Include cyber security requirements in contracts with suppliers and technology partners.

Market and contractual readiness

  • Engage with customers and buyers on CRA expectations and evidence needs.
  • Prepare for due diligence questionnaires and procurement requirements.

Final thoughts

The EU Cyber Resilience Act represents a significant evolution in how cyber security risk is regulated for digital products in the EU market. Firms should act now to assess their exposure, embed resilient practices into their product lifecycles, and build the governance and evidence base necessary to demonstrate compliance. Early action will not only reduce regulatory risk but also support resilience, trust, and competitive differentiation in an increasingly cyber-aware marketplace.

How fscom can help

fscom helps firms understand how the Cyber Resilience Act applies to their products, supply chains, and operating models. We support organisations in strengthening product cyber security governance, embedding secure-by-design practices, and developing the technical documentation and evidence required to demonstrate compliance. From vulnerability management and SBOM readiness to supplier oversight and regulatory assurance, fscom works with firms to build resilient, audit-ready frameworks ahead of CRA enforcement deadlines.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.