Part 1: The EU CRA - Key Points for Manufacturers
This blog series, divided into three parts, is designed to equip you with the knowledge and tools to prepare for the EU Cyber Resilience Act (EU CRA). It will delve into key areas of focus, actionable steps for compliance, potential implications, and how Periphery can assist you in navigating the complexities of the EU CRA.
The EU Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, is a new law that establishes mandatory cybersecurity requirements for nearly all connected products sold within the European Union. Adopted in October 2024 and applicable in full from December 2027, the CRA introduces a horizontal regulatory framework for products with digital elements (PDEs). This includes embedded systems, connected hardware, firmware, software platforms, and combinations thereof.
Unlike previous regulations that focused on sector-specific risk or data protection (like GDPR), the CRA is product-centric. Its purpose is to ensure that digital products entering the EU market are both secure by design and cyber resilient throughout their lifecycle. This effectively means that CE marking for many digital products will now explicitly include cybersecurity compliance.

The CRA applies to manufacturers, importers, and distributors, but the most substantial obligations fall on the original product manufacturer. In order to place a product on the EU market, manufacturers must perform a conformity assessment against a set of essential cybersecurity requirements laid out in Annex I of the regulation. Once compliance is demonstrated, the product can bear the CE marking, just as it would for electrical safety or environmental regulations.
For manufacturers, this fundamentally changes how products must be developed and maintained. Products must:
- Be designed with known cybersecurity risks in mind.
- Be shipped without exploitable vulnerabilities.
- Include secure default settings (e.g. no hardcoded credentials).
- Provide mechanisms for logging, access control, and data protection.
Additionally, the CRA introduces long-term post-market responsibilities: timely security updates must be provided for a support period of at least five years, and manufacturers must implement a coordinated vulnerability disclosure (CVD) policy, maintain a software bill of materials (SBOM), and report serious security incidents within 24 hours.
This creates a direct compliance burden for R&D and product teams, especially those unaccustomed to cybersecurity documentation, threat modelling, or incident handling. And while the CRA offers a 24-month grace period, many of its obligations (like vulnerability reporting to ENISA) come into effect as early as September 2026.
In practical terms, that means CRA readiness isn’t just a regulatory issue; it’s a product design and engineering challenge. Waiting until 2027 will not be viable for manufacturers planning to release or certify products from 2026 onward.