EU Cyber Resilience Act: What Software Manufacturers and Retailers Need to Know
The EU Cyber Resilience Act (CRA) is more than just another compliance requirement. It fundamentally changes how companies can develop, test, and bring digital products to market. Those who start preparing now have a significant advantage over competitors who wait until the last minute.
TL;DR
- All “products with digital elements” are affected: From IoT devices to software – if a network connection is present, the CRA applies.
- Security by Design becomes mandatory: Security must be built into development, not added later.
- 5-year support obligation: Manufacturers must provide security updates for at least 5 years or the expected product lifecycle.
- 24-hour reporting obligation: Actively exploited vulnerabilities must be reported to ENISA within 24 hours.
- Fines up to €15 million: Or 2.5% of global annual turnover.
What the CRA Regulates – and What It Doesn’t
The Cyber Resilience Act applies to all products that can be connected directly or indirectly to other devices or networks. This includes hardware with software, pure software, and SaaS (with limitations). Exceptions include open-source software without commercial use, medical devices (subject to their own regulatory regime), and automotive software.
Critical product classes face stricter regulation: Class I (e.g., password managers, browsers) must undergo a conformity assessment. Class II (e.g., firewalls, microcontrollers) requires independent certification by a Notified Body.
Specific Obligations for Manufacturers
Development: Implement a Secure Development Lifecycle (SDLC), threat modeling, security testing, and code reviews – not as an add-on, but as an integrated part of the development process.
Documentation: Technical documentation, Software Bill of Materials (SBOM), and declaration of conformity – all must be readily available to authorities.
Operation: Vulnerability monitoring, update management, and a coordinated vulnerability disclosure program (CVD/VDP). Actively exploited vulnerabilities must be reported and patched immediately.
Discontinuation: If a product exits support, users must be proactively informed and provided with clear migration paths.
Timeline and Next Steps
The CRA was proposed by the European Commission in September 2022. Following the EU legislative process, it is expected to enter into force in 2024, with a 36-month transition period – meaning full compliance will be required by approximately 2027.
Manufacturers should begin now: Conduct a gap analysis of current development practices, implement SBOMs across all products, and establish a formal vulnerability disclosure program. Though 36 months may sound generous, transforming an entire development lifecycle is a substantial undertaking – and time is already tight.
Key Facts at a Glance
Affected products in the EU: Approximately 400 million+ (Commission estimate)
Support obligation: At least 5 years or the expected product lifecycle
Reporting obligation for actively exploited vulnerabilities: 24 hours to ENISA
Maximum fine: €15 million or 2.5% of global annual turnover
Expected full application: 2027 (36 months after entry into force)
Fact: According to the Allianz Risk Barometer 2025, cyberattacks are the biggest business risk worldwide.
Fact: Only 43 percent of German SMEs have an IT emergency plan, according to Bitkom.
Frequently Asked Questions
Does the CRA apply to open-source software?
No – for non-commercial open-source projects. However, organizations that commercially distribute or integrate open-source software may fall under the CRA’s scope. Stewards of security-critical open-source projects face proportionally lighter obligations.
What is an SBOM and why is it important?
A Software Bill of Materials (SBOM) is a machine-readable inventory listing every component, dependency, and license in a software product. The CRA mandates SBOMs – and when vulnerabilities emerge, they enable rapid, precise impact assessment across the supply chain.
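As an added illustration of the impact-assessment use case above (example code, not from the article or any CRA guidance), the block below loads constructed, CycloneDX-style SBOMs for two hypothetical products and checks them against a constructed advisory; every product name, package, version and advisory id is invented.

```python
"""Added example: answer "which of our products ship the affected component?"
from SBOMs. SBOM documents and the advisory are constructed for this example."""
import json

# Constructed SBOMs (simplified CycloneDX JSON subset) for two hypothetical products.
SBOMS = {
    "gateway-fw": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libtls", "version": "1.4.2", "purl": "pkg:generic/libtls@1.4.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "jsonparse", "version": "2.0.1", "purl": "pkg:generic/jsonparse@2.0.1"},
    ]}),
    "admin-app": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libtls", "version": "1.6.0", "purl": "pkg:generic/libtls@1.6.0"},
        {"name": "jsonparse", "purl": "pkg:generic/jsonparse"},  # version missing in SBOM
    ]}),
}

# Constructed advisory: jsonparse from 2.0.0 up to (not including) the fixed 2.0.3 is affected.
ADVISORY = {"id": "ADV-EXAMPLE-0001", "package": "jsonparse",
            "introduced": "2.0.0", "fixed": "2.0.3"}


def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. '2.0.1' -> (2, 0, 1)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, advisory):
    """True when introduced <= version < fixed (a half-open range, as most advisories use)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def impacted_products(sboms, advisory):
    """Map product -> list of findings. A matching component with no recorded
    version cannot be cleared automatically, so it is flagged for manual review
    instead of being silently treated as unaffected."""
    findings = {}
    for product, doc in sboms.items():
        for comp in json.loads(doc).get("components", []):
            if comp.get("name") != advisory["package"]:
                continue
            version = comp.get("version")
            if version is None:
                findings.setdefault(product, []).append("version unknown: review manually")
            elif is_affected(version, advisory):
                findings.setdefault(product, []).append(version)
    return findings
```

Real advisories usually key on purl or CPE rather than a bare component name, so a production matcher should compare the purl type and namespace as well.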
Does the CRA apply to SaaS?
Generally yes – but with nuance. SaaS falls under the CRA if deployed as a component within critical digital products. Pure B2B SaaS offerings may qualify for exemptions – the final regulatory text will clarify these boundaries.
Who enforces CRA compliance?
National market surveillance authorities are responsible – in Germany, that’s the Federal Network Agency (Bundesnetzagentur). ENISA coordinates enforcement at the EU level and serves as the central point for vulnerability reporting.
What should a company do now?
Start with a gap analysis: Which products are in scope? Where are documentation, SBOMs, SDLC rigor, and vulnerability disclosure processes missing? Then build a realistic, milestone-driven project plan targeting full compliance by 2026-2027. Early action isn’t just prudent – it’s a strategic differentiator.