EU Cyber Resilience Act from 2026: What CISOs Must Check When Purchasing Digital Products
The EU Cyber Resilience Act (CRA) has been in force since December 10, 2024. Reporting obligations take effect in September 2026, and by December 2027, all digital products on the EU market must meet full security requirements. For CISOs, this changes not only their own compliance landscape but the entire procurement logic: no CE marking without cybersecurity proof, no access to the EU market without a conformity declaration.
TL;DR
- 🔒 The CRA is an EU regulation directly applicable in all member states. No national transposition required (unlike NIS2).
- ⚠️ From September 11, 2026: Mandatory reporting of actively exploited vulnerabilities to ENISA within 24 hours.
- 🛡️ From December 11, 2027: Full compliance required. Products without a CRA-compliant CE mark cannot be sold in the EU.
- 📊 Fines: up to 15 million Euro or 2.5 percent of global annual turnover.
- 🔧 CISOs need new procurement criteria: conformity declaration, SBOM, support duration, update policy.
What the CRA Regulates
The CRA applies to all “products with digital elements” – hardware and software placed on the EU market, regardless of whether the manufacturer is based in the EU. An IoT sensor from Shenzhen, a VPN client from California, and a firewall from Munich are all subject to the same rules.
The law distinguishes three classes. Standard products (the majority) can be certified via self-assessment. Class I products (including password managers, VPN tools, web browsers, smart home devices, and operating systems) are subject to stricter procedures. Class II products (firewalls, intrusion detection systems, tamper-proof microprocessors) require third-party assessment by a notified body.
Exemptions include non-commercial open-source software, medical devices, vehicles, and products for national security. Everything else that is digital and commercially distributed falls under the CRA.
The Five Core Obligations for Manufacturers
1. Secure by Design and Default. Cybersecurity must be integrated from the start of development: no weak default passwords, a minimized attack surface, and encryption of stored and transmitted data. Automatic security updates must be supported.
2. Vulnerability Management and SBOM. Manufacturers must create a Software Bill of Materials (SBOM). Important nuance: publishing the SBOM is not mandatory. It serves internal vulnerability management and must be provided upon request by market surveillance authorities. In addition, a process for coordinated vulnerability disclosure must be established.
3. Reporting Obligations from September 2026. In case of actively exploited vulnerabilities, manufacturers must send an early warning to ENISA within 24 hours. A detailed report must follow within 72 hours, and a final report is due after 14 days.
4. CE Marking for Cybersecurity. No CE marking without CRA compliance. No CE marking, no access to the EU market. Manufacturers must issue an EU Declaration of Conformity. Importers must retain this document for ten years.
5. Minimum of Five Years of Security Updates. Manufacturers must communicate the end-of-support date and provide free security updates throughout the entire support period.
“The CRA changes the rules of the game for the entire EU digital market. For the first time, cybersecurity becomes a prerequisite for the CE marking of digital products.”
BSI (Federal Office for Information Security), information page on the Cyber Resilience Act
What CISOs Must Change in Procurement Now
The CRA binds not only manufacturers but all economic actors along the supply chain. For CISOs and IT procurement, this means procurement criteria need updating.
Seven questions procurement must ask starting in 2026:
1. Is there an EU Declaration of Conformity (DoC) for the CRA?
2. Is the CE marking present and related to CRA requirements?
3. How long is the declared support period? What happens at end-of-support?
4. Is an SBOM available (on request)?
5. Which conformity assessment route was chosen?
6. Is there a documented process for coordinated vulnerability disclosure?
7. Does the manufacturer have a policy for automatic security updates?
Procurement contracts should explicitly include CRA conformity proofs, update obligations, and end-of-support agreements. The CRA sets the standard for what constitutes a product defect.
Distinctions: CRA, NIS2, DORA, and AI Act
The CRA regulates products prior to market authorization. NIS2 regulates organizations during ongoing operations. DORA regulates financial institutions and their ICT providers. The AI Act regulates AI systems by risk class. CRA and NIS2 can apply simultaneously.
Conclusion: Cybersecurity Becomes a Market Access Requirement
The CRA makes cybersecurity the gatekeeper to the EU market. No CE marking without security proof, no marketing without a conformity declaration, no actively exploited vulnerability without a report within 24 hours. Reporting obligations begin as early as September 2026. Anyone who waits until then faces a timing problem.
Frequently Asked Questions
Does the CRA apply to software?
Yes. The CRA covers all “products with digital elements,” including both hardware and software. Non-commercial open-source software developed without profit motive is exempt.
Must the SBOM be published?
No. The SBOM must be created and made available upon request by market surveillance authorities. Mandatory public publication is not required.
What happens in case of non-compliance?
Fines of up to 15 million Euro or 2.5 percent of global annual turnover. In addition, market surveillance authorities may prohibit distribution or order product recalls. In Germany, the BSI (Federal Office for Information Security) is responsible.
How are CRA and NIS2 related?
The CRA regulates products (prior to market entry), while NIS2 regulates organizations (during operations). Both can apply simultaneously.
What must CISOs do by September 2026?
Update procurement criteria, assess existing suppliers for CRA readiness, and amend procurement contracts to include conformity proofs and update obligations.