
The Cyber Resilience Act Isn’t Just Europe’s Problem

By Magda Kocot Mazur and Stephanie Van Ness

Many device manufacturers in the United States and Canada still assume the EU’s Cyber Resilience Act (CRA) is a European regulatory issue. 

It isn’t. 

It’s a global issue. Any company that sells products with digital elements into the EU market — regardless of where that company is headquartered — will be required to meet the CRA’s cybersecurity and lifecycle management requirements. 

This represents one of the most significant regulatory shifts affecting connected products in years.

Although the regulation applies in full only from 11 December 2027, preparation can't wait: the manufacturer's obligation to report actively exploited vulnerabilities and severe incidents applies earlier, from 11 September 2026. The CRA requires manufacturers to rethink how product security is addressed throughout the entire lifecycle, from architecture and development to vulnerability management and long-term maintenance.

In this blog, we want to clear up some common misconceptions about the Cyber Resilience Act.

Misconceptions About CRA

Only European companies need to worry about CRA

One of the most persistent misconceptions about the CRA is that it primarily concerns European manufacturers. In reality, the regulation applies to any company placing products with digital elements on the EU market, regardless of where the company is headquartered. That means device manufacturers in the United States and Canada, and everywhere else, are fully accountable if their products are sold in Europe. 

Only manufacturers are impacted

Not true. The regulation extends responsibility across the supply chain. The legal obligation to produce a Software Bill of Materials (SBOM) sits with the manufacturer, but a manufacturer cannot build an accurate one without component and version data from its third-party suppliers, so suppliers should expect to be asked for it contractually. For many organizations, especially smaller non-EU vendors, producing and maintaining accurate SBOMs and vulnerability tracking processes can be a significant challenge.

Importers and distributors are also explicitly assigned responsibilities, including verifying that documentation is complete and that products meet CRA requirements before entering the EU market.

Existing products are effectively “grandfathered in” 

Not quite. Products placed on the market before the CRA's date of application, 11 December 2027, fall outside its product requirements only as long as they are not substantially modified after that date. A substantial modification, for instance an update that alters functionality, the security architecture or the intended use, makes the modified product a new placement on the market and triggers a conformity assessment under the CRA. The vulnerability-reporting obligations apply to those legacy products regardless.

In practice, this means that maintaining or updating legacy devices could require revisiting fundamental, years-old design decisions, potentially including those involving security architecture or third-party components. For manufacturers with long product lifecycles, this can turn routine updates into significant, possibly disruptive compliance events.

CRA is just extra paperwork

This is perhaps the biggest misconception. CRA is not just about additional documentation – though there is a lot – but rather represents a cultural and technical shift toward a secure-by-design development model. 

Under CRA, manufacturers must integrate security into the entire product lifecycle, from design and development through maintenance and vulnerability handling. This includes practices such as threat modeling during the design phase, defining security controls as system requirements, establishing a security architecture before implementation, and enforcing secure coding and vulnerability management processes throughout development.

Where We See Companies Struggling Most with CRA Preparation

Many companies have heeded the call to get started on CRA compliance rather than waiting until the last minute. Although the CRA touches nearly every part of the product lifecycle, a few areas have emerged as the most difficult and time-consuming for device manufacturers to address. These include:

Building and maintaining accurate SBOMs

Many companies lack a complete inventory of the software components in their products, particularly when open-source libraries, embedded packages and third-party firmware are involved. The CRA expects an SBOM in a commonly used, machine-readable format that covers at least the product's top-level dependencies. Creating a reliable SBOM and keeping it continuously updated across product releases requires tooling, automation and disciplined engineering workflows that many organizations do not yet have in place.
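The following script, an added example that is not part of the original post, shows the minimum automation a release pipeline needs around an SBOM: it loads a CycloneDX JSON document, flags components that lack the name, version and package URL a reviewer needs to trace them, and diffs two releases so that added, removed and version-bumped components surface for review. It uses only the standard CycloneDX field names (bomFormat, specVersion, components, name, version, purl) and the Python standard library; the two SBOMs embedded below are constructed sample data, not a real product's inventory.

```python
"""Validate a CycloneDX SBOM and report component drift between releases.

Added example, not code from the original post. Field names follow the
CycloneDX JSON schema; the sample SBOMs are constructed for this script.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample: SBOM for firmware release 1.0 (complete entries).
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "mbedtls", "version": "2.28.4",
         "purl": "pkg:generic/mbedtls@2.28.4"},
        {"type": "library", "name": "lwip", "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
    ],
})

# Constructed sample: release 1.1 bumps mbedtls, drops zlib, adds cjson,
# and ships a vendor blob whose version and purl nobody recorded.
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "mbedtls", "version": "3.6.0",
         "purl": "pkg:generic/mbedtls@3.6.0"},
        {"type": "library", "name": "lwip", "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},
        {"type": "library", "name": "cjson", "version": "1.7.17",
         "purl": "pkg:generic/cjson@1.7.17"},
        {"type": "library", "name": "vendor-ble-stack"},
    ],
})

# Fields every component must carry to be traceable to an upstream
# package; the set is this example's policy, not a CRA-mandated list.
REQUIRED_FIELDS = ("name", "version", "purl")


def load_sbom(text: str) -> List[dict]:
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def validate(components: List[dict]) -> List[str]:
    """Return one finding per component that lacks a required field."""
    findings = []
    for comp in components:
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            label = comp.get("name", "<unnamed>")
            findings.append(f"{label}: missing {', '.join(missing)}")
    return findings


def index_by_name(components: List[dict]) -> Dict[str, str]:
    """Map component name -> version ('' when the version is absent)."""
    return {c["name"]: c.get("version", "") for c in components if c.get("name")}


def diff(old: List[dict], new: List[dict]) -> Tuple[List[str], List[str], Dict[str, Tuple[str, str]]]:
    """Return (added, removed, changed) component sets between two releases."""
    before, after = index_by_name(old), index_by_name(new)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {n: (before[n], after[n]) for n in set(before) & set(after)
               if before[n] != after[n]}
    return added, removed, changed


if __name__ == "__main__":
    v1, v2 = load_sbom(SBOM_V1), load_sbom(SBOM_V2)
    for finding in validate(v2):
        print("incomplete:", finding)
    added, removed, changed = diff(v1, v2)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Wire `validate` into the release gate so an SBOM with incomplete entries fails the build, and feed the `changed` and `added` sets into whatever vulnerability-tracking process the product security team runs; a version bump that nobody reviewed is exactly the kind of drift that turns up later as an unpatched component in the field.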

Implementing a secure development lifecycle 

The CRA effectively requires manufacturers to adopt a structured security process across development teams. For companies that historically treated cybersecurity as a post-release activity, introducing practices such as threat modeling, security architecture reviews, secure coding standards and vulnerability management requires both organizational and cultural change.

Retrofitting security into existing products

Legacy devices are often built on architectures that were not designed with modern security requirements in mind. Updating these systems to meet secure-by-design expectations, for example redesigning system components or updating communication protocols, is challenging without deep embedded development expertise and domain knowledge, which may not exist internally.

Establishing long-term vulnerability management processes

The CRA requires manufacturers to actively monitor, disclose and remediate vulnerabilities throughout a product's support period, which must be at least five years unless the product is expected to be in use for less. Setting up the infrastructure and operational processes to track vulnerabilities, issue security updates and meet the statutory notification deadlines (an early warning within 24 hours of becoming aware of an actively exploited vulnerability, with a fuller notification within 72 hours) is challenging for organizations lacking a formal product security program.

Don’t Procrastinate on Cyber Resilience Act Compliance

Addressing the myriad tasks required for compliance demands specialized software engineering, security architecture and tooling expertise. If that does not exist internally, teaming with experienced partners where needed can help device makers reach compliance without disrupting product roadmaps or slowing innovation.

We created a technical guide to walk device manufacturers through the key steps required for CRA compliance, from product security assessments and SBOM creation to secure development lifecycle implementation and vulnerability management planning. If you want to better understand what practical CRA preparation looks like, download our guide Compliance Essentials for Selling Products in the EU.