EU Cyber Resilience Act Redefines How Products Are Developed
The EU Cyber Resilience Act (CRA), which sets mandatory cybersecurity requirements for software-driven products, is changing the way products are designed, developed and maintained. Created to strengthen trust in digital products and reduce security risks across the EU, the CRA applies to all manufacturers, importers and distributors selling hardware, embedded systems or software-enabled devices into the EU market – even companies based outside the EU.
What Products Are Impacted by the CRA?
The CRA affects nearly every product with software or “digital elements.” Products that contain software or firmware, use digital communications or have a USB port are in scope. There are, however, exclusions for products that are already governed by other EU regulations, such as medical devices, motor vehicles, civil aviation, marine equipment, national security and defense.
Under the CRA, these products now carry an expectation of Secure by Design/Default, risk management (throughout the lifecycle), free vulnerability monitoring/management and demonstrable compliance. Cybersecurity applied as an afterthought, especially to products with internet connectivity, risks substantial penalties.
If you are selling products in the EU, you will need to embed security throughout design and development, track all software components and third-party dependencies, and maintain vulnerability management processes and update mechanisms for your product’s full lifecycle. Requirements also extend to notifications and communications with regulators, customers and security agencies.
Medical Devices Have Distinct Security Requirements
Medical devices covered by the EU Medical Device Regulation (MDR) are exempt from the CRA because they already fall under dedicated medical cybersecurity/safety rules. This includes devices such as connected pacemakers, imaging systems and insulin pumps.
However, components within those devices, for example secure operating systems, may still fall under the CRA if sold as standalone products with digital elements.
Steep Penalties Make Compliance Non-Negotiable
Compliance is complex, but non-compliance can have a tremendous business impact. Consequences can include market bans, mandatory recalls and fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. When added to the damage to your brand’s reputation for failing to ship a secure product, the case becomes compelling for compliance with the CRA throughout the product lifecycle.
The Clock Is Ticking – It’s Time to Prepare
Early CRA reporting requirements begin in September 2026, and the full suite of compliance obligations becomes mandatory by December 2027. Meeting these requirements will influence your decisions about product roadmaps, supply chain management and market expansion strategies. Your products will need more structured security practices, stronger supply chain oversight and demonstrable evidence of secure design and maintenance.
Full compliance by December 2027 applies to existing products as well as new ones. Timelines need to allow for implementation of security controls, which may include hardware changes (for encryption-enabled processors, secure operating systems and Secure Boot), software changes (securing data at rest and in transit), and organizational changes (for regulatory compliance documentation).
Most product development cycles that involve changes to the hardware and/or software easily span 18 months from design to final product production. Delaying can result in loss, suspension or invalidation of CE marking.
Your Guide to CRA Readiness
Proactive planning and a clear understanding of CRA expectations can make the transition smoother and turn compliance into a market differentiator rather than a burden. For a practical roadmap, we’ve put together this helpful resource – Compliance Essentials for Selling Products in the EU – which outlines many of the key tasks product owners should address to stay ahead of enforcement.
Need more customized insight? Our regulatory specialists are available to help you establish a compliance plan tailored to your organization, while our secure-product development experts can help you create devices that fully meet these new standards. If you’d like assistance regarding CRA compliance, get in touch.