INSIGHTS | April 22, 2026

EU Cyber Resilience Act (EU CRA): What to Know and How IOActive Can Help

Overview

Cybersecurity regulation in the EU is shifting in a meaningful way. With the Cyber Resilience Act (CRA), the focus is moving upstream—from how organizations operate to how digital products are actually built and maintained. For manufacturers and software vendors, it changes what it means to bring a product to market in the EU.

The CRA aims to give consumers a consistent baseline of security across all products with digital elements, regardless of industry. These products now sit at the heart of critical infrastructure, industrial systems, and everyday life. Ongoing vulnerabilities, unclear software supply chains, and weak default settings have already proven expensive—and risky—for organizations.

What is the EU Cyber Resilience Act (CRA)?

The CRA sets mandatory cybersecurity requirements for any product with digital elements sold in the EU. At its core, it’s about making sure products are secure by design, secure by default, and supported throughout their lifecycle.

The regulation formally came into force on 10 December 2024. According to the European Commission, most requirements will apply from 11 December 2027, with vulnerability reporting obligations starting earlier, on 11 September 2026.

In practical terms, manufacturers are now responsible for their product’s security from initial design all the way through post-market support. That includes identifying and reducing risks, managing vulnerabilities, and delivering updates when needed.

The CRA works alongside other EU frameworks like GDPR and NIS2, but it tackles a different layer. GDPR is about protecting personal data. NIS2 focuses on organizational security. The CRA, on the other hand, is about the product itself—raising the baseline so that risks are reduced across the entire digital ecosystem.

Who does the EU Cyber Resilience Act affect?

Types of Organizations

The CRA applies to any organization selling digital products in the EU, regardless of where that organization is based, and touches a broad range of organizations, including:

  • Hardware manufacturers with connected or digital functionality
  • Software vendors offering commercial or enterprise solutions
  • Developers of embedded systems and firmware
  • Importers and distributors selling products under their own name in the EU

Non-EU companies are fully in scope if their products are sold in the EU. In many cases, responsibility is shared across the supply chain, which makes clear ownership and documentation essential.

Categories of Products

“Products with digital elements” covers a wide range of technologies, such as:

  • Connected devices (IoT, industrial systems, automotive, medical components)
  • Software (operating systems, applications, network services)
  • Hardware that depends on software or firmware for secure operation

The CRA distinguishes between standard and critical products, with stricter requirements for higher-risk categories. That distinction directly affects how much investment and assurance work is needed.

Inclusions and Exclusions

Most commercially distributed hardware and software fall within scope. Some non-commercial open-source projects may be excluded, but once software is used commercially, it’s generally covered. Products built solely for national security or defense are excluded.

A common mistake is assuming that third-party components or bundled software fall outside the regulation. In reality, many of these products are still covered.

What is required of organizations, and how can IOActive help?

Secure-by-Design and Default Practices

Security needs to be built in from the start. That means identifying risks early, reducing attack surfaces, and shipping products with secure default settings. Relying on perimeter defenses or fixing issues after release is no longer enough.

IOActive supports this with a structured Security Design Review process that evaluates:

  • Technology stacks
  • Known vulnerabilities
  • Potential design flaws
  • Data flows
  • Practical recommendations for improvement

Finding issues early not only improves security—it also reduces cost and avoids reputational damage down the line.

Vulnerability Discovery and Management

Organizations need a clear process for receiving vulnerability reports, assessing their impact, and fixing issues quickly. Reporting and disclosure are core requirements, and responsibilities don’t end at product launch.

IOActive has a long track record of identifying vulnerabilities in both software and hardware. Clients regularly rely on our teams to test new products and uncover risks before attackers do.

Product Lifecycle Accountability

Manufacturers are responsible for product security throughout its entire lifecycle. That includes providing updates and communicating clearly with users when issues arise. Unsupported products can quickly become both a compliance risk and a reputational risk.

IOActive helps organizations put structure around the full lifecycle—from design and development through testing, maintenance, and eventual decommissioning.

Supply Chain and Component Risk

Using third-party components doesn’t shift responsibility. You’re still accountable for the security of everything in your product. That makes supplier assurance, software bills of materials, and risk tracking much more important.

Modern supply chains are global and complex, often involving multiple vendors and regions. IOActive approaches this with an attacker’s mindset, combining research and real-world techniques to identify weaknesses across the entire stack—even down to the silicon level.

Governance and Documentation

Compliance isn’t just about doing the work—it’s about proving it. Organizations need clear documentation of their security processes, decisions, and risk management activities.

This pushes product security beyond engineering. It becomes a shared responsibility across product, security, legal, and compliance teams.

FAQs

Who will the EU CRA impact?

Any organization that sells products with digital elements in the EU, regardless of where it’s based.

When is an organization’s product considered in scope of the Cyber Resilience Act?

As soon as it’s placed on the EU market. Engaging early in the development process is the best way to ensure compliance.

What is considered a product with ‘digital elements’?

  • Connected devices (IoT, industrial, automotive, medical)
  • Software (OS, apps, network services)
  • Hardware relying on software or firmware

When will the CRA take effect?

According to the EU Commission, “The main obligations introduced by the Act will apply from 11 December 2027, with reporting obligations to apply as of 11 September 2026.”

What is the difference between “main obligations” and “reporting obligations”?

Main obligations are the core “secure-by-design” requirements—things that shape how a product is built, documented, and assessed before it goes to market.

Reporting obligations are about what happens when something goes wrong: the need to quickly notify the appropriate parties if there’s an active security breach or a newly discovered vulnerability.

Additional Resources