Cyber Resilience Act: what changes for digital products from 11 September 2026


The Cyber Resilience Act, Reg. (EU) 2024/2847, is the first European regulation on the cybersecurity of products with digital elements. It entered into force on 10 December 2024 and will become fully applicable on 11 December 2027.

The first operational deadline, however, is much closer: on 11 September 2026 the obligation to report vulnerabilities and incidents under Art. 14 becomes applicable.

The obligation also applies to digital products already placed on the market before that date.

Ing. Antonio Gargasole


Expert consultant in non-food product compliance.

20 years of direct experience in European Large-Scale Retail.

I help companies prevent risks and penalties.

The Cyber Resilience Act is the new EU Regulation on the cybersecurity of digital products. It is already in force, but will become fully applicable only on 11 December 2027.

The first operational deadline, however, is much closer: 11 September 2026, and it also affects products already on the market.

What is the Cyber Resilience Act

The Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), is the first European regulation to impose horizontal cybersecurity requirements on all digital products sold in the Union. It was adopted on 23 October 2024, published in the Official Journal of the EU on 20 November 2024 and entered into force on 10 December 2024.

The objective is twofold: to reduce the number of vulnerabilities in connected products and to ensure that purchasers have clear information on how to use them safely and on how long security updates will be provided.

Which products are covered

The CRA applies to “products with digital elements” (PDEs). The definition is deliberately broad: any hardware or software product that, directly or indirectly, connects to another device or to a network falls within the scope.

In practice, this includes categories such as:

  • smart lighting and connected LED strips;
  • Wi-Fi air conditioners and household appliances (washing machines, refrigerators, ovens);
  • smart locks and alarm systems;
  • home video surveillance cameras;
  • robot vacuum cleaners;
  • smartwatches and fitness trackers;
  • smart speakers;
  • internet-connected toys;
  • home routers and modems;
  • software sold separately such as antivirus or password managers.

The Cyber Resilience Act does not apply to:

  • medical devices;
  • motor vehicles;
  • aeronautical and maritime equipment;
  • pure cloud services (SaaS, PaaS, IaaS), which are governed by the NIS 2 Directive;
  • free and open-source software not supplied in the course of a commercial activity.

Attention: this also applies to products already on the market!

The obligation to report vulnerabilities and incidents under Art. 14 of the CRA also applies to digital products already placed on the EU market before 11 September 2026.

In practice, even if a connected product was designed and sold before the CRA, as long as it is still in the catalogue it will be necessary, from 11 September 2026, to notify the European authorities of any security issue affecting it, within very tight deadlines.

Who is subject to the obligations

The CRA identifies three roles with different responsibilities.

The manufacturer bears primary responsibility: it designs the product to be secure from the outset, manages vulnerabilities throughout its life cycle, draws up the technical documentation, affixes the CE marking and provides information to the user.

The importer verifies upstream that the manufacturer has carried out the conformity assessment, drawn up the documentation and affixed the CE marking. The importer must indicate its own contact details on the product and keep the EU Declaration of Conformity for ten years.

The distributor exercises formal due diligence: it verifies the presence of the CE marking and of the documentation before placing the product on the market.

What the manufacturer must do

Manufacturer obligations are grouped into four areas.

  • Design: the product must be placed on the market without known exploitable vulnerabilities and with a secure configuration by default.
  • Life cycle: the manufacturer must provide free security updates for a “support period” of at least five years (except where the expected product lifetime is shorter), compile a software bill of materials (SBOM) and designate a single point of contact for vulnerability reports.
  • Documentary conformity: technical documentation, conformity assessment, EU Declaration of Conformity, CE marking and user instructions.
  • Reporting to authorities: the area that becomes operational first, on 11 September 2026.

CRA deadlines

  • 10 December 2024: the CRA enters into force.
  • 11 June 2026: notified bodies become operational.
  • 11 September 2026: the obligation to report vulnerabilities and incidents starts to apply (Art. 14).
  • 11 December 2027: the Regulation becomes fully applicable.

What happens on 11 September 2026

From 11 September 2026, manufacturers of digital products will need to be able to notify European authorities of two types of events.

The first is an actively exploited vulnerability: a defect in the product that someone is already using to breach the security of its owner.

The second is a severe incident having an impact on the security of the product: a compromise of the manufacturer’s internal processes, for example of the firmware update distribution channel, that may put users at risk.

In both cases, Art. 14 sets very tight deadlines:

  • within 24 hours of becoming aware of the event: the manufacturer sends an early warning;
  • within 72 hours: a structured notification containing the initial assessment and the corrective measures under way;
  • within 14 days of the patch becoming available: a final report for vulnerabilities; within 1 month for severe incidents.

Notifications are sent to the single reporting platform managed by ENISA (the EU Agency for Cybersecurity), which forwards them to the national CSIRTs. The platform becomes operational on 11 September 2026.
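The three-step timeline above, together with the "minimum internal incident response process compatible with the 24-hour and 72-hour deadlines" recommended later in this article, is easy to get wrong in practice because the final-report clock runs from a different starting point for each event type. The following Python module is an added example written for this page; it is not code from the article or from any regulatory body. It models the two reportable events, computes when each notification is due, and classifies each step as pending, overdue, done or late at a given moment. All dates are constructed samples, and the "1 month" limit for the final incident report is modelled as 30 days, which is an assumption of this example rather than a figure the article gives.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class EventType(Enum):
    ACTIVELY_EXPLOITED_VULNERABILITY = "vulnerability"
    SEVERE_INCIDENT = "incident"


# Time limits as the article states them for Art. 14. "1 month" for the final
# incident report is modelled as 30 days here: an assumption of this example,
# not a figure the article gives.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT_VULNERABILITY = timedelta(days=14)   # counted from patch availability
FINAL_REPORT_INCIDENT = timedelta(days=30)        # counted from awareness


@dataclass
class ReportableEvent:
    event_type: EventType
    aware_at: datetime                              # when the manufacturer became aware
    patch_available_at: Optional[datetime] = None   # vulnerabilities only
    submitted: Dict[str, datetime] = field(default_factory=dict)  # step -> time sent


def deadlines(ev: ReportableEvent) -> Dict[str, Optional[datetime]]:
    """Due time of each reporting step; None if that clock has not started yet."""
    due: Dict[str, Optional[datetime]] = {
        "early_warning": ev.aware_at + EARLY_WARNING,
        "notification": ev.aware_at + NOTIFICATION,
    }
    if ev.event_type is EventType.SEVERE_INCIDENT:
        due["final_report"] = ev.aware_at + FINAL_REPORT_INCIDENT
    elif ev.patch_available_at is not None:
        due["final_report"] = ev.patch_available_at + FINAL_REPORT_VULNERABILITY
    else:
        due["final_report"] = None   # the 14-day clock only starts once a patch exists
    return due


def status(ev: ReportableEvent, now: datetime) -> Dict[str, str]:
    """Classify each step: done, late (sent after due), overdue, pending, not_started."""
    out: Dict[str, str] = {}
    for step, due in deadlines(ev).items():
        sent = ev.submitted.get(step)
        if due is None:
            out[step] = "not_started"
        elif sent is not None:
            out[step] = "done" if sent <= due else "late"
        elif now > due:
            out[step] = "overdue"
        else:
            out[step] = "pending"
    return out


def hours_after(ev: ReportableEvent, hours: float) -> datetime:
    """A clock reading `hours` after the manufacturer became aware of the event."""
    return ev.aware_at + timedelta(hours=hours)


def sample_vulnerability() -> ReportableEvent:
    """Constructed sample: exploited vulnerability, early warning sent at +20h, no patch yet."""
    aware = datetime(2026, 9, 15, 9, 0, tzinfo=timezone.utc)   # constructed date
    return ReportableEvent(
        EventType.ACTIVELY_EXPLOITED_VULNERABILITY,
        aware,
        submitted={"early_warning": aware + timedelta(hours=20)},
    )


def sample_incident() -> ReportableEvent:
    """Constructed sample: severe incident, nothing submitted yet."""
    return ReportableEvent(
        EventType.SEVERE_INCIDENT,
        datetime(2026, 10, 1, 14, 30, tzinfo=timezone.utc),   # constructed date
    )


if __name__ == "__main__":
    for ev in (sample_vulnerability(), sample_incident()):
        print(ev.event_type.value, status(ev, hours_after(ev, 80)))
```

Running the module shows the vulnerability case with its early warning done, its 72-hour notification already overdue and its final report not yet scheduled because no patch exists; the incident case, by contrast, has all three clocks running from the moment of awareness. An internal process built around these states gives the single point of contact a concrete list of what is due next, which is the practical core of being "compatible with the 24-hour and 72-hour deadlines".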

Penalties

Art. 64 of the CRA provides for severe penalties: up to EUR 15 million or 2.5% of the worldwide annual turnover, whichever is higher, for breaches of the most serious obligations, including reporting obligations.

It should be noted that the full penalty regime becomes enforceable from 11 December 2027, with the general application of the Regulation. In the meantime, there remains exposure to civil liability towards customers, significant reputational risk and the ordering powers of the market surveillance authorities.

How to get ready

Priority actions:

  • map the catalogue to identify which products fall within the definition of PDE;
  • designate a single point of contact (SPOC) for vulnerability reports;
  • set up a minimum internal “incident response” process compatible with the 24-hour and 72-hour deadlines;
  • start reviewing the technical file in a CRA perspective, in view of the full application from December 2027.

Frequently Asked Questions (FAQ)

Does a Wi-Fi product fall within the Cyber Resilience Act?

Most likely yes. The definition of product with digital elements (PDE) under Art. 3 of Reg. (EU) 2024/2847 is deliberately broad and covers any hardware or software product that connects to a network, even indirectly. The Cyber Resilience Act therefore covers smart lighting, Wi-Fi household appliances, home cameras, smartwatches, connected toys, home routers and many other consumer categories.

Does software sold in the cloud (SaaS) fall within the CRA?

No. Pure cloud services (SaaS, PaaS and IaaS) are governed by the NIS 2 Directive and not by the CRA. The Cyber Resilience Act does cover the software installed on the product and software sold separately as a stand-alone product (for example antivirus, password managers, updatable firmware).

Do the CRA obligations also apply to products already in the catalogue?

The obligation to report vulnerabilities and incidents under Art. 14 of the CRA also applies to digital products already placed on the market before 11 September 2026, under Art. 69(3) of the Regulation. The other obligations (technical documentation, “cyber” CE marking, EU Declaration of Conformity) apply instead only to products placed on the market from 11 December 2027.

Does the CRA replace the cybersecurity requirements for radio equipment (RED Delegated Reg. 2022/30)?

Over time, yes. During the transition phase the two regimes coexist; from 11 December 2027 the Cyber Resilience Act absorbs the cybersecurity requirements of the RED for products falling within both scopes, making the CRA the sole regulatory reference. The transition is discussed in the article dedicated to cybersecurity for radio equipment.

What changes for CE marking under the Cyber Resilience Act?

The CE marking remains unique: compliance with the CRA is added to the other applicable regulations (for example LVD, EMC, RED). The EU Declaration of Conformity may be a single document covering all the legislation applicable to the product, certifying conformity to several European legal acts at once.
