Cyber Resilience Act: What Every Electronic Device Manufacturer Must Know to Sell Products in the EU from 11 December 2027

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is a new EU regulation that raises the cybersecurity baseline of products with digital elements. It imposes binding requirements on manufacturers, importers and distributors worldwide who place such products on the EU market: products must be designed, developed and maintained so that they are secure and resilient to cyber threats throughout their support period. With fines of up to several million euros for non-compliance, it is worth investing time in the details. We therefore offer this free webinar with top-level speakers at three different times to reach customers around the world.

The agenda in brief

Stefan Würth from TÜV Süd will give an overview of the conformity assessment procedures required under the Cyber Resilience Act and the penalties for non-compliance.
Sergejs Rogovs, Chief Engineer Cyber Security at 1acue, will explain the new cybersecurity legislation affecting European industry: the Machinery Directive, the IEC 62443 series of industrial cybersecurity standards, the Cyber Resilience Act, the NIS-2 Directive on network and information security, and the ETSI standards under the Radio Equipment Directive (RED).
Preeti Khemani, Senior Director at Infineon, and Dr. Detlef Houdeau, Cyber Security Expert at Infineon, will present how Infineon, as a leading European semiconductor supplier, supports its customers in complying with the Cyber Resilience Act.

Join our joint webinar with Infineon, 1acue, and TÜV Süd.

Discover our Sessions

Session in English

Session in German

FAQs

On-demand content

Yes, the webinar presentations can be downloaded here

Scope of the CRA

The CRA applies to all products with digital elements placed on the EU market, hardware and software alike. Product categories that already fall under sector-specific EU rules with their own cybersecurity requirements are excluded, for example medical devices regulated under the Medical Devices Regulation (where IEC 81001-5-1 is the relevant security lifecycle standard). Embedded systems are in scope if they have an interface that could be manipulated from outside.

The CRA's product requirements apply to products placed on the market from 11 December 2027; the manufacturers' reporting obligations (see Incident Reporting below) already apply from 11 September 2026. Products already in use before that date are not retroactively affected unless they are substantially modified. Devices without internet connectivity may still fall under the CRA if they have any interface (for example USB) that could be exploited.

Prototypes that are not placed on the market are not subject to CRA requirements. Once a prototype becomes a marketable product, however, full CRA compliance is required. There are no exemptions for small or medium-sized enterprises (SMEs) or for low-volume production runs.

The manufacturer who integrates components and places the final product on the market is the responsible party under the CRA. It must ensure full compliance of the product as a whole, including technical documentation, risk assessment and vulnerability and incident handling, even if the components themselves are pre-certified.

Definitions & Terminology

In CRA terms, a "product with digital elements" is any software or hardware product, including components placed on the market separately. In practice this means any component or system that contains a microcontroller or similar digital logic and has an interface to the outside world, including very simple devices, as long as they can be manipulated externally.

A product is considered connected if it has any interface that allows external communication or manipulation, regardless of whether that is the internet, a VPN tunnel, USB, or another wired or wireless connection. What matters is the technical possibility of access, not the type of connection, and not whether the customer actually uses the interface.

Yes. If a device has a microcontroller and any form of external interface, it may be subject to CRA requirements—even if it does not connect to the internet.

Technical Requirements & Components

Yes. All components that contribute to the digital functionality of a product must be considered in the CRA compliance process. Even if individual components are pre-certified, the final product must be assessed as a whole.

If such systems have external interfaces that could be exploited, they fall under the CRA. A risk assessment must be carried out to evaluate potential vulnerabilities based on the system architecture and the intended use cases.

The CRA requires manufacturers to handle vulnerabilities and provide security updates for a support period that reflects the product's expected lifetime, and in any case for at least five years (a shorter period is allowed only where the product is expected to be in use for less than five years). Manufacturers should therefore reserve sufficient memory for future updates, especially security patches. This may influence hardware design decisions such as selecting microcontrollers with adequate flash storage for a second image slot.

Incident Reporting & Processes

Actively exploited vulnerabilities and severe incidents affecting the security of a product must be reported in stages: an early warning within 24 hours of the manufacturer becoming aware, a notification with more detail within 72 hours, and a final report within 14 days (vulnerabilities, once a fix is available) or one month (incidents). There are no exceptions for weekends or holidays. The CRA does not set a fixed deadline for fixing a vulnerability, but it requires that vulnerabilities be addressed without delay and that appropriate processes be in place to manage them.

All customer-reported vulnerabilities must be triaged and, if confirmed, handled through the manufacturer's vulnerability handling process (fix, secure distribution of the update, coordinated disclosure). The 24-hour early warning applies when the vulnerability is found to be actively exploited. The CRA expects manufacturers to have internal processes for triaging, documenting and responding to such reports, including a published contact point for vulnerability reports.

Under the CRA, reports go to the national CSIRT designated as coordinator and to ENISA via a single reporting platform. In Germany the competent authority is expected to be the BSI (Federal Office for Information Security); the details of responsibility may still change. The LKA (State Criminal Police Office) may be involved in criminal investigations, but CRA compliance is handled through the BSI. In other countries, different organizations are responsible.

Risk Assessment & Tools

Yes. A cybersecurity risk assessment must be carried out for every product with digital elements and documented as part of the technical documentation. Even a product without internet connectivity must be evaluated for potential vulnerabilities through its other interfaces, such as USB or serial ports.

Risk assessments can be performed with tools ranging from Excel spreadsheets to specialized software such as Ansys Medini. Methodologies such as TARA (Threat Analysis and Risk Assessment) are commonly recommended. The choice of tool depends on the complexity of the product and on the organization's internal capabilities.

Standards, Regulations & Certifications

These standards are not mandatory under the CRA but are highly relevant. IEC 62443 is particularly important for industrial and automation systems; ISO/SAE 21434 applies to the automotive sector. They are not yet harmonised standards under the CRA, so applying them does not by itself give a presumption of conformity, but they provide valuable guidance and are expected to align closely with the CRA requirements in the future.

EN 18031 and the RED Delegated Act (RED-DA) apply to products with radio interfaces and require specific documentation and testing. CRA requirements are layered on top of these, so products with radio interfaces must comply with both sets of requirements in order to carry the CE marking.

In many cases, yes. For products in the default category, a self-assessment and an EU declaration of conformity are sufficient. For "important" products, self-assessment is only possible when harmonised standards are applied in full (class I); otherwise, and for class II, a third-party conformity assessment is required. "Critical" products may additionally need certification under a European cybersecurity certification scheme.

Open Source & Firmware Maintenance

If open-source software is integrated into a commercial product, the manufacturer is responsible for ensuring that it meets CRA requirements. This includes maintaining the software and addressing vulnerabilities throughout the support period, and the open-source component must be listed in the product's software bill of materials (SBOM).

Manufacturers must provide security updates for the support period, which is at least five years from the placing on the market of each unit (in practice, five years after the last unit is sold) and longer if the product's expected lifetime is longer. Updates must be distributed free of charge and without delay, and the update mechanism itself must be secure: images must be authenticated before installation, rollback to vulnerable versions must be prevented, and delivery should ideally be possible remotely.
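The authenticated update process mentioned above, and the need to plan memory for it, is easiest to judge against a concrete check. The following is an added example written for this page, not code from the webinar or from Infineon, 1acue or TÜV Süd. It assumes a hypothetical update package layout (a short signed header followed by the image) and uses Ed25519 from the Go standard library; on a real device the same logic would live in the bootloader with the public key in immutable storage and the installed version in a monotonic counter.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update package layout (constructed for this example):
//   magic   "CRAU"        4 bytes
//   version uint32 BE     4 bytes   must increase monotonically (anti-rollback)
//   imgLen  uint32 BE     4 bytes
//   digest  SHA-256       32 bytes  over the image payload
//   sig     Ed25519       64 bytes  over the 44 signed header bytes above
//   image   imgLen bytes
const (
	magic     = "CRAU"
	signedLen = 4 + 4 + 4 + 32
	headerLen = signedLen + ed25519.SignatureSize
)

var (
	ErrFormat   = errors.New("update: malformed package")
	ErrSig      = errors.New("update: signature verification failed")
	ErrDigest   = errors.New("update: image digest mismatch")
	ErrRollback = errors.New("update: version not newer than installed")
)

// BuildUpdate is the vendor-side signing step. In production the private key
// lives in an HSM or signing service, never on the device or a build host.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(image)))
	sum := sha256.Sum256(image)
	copy(hdr[12:signedLen], sum[:])
	copy(hdr[signedLen:headerLen], ed25519.Sign(priv, hdr[:signedLen]))
	return append(hdr, image...)
}

// VerifyUpdate is the device-side check a bootloader runs before writing
// anything to flash. pub is the vendor public key baked into immutable
// storage; installed is the currently running version. Nothing in the
// package is trusted until the signature over the header has been verified,
// and the image is only accepted once its digest matches the signed header
// and its version is strictly newer than what is installed.
func VerifyUpdate(pub ed25519.PublicKey, pkg []byte, installed uint32) ([]byte, uint32, error) {
	if len(pkg) < headerLen || string(pkg[:4]) != magic {
		return nil, 0, ErrFormat
	}
	version := binary.BigEndian.Uint32(pkg[4:8])
	imgLen := binary.BigEndian.Uint32(pkg[8:12])
	if uint64(len(pkg)) != uint64(headerLen)+uint64(imgLen) {
		return nil, 0, ErrFormat
	}
	if !ed25519.Verify(pub, pkg[:signedLen], pkg[signedLen:headerLen]) {
		return nil, 0, ErrSig
	}
	image := pkg[headerLen:]
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], pkg[12:signedLen]) {
		return nil, 0, ErrDigest
	}
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return image, version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2") // stand-in for a real image
	pkg := BuildUpdate(priv, 2, image)
	if _, v, err := VerifyUpdate(pub, pkg, 1); err == nil {
		fmt.Println("accepted version", v)
	}
	pkg[len(pkg)-1] ^= 0x01 // flip one byte of the image in transit
	_, _, err := VerifyUpdate(pub, pkg, 1)
	fmt.Println("tampered image:", err)
}
```

Two design points are worth noting for a CRA risk assessment: the version is inside the signed header, so an attacker cannot downgrade a device by re-labelling an old, vulnerable image, and the device verifies the header signature before it trusts the digest, so an unsigned package is rejected before any image bytes are hashed or parsed. The header is only 108 bytes, but the image still has to fit next to the running one if the device is to fall back safely after a failed write, which is the memory planning point made above.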

Legacy Products & Market Placement

Yes, if those products are placed on the market on or after 11 December 2027. The date of placing on the market, not the date of manufacture, determines whether the CRA applies. Products held in stock must therefore be CRA-compliant if they are sold after that date.

They may no longer be legally placed on the market. A new Declaration of Conformity must be issued in accordance with CRA requirements for continued distribution.

If a product undergoes a substantial modification, for example the addition of a new control unit or a connectivity feature, it counts as a new product and must be reassessed for CRA compliance. Even replacement parts may trigger CRA obligations if they introduce new digital functionality.

Implementation & Support

Yes. Various commercial tools and consulting services are available to support CRA implementation, including risk assessment platforms, compliance management systems, and automated documentation tools.

A self-assessment includes identifying the digital elements of the product, carrying out the risk assessment, documenting the security measures and the vulnerability handling process in the technical documentation, and preparing the EU declaration of conformity. It is similar in structure to an ISO 9001 internal audit but focused on product cybersecurity.

SIL (Safety Integrity Level) certification addresses functional safety, not cybersecurity. CRA compliance must be evaluated separately, especially for digital interfaces and update mechanisms.

It depends on the risk profile and system architecture. A hardened MCU with an integrated secure element may be sufficient, but for high-security applications, an external secure element can provide additional protection for critical assets like credentials.

