November 17, 2025

EU Cyber Resilience Act (CRA): A Didactic Guide for Manufacturers

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) introduces mandatory cybersecurity requirements for products with digital elements: software, hardware with embedded software, connected devices, IoT, industrial systems, and so on.

If you manufacture anything that runs software, this concerns you.

The purpose of the CRA is simple:

👉 Make digital products secure throughout their entire life.

To help you comply, here is a step-by-step approach.

1. First Step: Understand Whether Your Products Are in Scope

A product is covered by the CRA if it is a software or hardware product (including components placed on the market separately) whose intended purpose or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network. In practice, that means products that have:

  • Software
  • Connectivity
  • Embedded electronics
  • Ability to communicate with networks or other devices

This covers most modern products, from routers to smart washing machines, industrial controllers, apps, and AI-driven equipment. Products already regulated by sector-specific EU rules (medical devices under the MDR/IVDR, motor vehicles, civil aviation, marine equipment) are excluded, and non-commercial open-source software is out of scope.

Manufacturers must:

  • List all their products with digital elements
  • Group them into “risk classes”: default, important (Class I or Class II, listed in Annex III) and critical (listed in Annex IV)

Why this matters:
Higher-risk products will require stricter assessments.

2. Build Security Into the Product From the Beginning

The CRA is based on two ideas:

  1. Secure by design → security must be built into the architecture and development
  2. Secure by default → when a user opens the box, the product must already be secure

To achieve this, manufacturers must adopt:

✔ Secure software development practices

(threat modelling, secure coding, code reviews)

✔ Regular testing

(penetration testing, fuzz testing, vulnerability scans)

✔ Safe default settings

(no weak passwords, limit unnecessary ports, enable encryption)

✔ Documentation of the design choices

(explain how safety and security risks were managed)

Think of it as:
“Would this product be safe if a non-expert installed it without reading the manual?”
If the answer is no, it fails CRA expectations.

3. Create a Strong Vulnerability Management Process

This is one of the core obligations of the CRA.

Manufacturers must have the ability to:

  • Monitor new vulnerabilities
  • Fix vulnerabilities quickly
  • Provide secure (signed) updates, distributed without delay, free of charge, and automatic by default where applicable
  • Maintain an SBOM (Software Bill of Materials) in a machine-readable format, covering at least the top-level dependencies
  • Have a Coordinated Vulnerability Disclosure (CVD) policy

The CRA also introduces mandatory reporting timelines (Article 14). The clocks start when the manufacturer becomes aware of an actively exploited vulnerability, or of a severe incident having an impact on the security of the product. Notifications go through the single reporting platform operated by ENISA to the designated CSIRT and to ENISA:

⏱️ Within 24 hours → Early warning that a vulnerability is being actively exploited, or that a severe incident has occurred
⏱️ Within 72 hours → Vulnerability notification (nature, severity, corrective or mitigating measures available) or incident notification
⏱️ Within 14 days → Final vulnerability report (description, root cause, remediation), counted from the day a corrective or mitigating measure is available
⏱️ Within 1 month → Final incident report for severe incidents, counted from the incident notification

Affected users must also be informed of the vulnerability and of the remediation without undue delay.

This means manufacturers need:

  • A security team
  • A clear workflow
  • Monitoring tools
  • Internal responsibility for reporting
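As an added example (not from the original article and not any official CRA tooling), here is a small Python script that does two of the things this section asks for: it matches a Software Bill of Materials against a vulnerability feed and, for any finding flagged as actively exploited, computes the Article 14 reporting deadlines from the moment of awareness. The CycloneDX SBOM, the component names and the advisory feed are constructed for illustration (the advisory IDs are placeholders, not real CVEs); in real use the SBOM would come from the build pipeline and the advisories from the feeds the team subscribes to.

```python
"""Match a CycloneDX SBOM against a vulnerability feed and compute CRA Article 14 clocks.

Added example. The SBOM, components and advisories below are constructed, not real.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical gateway firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "firmware", "name": "example-gateway-fw", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "libparse", "version": "1.4.2", "purl": "pkg:generic/libparse@1.4.2"},
    {"type": "library", "name": "netstack", "version": "2.0.9", "purl": "pkg:generic/netstack@2.0.9"},
    {"type": "library", "name": "tlscore",  "version": "3.1.0", "purl": "pkg:generic/tlscore@3.1.0"}
  ]
}
"""

# Constructed advisory feed (placeholder IDs, not CVEs). "fixed" is exclusive:
# affected versions are introduced <= v < fixed, as in OSV-style ranges.
ADVISORIES = [
    {"id": "ADV-TEST-1", "package": "libparse", "introduced": "1.0.0", "fixed": "1.4.3", "exploited": True},
    {"id": "ADV-TEST-2", "package": "netstack", "introduced": "2.1.0", "fixed": "2.1.4", "exploited": False},
    {"id": "ADV-TEST-3", "package": "tlscore",  "introduced": "3.0.0", "fixed": "3.2.0", "exploited": False},
]

# Constructed moment of awareness used by the demo run below.
EXAMPLE_AWARE_AT = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """One finding per (component, advisory) pair whose shipped version is in the affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["package"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"], "exploited": adv["exploited"]})
    return findings


def reporting_deadlines(aware_at, fix_available_at=None):
    """Article 14 clocks for an actively exploited vulnerability.

    aware_at: when the manufacturer became aware (timezone-aware datetime).
    fix_available_at: when a corrective or mitigating measure became available;
    the final report is due 14 days after that, so it stays None until then.
    """
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "vulnerability_notification": aware_at + timedelta(hours=72),
        "final_report": None if fix_available_at is None else fix_available_at + timedelta(days=14),
    }


def triage(sbom_json, advisories, aware_at):
    """Findings plus the reporting clocks that start for any actively exploited one."""
    result = []
    for finding in match_sbom(sbom_json, advisories):
        entry = dict(finding)
        entry["deadlines"] = reporting_deadlines(aware_at) if finding["exploited"] else None
        result.append(entry)
    return result


if __name__ == "__main__":
    for entry in triage(SBOM_JSON, ADVISORIES, EXAMPLE_AWARE_AT):
        if entry["exploited"]:
            print(entry["component"], entry["advisory"], "actively exploited; early warning due",
                  entry["deadlines"]["early_warning"].isoformat())
        else:
            print(entry["component"], entry["advisory"], "affected, not known exploited; fix within the support period")
```

The version range check is deliberately simple (dotted integers only); a real matcher should use the package ecosystem's own version ordering and match on the purl rather than the bare name, since the same name can exist in several ecosystems.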

4. Prepare Documentation (this is mandatory!)

Manufacturers must prepare and maintain:

  • A security risk assessment for each product
  • Technical documentation showing how they meet CRA requirements
  • A Software Bill of Materials (SBOM)
  • User instructions on:
    • how to configure the product securely
    • how to update it
    • how to decommission it safely

Market surveillance authorities can request this documentation at any time, and Notified Bodies review it during third-party assessment.

5. Plan for the Entire Product Lifecycle

CRA requires manufacturers to clearly state:

  • How long they will provide security updates (the “support period”)
  • How they will support the product
  • How users will get security patches

The support period must reflect the time the product is expected to be in use. The CRA sets a floor of five years unless the product is expected to be in use for less; in any case you cannot say “1 year” for a product that lasts 10 years.

Lifecycle responsibility is a major change:
You are responsible for handling vulnerabilities for the whole support period, i.e. as long as the product is “alive” in the market.

6. Prepare for Conformity Assessment (CE Mark)

To be placed on the EU market, products must meet the CRA's essential requirements, pass a conformity assessment and carry the CE marking.

The assessment route depends on the risk class:

1. Self-assessment (default products, and important Class I products that fully apply harmonised standards, common specifications or a European cybersecurity certification scheme)

The manufacturer verifies compliance (internal control procedure) and signs the EU Declaration of Conformity.

2. Third-party assessment (important Class I products without such standards, all important Class II products, and critical products)

A Notified Body must review your product and processes. Critical products may additionally be required to hold a European cybersecurity certificate once a scheme is mandated for them.

Manufacturers should plan early: Notified Bodies can only be designated from 11 June 2026, and their capacity is expected to be limited.

CRA Deadlines

Here is the timeline in a simple, visual way:

🔹 10 December 2024 — CRA enters into force

This is when the regulation became official.
Manufacturers can start preparing, but nothing is mandatory yet.

🔹 11 June 2026 — Notified Body provisions apply

Conformity assessment bodies can be designated from this date, so third-party assessments can start.

🔹 11 September 2026 — REPORTING OBLIGATIONS BEGIN

Article 14 applies before the rest of the CRA:

What starts in 2026:

  • You must send the early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident
  • You must follow the rest of the mandatory reporting timelines (72 hours, 14 days, 1 month)
  • In practice you need a vulnerability handling and monitoring process in place, otherwise you cannot meet these clocks

This is the “early warning system” part of CRA.

🔹 11 December 2027 — FULL CRA COMPLIANCE BECOMES MANDATORY

From this date, manufacturers must comply with:

  • Secure-by-design requirements
  • Secure-by-default requirements
  • Lifecycle support obligations
  • Documentation obligations
  • Conformity assessment (self-assessment or third-party)
  • CE marking under CRA

If a product is not compliant after this date, it cannot be placed on the EU market. Products already placed on the market before 11 December 2027 only have to meet the requirements if they are substantially modified after that date, but the Article 14 reporting obligations apply to them regardless.