EU Cyber Resilience Act (CRA): Requirements, Deadlines and Five-Year Update Rules

The EU’s Cyber Resilience Regulation has been in effect since December 2024. It requires manufacturers of connected products to meet clear security standards, follow reporting obligations, and provide regular updates. Requirements vary by product category, and manufacturers must adjust and document their processes accordingly.

Many manufacturers and users are asking what the Cyber Resilience Act means for them. The Cyber Resilience Act (CRA) came into force on December 10, 2024. Its provisions will be implemented in stages: initial reporting obligations for manufacturers begin September 11, 2026, and full enforcement will take effect December 11, 2027. From late 2027 onward, non-compliant products will no longer be permitted on the EU market, and affected companies will face new responsibilities. These include stronger security requirements, risk assessments, detailed documentation, and expanded reporting. However, the exact obligations depend on the product category and specific criteria.

Security Requirements: Regulation Applies to All Connected Devices

The Federal Office for Information Security (BSI) aims for the regulation to establish a “minimum level of cybersecurity” for all connected products. This represents a significant shift: any product with digital components sold in the EU must now comply with specific security standards. This covers manufacturers offering hardware or software that is either directly or indirectly connected.

The scope is broad and covers:

  • Consumer devices (smartwatches, connected toys, video games)
  • Business solutions (microprocessors, cloud services, firewalls, VPNs)
  • Software applications and infrastructure components

Open-source software is exempt only if it is not used for commercial purposes.

Product Categories: VPNs Classified as Critical Category I

The regulation classifies connected products into several categories based on their risk level. Basic “products with digital elements” include items like smartphones, tax software, robotic vacuum cleaners, and AirTags. More sensitive products fall into two “important” classes, Class I and Class II, with an additional “critical products” category.

In brief, the categories are:

  • General products
  • Important products – Class I
  • Important products – Class II
  • Critical products

Examples include:

  • Class I: Web browsers, password managers, SIEM tools, VPN software and hardware, operating systems, routers, and switches
  • Class II: Hypervisors and container platforms
  • Critical products: Smart cards and hardware security modules

These categories determine the level of obligation. Class II products face stricter requirements than Class I, which in turn are more regulated than general products. The Cyber Resilience Act offers several compliance modules, from internal controls (Module A) to EU type examinations (Modules B and C), and comprehensive quality assurance (Module H). Certification is also an option.

Security Patches: Five-Year Update Requirement Begins in 2027

Until now, there was no legal mandate for security updates, but the Cyber Resilience Act changes this. Providers must deliver security updates and vulnerability fixes for a minimum of five years. Shorter update periods are allowed only if the product’s expected lifespan is less than five years.

Manufacturers must supply these security updates promptly and free of charge. An exception exists for customized products, where companies may arrange paid updates through contracts.

Risk Analysis: Essential Steps for CRA Compliance

To ensure CRA compliance, manufacturers must:

  • Identify affected products
  • Determine the applicable product category
  • Conduct structured cybersecurity risk assessments
  • Implement appropriate technical and organizational safeguards
  • Maintain comprehensive compliance documentation

The regulation applies to companies of all sizes.

Non-compliance may result in fines of up to:

  • 15 million euros
  • or 2.5% of global annual turnover

Support is available from the Federal Office for Information Security (BSI), which has published a technical guideline detailing manufacturer and product requirements. The BSI also offers downloadable information brochures to help companies get started.

Conclusion: Preparing for CRA Compliance Before 2027

The EU Cyber Resilience Act represents a fundamental shift in product cybersecurity regulation. Manufacturers must integrate security-by-design principles, long-term update strategies, and structured risk management processes into their development lifecycle.

Organizations that begin preparing early will reduce regulatory risk and avoid last-minute compliance challenges before the 2027 enforcement deadline.