
5 things every product company must know before the EU’s Cyber Resilience Act kicks in
The EU Cyber Resilience Act (CRA) is the first binding European law that requires manufacturers to build cybersecurity into connected products from day one. What is the CRA, who and what does it affect, and why is an SBOM critical? Here is a summary, written especially for industrial equipment manufacturers.
For many years, manufacturers could sell connected products with little legal obligation to ensure their security. Cybersecurity was treated as optional, or as a feature to be added later, or simply ignored. At the same time, the number of cyberattacks on connected systems has grown rapidly.
The EU created the CRA to change this situation. For industrial equipment companies, it brings fundamental changes to how products are designed, documented, supported, and sold in the EU.
The CRA, officially Regulation (EU) 2024/2847, entered into force on December 10, 2024, with a 3-year transition period. However, starting September 11, 2026, manufacturers must report exploited vulnerabilities within 24 hours, including those affecting products already on the market. When the transition period ends, full compliance is required.
1. The CRA applies to products with digital elements
The CRA covers all products with digital elements placed on the EU market that can connect, directly or indirectly, to a device or network. It applies to hardware such as drives, PLCs, robots, and sensors; to standalone software such as SCADA software and configuration tools; and to remote data processing solutions such as cloud services.
The regulation covers not only manufacturers but also authorized representatives of non-EU manufacturers, importers, and distributors. They must all verify that products comply with CRA requirements. Without proven CRA compliance, the CE marking is not allowed, and the product cannot be placed on the EU market.
2. Cyber Resilience Act security requirements start with secure-by-design
The CRA rests on three core principles: security by design, security by default, and security throughout the full product lifecycle. During the design phase, manufacturers must assess security risks and design the product to mitigate them.
When a product leaves the factory, it must be configured in a secure state without requiring the customer to take extra steps. Manufacturers must provide security updates for at least five years after sale, or longer if the product remains in use.
3. Industrial equipment companies face hard challenges
While typical consumer products are replaced within a few years anyway, many industrial products have lifecycles spanning decades. This forces manufacturers to commit to long-term security support, even for legacy equipment, which is a major change compared to current practices.
Complex embedded software and supply chain dependencies add to the challenge. High-risk products, such as those used in critical infrastructure, may require third-party audits.
4. CRA compliance requires documentation
All products must meet about a dozen security requirements, and compliance must be proven by documentation. Manufacturers must conduct cybersecurity risk assessments, and they must provide and maintain technical documentation of the design and security architecture for at least 10 years.
SBOMs (Software Bills of Materials) deserve early attention for every product: they are needed for regulatory verification, and building them retroactively takes time. They must be in a machine-readable, commonly used format. They are also the basis for real-time vulnerability reporting, since public vulnerability databases can be checked continuously against the components each SBOM lists.
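As an added illustration of the SBOM check described above (not part of the original article or of any vendor's tooling), the following Python script matches a CycloneDX-style SBOM against an advisory feed; the SBOM contents, the advisory identifiers and the fixed versions are all constructed placeholders, and the "older than fixed_in" rule is a simplification of how real feeds express affected ranges.

```python
"""Match a machine-readable SBOM against a vulnerability feed (constructed sample data)."""
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical PLC firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "mbedtls", "version": "2.28.0", "purl": "pkg:generic/mbedtls@2.28.0"}
  ]
}"""

# Constructed advisory feed with placeholder identifiers (not real CVE numbers).
# Each entry means: versions of this package below fixed_in are affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "pkg:generic/openssl", "fixed_in": "1.1.1l"},
    {"id": "ADV-PLACEHOLDER-2", "package": "pkg:generic/zlib", "fixed_in": "1.2.12"},
]


def version_key(version):
    """Split a version string into comparable pieces so that '1.1.1k' < '1.1.1l'
    and '1.2.13' > '1.2.12'. Numeric tokens sort before letter suffixes."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def find_affected(sbom_json, advisories):
    """Return (purl, advisory_id) pairs for SBOM components whose version
    is older than the advisory's fixed_in version."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if "@" not in purl:
            continue  # no version in the purl: cannot be matched against a fixed version
        package, version = purl.rsplit("@", 1)
        for adv in advisories:
            if adv["package"] == package and version_key(version) < version_key(adv["fixed_in"]):
                hits.append((purl, adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{purl} affected by {adv_id}")
```

Only the openssl component is reported: zlib is already at a version newer than the fixed one, and mbedtls has no advisory in the feed.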
Need help assessing your CRA documentation, SBOM readiness, or cybersecurity compliance requirements? Talk to our cybersecurity specialists.
5. Cyber Resilience Act penalties can be severe
Non-compliance risks financial penalties, market exclusion, and reputational damage.
If a company fails to meet the essential cybersecurity requirements, the fine may be €15 million or 2.5% of global annual turnover, whichever is higher. The fine for failing to report exploited vulnerabilities within the deadline can be €10 million. The EU may also ban the sale of products, order market withdrawals, and announce violations publicly.
What are the next steps for manufacturers?
- Start with a gap analysis to identify what changes are needed.
- Implement processes to ensure new products meet the standards from the outset.
- Establish systems for real-time vulnerability monitoring and incident reporting.
Agentic AI can accelerate compliance by automating the generation of SBOMs and documentation, assisting threat modeling, and supporting penetration testing.
However, technology alone isn’t enough. The fastest and best way forward is to partner with a company that understands the CRA and industrial engineering. Now is the time to act.
Preparing for the EU Cyber Resilience Act? Etteplan helps product manufacturers assess compliance gaps, strengthen cybersecurity processes, and accelerate readiness.

SVP, Software and Embedded Solutions
