Contact Nuans law firm in Gent area for corporate law services
Legal experts for GDPR compliance and privacy law in the Gent area
July 2, 2026

Preparing for the Cyber Resilience Act (CRA)

Preparing for the Cyber Resilience Act (CRA): Key Obligations and Upcoming Deadlines

The increasing digitalisation of products creates significant opportunities, but also exposes organisations and users to growing cybersecurity risks. To address these challenges, the Cyber Resilience Act (Regulation (EU) 2024/2847, the “CRA”) introduces a comprehensive cybersecurity framework for products with digital elements.

The CRA aims to raise the overall cybersecurity standard of hardware and software products placed on the EU market. Manufacturers and other economic operators will be required to integrate cybersecurity throughout the entire product lifecycle, ensuring that vulnerabilities are identified, managed and remediated in a timely manner.

As certain obligations will already become applicable from September 2026, organisations should assess without delay whether the CRA applies to their products and activities.

Who does the CRA apply to?

The CRA applies to a broad range of “products with digital elements”, including both hardware and software products.

The Regulation covers products that can connect, directly or indirectly, to a network and that are placed on the EU market. Examples include smartphones, laptops, connected cameras, smartwatches, connected toys, firewalls, smart meters, applications and software products.

The CRA imposes obligations not only on manufacturers, but also on importers and distributors involved in making such products available on the EU market.

What are the key obligations under the CRA?

 Manufacturers, importers and distributors of products with digital elements must comply with a range of cybersecurity requirements, including:

  • Security by design and by default: cybersecurity must be embedded into products from the earliest design and development stages and maintained throughout the product lifecycle;
  • Risk and conformity assessments: manufacturers must identify and assess cybersecurity risks and demonstrate compliance with the CRA through appropriate conformity assessment procedures and technical documentation;
  • Vulnerability management: manufacturers must establish processes to identify, monitor and remediate vulnerabilities throughout the support period of the product (which must generally be at least five years).
  • Reporting of vulnerabilities: Serious vulnerabilities and security incidents must be reported to a single platform at European level to ensure a smooth and efficient transmission of information on vulnerabilities and incidents between national cybersecurity agencies (Computer Security Computer Security Incident Response Teams – CCB) and ENISA;
  • User information and transparency: users must receive clear and comprehensible information regarding the cybersecurity characteristics of the product, including instructions for secure use and vulnerability reporting mechanisms.

Which compliance deadlines should organisations be aware of?

A first important milestone is 11 September 2026. From that date, manufacturers will be required to notify actively exploited vulnerabilities and severe security incidents affecting products with digital elements within the deadlines prescribed by the CRA, including for products that are already on the market.

Given the limited time remaining before these reporting obligations take effect, organisations should already assess:

  • whether their products fall within the scope of the CRA;
  • which obligations apply to them;
  • which vulnerabilities and incidents may trigger reporting obligations; and
  • what internal processes are needed to ensure timely compliance.

Do you have questions about the applicability of the CRA to your organisation or about preparing for the upcoming reporting obligations? Contact our Technology & Data lawyers.

Share via:
Facebook
X
LinkedIn