The EU just created the GDPR of product cybersecurity. If your company builds any connected device—from routers to smart home products—you have less than a year to prepare for mandatory cybersecurity requirements that will fundamentally change how products enter the European market.
Just as GDPR transformed how companies handle personal data, the EU Cyber Resilience Act (CRA) will transform product security requirements across Europe. Starting September 2026, manufacturers face vulnerability reporting obligations. By December 2027, full compliance becomes mandatory—with penalties reaching 2.5% of global revenue for non-compliance.
This isn’t another optional standard or best-practice guideline. It’s EU Regulation 2024/2847, applying directly in all member states. If you sell connected products in Europe, this affects you.
Why the EU Created the CRA: The Threat Landscape
According to ENISA (European Network and Information Security Agency), ransomware and threats against data availability remain top threats across Europe, targeting both consumers and critical infrastructure. The sophistication and frequency of cyberattacks continue growing exponentially.
The EU’s response? Raise the security bar for every connected product entering the market.
In practice, this means: Your router, IoT sensor, or smart device must now meet 23 essential cybersecurity requirements—from secure-by-default configurations to providing security updates for the product’s entire lifecycle plus five years.
The GDPR Parallel: Why This Comparison Matters
Calling the CRA “the GDPR of product cybersecurity” isn’t hyperbole. Consider the parallels:
- Direct EU Regulation: Like GDPR, CRA applies directly across all EU member states without requiring national implementation
- Significant Penalties: GDPR fines reach 4% of global revenue; CRA penalties hit 2.5%—both designed to ensure compliance
- Fundamental Business Changes: GDPR forced companies to redesign data handling processes; CRA requires redesigning product development and support lifecycles
- Market Access Control: Non-compliant products face market bans, just as GDPR non-compliance can halt data processing operations
- Global Impact: Just as GDPR influenced privacy laws worldwide, CRA will likely shape global product security standards
The key difference? GDPR protects personal data. CRA protects the security of products themselves—and by extension, the networks and systems they connect to.
What Products Are Affected?
The CRA applies to “products with digital elements”—essentially any hardware or software that can connect to devices or networks. This includes products connected physically via hardware interfaces or logically through network sockets, APIs, or files.
The regulation divides products into four classes, each with different conformity requirements:
Default Class
Most connected products fall here, including consumer IoT devices, smart home products (except security-specific ones), and general software applications. These require self-declaration of conformity.
Important Class I
This category includes critical infrastructure products with more stringent conformity options:
- Routers, modems, switches, and network gateways
- VPN products and network interfaces
- Operating systems and hypervisors
- Password managers and browsers
- Firewalls and intrusion detection systems
- Identity and access management systems
- Smart home security products (cameras, locks, alarms)
- Microprocessors and microcontrollers
- Boot managers and secure elements
- Network management systems
While third-party assessment is available, self-declaration remains possible when fully complying with EU harmonised standards—the practical path most manufacturers will take.
Important Class II
Higher-risk products requiring more stringent certification, including specialized industrial control systems and critical security components.
Critical Class
Products with the highest security requirements, typically involving critical infrastructure or essential services.
In practice, this means: If you manufacture routers, you’re in Important Class I and can self-declare conformity by following harmonised standards. Building a smart thermostat? You’re likely Default Class with straightforward self-declaration. The classification determines your conformity options, not mandatory third-party involvement.
Timeline: Two Key Deadlines
September 2026: Vulnerability reporting obligations begin. Manufacturers must:
- Report exploited vulnerabilities within 24 hours
- Establish coordinated vulnerability disclosure processes
- Maintain incident response capabilities
December 2027: Full compliance required, including:
- All 23 essential requirements implemented
- Conformity assessment completed
- CE marking with CRA compliance
- Technical documentation prepared
- Support commitments in place
The staggered timeline gives manufacturers time to adapt, but September 2026 is less than a year away. Products not aligned by these deadlines face market access restrictions.
The 23 Essential Requirements: What Engineers Need to Know
The CRA mandates 23 essential cybersecurity requirements. Here are the critical ones for engineering teams:
Risk Assessment and Security by Design
Every product must be designed based on a documented cybersecurity risk assessment. In practice, this means:
- Identify potential threats specific to your product (network attacks, physical tampering, supply chain risks)
- Assess the likelihood and impact of each threat scenario
- Design security controls proportional to the identified risks
- Document and update your risk assessment throughout the product lifecycle
- Ensure security decisions trace back to actual identified risks
Secure by Default
Products must ship with secure configurations out of the box. In practice, this means:
- No default passwords (each device needs unique credentials)
- Minimal attack surface (disable unnecessary services)
- Security features enabled without user intervention
- Principle of least privilege for all components
Security Support Lifecycle
Manufacturers must provide security updates for the product’s expected lifetime plus five years minimum. This requires:
- Clear support period communication to users
- Automated or simplified update mechanisms
- Timely patches for discovered vulnerabilities
- End-of-support notifications
Vulnerability Handling
Establish processes for:
- Identifying and documenting vulnerabilities
- Developing and distributing patches
- Coordinated disclosure with security researchers
- Maintaining a Software Bill of Materials (SBOM)
Resilience and Recovery
Design products to:
- Limit impact of security incidents
- Recover from attacks or failures
- Maintain essential functions during incidents
- Log security-relevant events for analysis
Demonstrating Conformity: Your Options
The path to CRA compliance depends on your product classification. For Default Class and Important Class I products—representing the vast majority of connected devices—you have practical, accessible options:
Default Class: Straightforward Self-Declaration
Most connected products fall here. The process is direct:
- Conduct internal risk assessment
- Document compliance with the 23 essential requirements
- Create technical documentation package
- Apply CE marking with CRA reference
- No third-party involvement required
Important Class I: Self-Declaration with Harmonised Standards
For routers, operating systems, VPNs, firewalls, and other Important Class I products, the most practical path is self-declaration through standards compliance:
- Fully comply with applicable EU harmonised standards (e.g., ETSI EN 304 626 for operating systems, ETSI EN 304 627 for routers/modems)
- Document your standards compliance internally
- Create comprehensive technical documentation
- Apply CE marking with CRA reference
- No mandatory third-party assessment when using harmonised standards
Alternative option: If you prefer external validation or don’t fully comply with harmonised standards, third-party conformity assessment remains available through accredited bodies. This involves product testing, evaluation, and certification—but it’s optional when you meet standards requirements.
Higher Classifications (Important Class II & Critical)
These categories require certification through European cybersecurity schemes and involve more complex conformity procedures. They represent a small percentage of products and typically include specialized industrial control systems and critical infrastructure components.
The key insight: Most manufacturers can self-declare conformity. The harmonised standards provide a clear technical roadmap, eliminating the need for expensive third-party assessments for Important Class I products. Standards like ETSI EN 304 626 and ETSI EN 304 627 are under development but will provide the definitive path to compliance when published.
Consequences of Non-Compliance
The CRA includes enforcement teeth:
- Market Ban: Non-compliant products cannot be sold in the EU
- Financial Penalties: Up to 2.5% of global annual revenue
- Corrective Actions: Mandatory recalls or updates for non-compliant products
- Reputational Impact: Public disclosure of non-compliance
Unlike voluntary standards, CRA compliance isn’t optional for EU market access. Products lacking proper conformity face immediate market restrictions.
Preparing Your Products: Where to Start
With September 2026 approaching fast, engineering teams should begin preparation now:
- Classify Your Products: Determine which CRA class applies to each product line
- Gap Analysis: Compare current security practices against the 23 essential requirements
- Development Process Updates: Integrate security-by-design into your Secure Software Development Lifecycle (SSDL)
- Documentation Systems: Establish processes for technical documentation and SBOM generation
- Vulnerability Management: Implement coordinated disclosure and incident response procedures
- Support Planning: Define security support timelines and update delivery mechanisms
Early alignment provides competitive advantage. While competitors scramble to meet deadlines, prepared manufacturers can highlight CRA compliance as a market differentiator.
The Path Forward
The Cyber Resilience Act represents the EU’s most comprehensive product security regulation to date. Like GDPR before it, CRA will likely influence global security standards as manufacturers adapt their products for the world’s second-largest economy.
For engineers and product teams, this isn’t just another compliance checkbox. It’s an opportunity to build more secure products from the ground up, establishing practices that benefit users worldwide.
The countdown to September 2026 has begun. Smart manufacturers are starting their CRA journey now, building compliance into their product roadmaps rather than scrambling for last-minute fixes.
Ready to navigate CRA complexity? Easynorm helps manufacturers understand and implement CRA requirements efficiently. Our platform translates the regulation’s 71 articles and 23 essential requirements into actionable engineering tasks. Learn how we can accelerate your CRA compliance journey or contact us to discuss your CRA compliance needs.