The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force on 10 December 2024 and applies in stages. From 11 September 2026, manufacturers of products with digital elements must report actively exploited vulnerabilities and severe security incidents to the authorities. The bulk of the CRA's cybersecurity and transparency requirements become binding on 11 December 2027. The autumn 2026 deadline already sets the bar for manufacturers, importers and distributors of digital products, because a 24-hour reporting window cannot be met without a working vulnerability handling process behind it.
Who is affected by the CRA?
The CRA applies to manufacturers, importers and distributors who place products with digital elements on the EU market, from IoT devices to standalone software and embedded systems. Products already covered by sector-specific cybersecurity rules are exempt, in particular medical devices, vehicles and aviation, as are products developed exclusively for national security or defence purposes. Free and open-source software is in scope only when it is supplied in the course of a commercial activity.

What will be mandatory from September 2026?
Vulnerability management and reporting obligations
- Reporting of actively exploited vulnerabilities and severe incidents: Under Article 14, manufacturers must notify any actively exploited vulnerability in their product, and any severe incident having an impact on the security of the product, to the CSIRT designated as coordinator in their Member State and to ENISA, via the single reporting platform operated by ENISA. An early warning is due within 24 hours of becoming aware; a notification with general information (severity, impact, corrective or mitigating measures) within 72 hours; and a final report within 14 days after a corrective measure is available (for severe incidents, within one month of the 72-hour notification). Manufacturers must also inform impacted users without undue delay, including about mitigations. Importers and distributors do not report to the authorities themselves: they must inform the manufacturer without undue delay of any vulnerability they become aware of and, if the product presents a significant cybersecurity risk, also inform the market surveillance authorities.
- Vulnerability handling processes: The vulnerability handling requirements of Annex I, Part II (identifying and documenting vulnerabilities and components, assessing and remediating them, testing the product, distributing security updates) formally become binding on 11 December 2027. In practice they have to exist by September 2026: an early warning within 24 hours is only achievable with an established process for receiving, triaging and tracking vulnerability reports.
- Coordinated vulnerability disclosure: Manufacturers must publish a coordinated vulnerability disclosure policy and provide a contact address for reporting vulnerabilities (Annex I, Part II). A public security contact, for example a security.txt file (RFC 9116) and a monitored security mailbox, is the minimum needed to learn about vulnerabilities in the product early enough to meet the reporting deadlines.
Documentation requirements
- Technical documentation on request: Manufacturers must draw up technical documentation covering the product, its cybersecurity risk assessment, the measures taken to meet the essential requirements and the vulnerability handling process, before the product is placed on the market. It must be kept for at least ten years after the product is placed on the market or for the support period, whichever is longer, and made available to the market surveillance authorities on request.
- Information for users: The information and instructions accompanying the product (Annex II) must state the security contact, the end of the support period, how security updates are obtained and installed, and how to operate the product securely. From September 2026, Article 14 additionally requires manufacturers to inform impacted users about actively exploited vulnerabilities and severe incidents, together with any mitigation or corrective measures.
- Keeping documentation current: Technical documentation must be kept up to date throughout the support period. Changes to the product, such as new software releases or replaced components, must be reflected in it.
- Machine-readable formats: The software bill of materials must be provided in a commonly used, machine-readable format (for example CycloneDX or SPDX), and vulnerability and incident notifications are submitted electronically through the single reporting platform.
Additional CRA requirements apply from December 2027
The remaining obligations apply from 11 December 2027 (the provisions on notified bodies already from 11 June 2026):
- CE marking and conformity assessment: Products with digital elements must bear the CE marking and be accompanied by an EU declaration of conformity. The conformity assessment route depends on the product category: default products may be self-assessed, while important products (Annex III, classes I and II) and critical products (Annex IV) face stricter routes, up to mandatory third-party assessment or European cybersecurity certification.
- Security by design and security by default: The essential requirements of Annex I, Part I become binding: products must be delivered without known exploitable vulnerabilities, with a secure default configuration, with protection against unauthorised access, with confidentiality and integrity of processed data, with a minimised attack surface, and with a mechanism for installing security updates.
- Software Bill of Materials (SBOM): An SBOM must be drawn up and maintained for each product, in a commonly used, machine-readable format and covering at least the product's top-level dependencies. It is the basis for matching the product against published advisories and therefore for the reporting obligations above.
- Security updates: Manufacturers must provide security updates free of charge and without delay for the support period, which must be at least five years unless the product is expected to be in use for a shorter time. Where technically feasible, security updates must be delivered separately from functionality updates.
- Market surveillance: Market surveillance authorities may demand corrective action, restrict or withdraw products, and impose fines of up to EUR 15 million or 2.5 % of worldwide annual turnover for breaches of the essential requirements or of the manufacturer obligations in Articles 13 and 14.

Advantages for companies: Compliance as a competitive edge
Companies that treat the CRA as a strategy rather than only as an obligation benefit twice over.
- Build trust: Customers and procurement departments prefer products whose security is demonstrable and CE-conformant.
- Reduce risk: Systematic vulnerability management shortens the time between disclosure and patch, and protects against downtime and reputational damage.
- Seize market opportunities: Compliance with the CRA will be the ticket to the European single market; non-conforming products can no longer be placed on it.
What companies should do now
Companies should start now to introduce organisational and technical measures to comply with CRA requirements.
- Product screening: Identify which of your products are subject to the CRA and into which category (default, important, critical) each falls, as this determines the conformity assessment route.
- Technical documentation: Document security measures and the software components of every product (SBOM), so that published advisories can be matched against what you ship.
- Establish update processes: Make sure you can build, sign and distribute security updates for every supported product, separately from feature updates where possible.
- Set up reporting channels: Define the internal escalation path from the first report to the 24-hour early warning, publish a security contact and disclosure policy, and prepare access to the single reporting platform.
- Train your team: Make cybersecurity a core competency of your teams and processes.
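The SBOM obligation above and the "Technical documentation" action item both come down to one artefact that has to be produced per release, checked for usability and kept current. The following is an added example, not code from the original article or from any tool it mentions: it builds a CycloneDX 1.5 SBOM for a product release, audits it for the fields a vulnerability handling process needs (version, package URL, artifact hash) and diffs two releases so that the change can be recorded in the technical documentation. The product, the dependencies and the hashes are constructed; real SBOMs are generated from the build system and the hashes are taken from the shipped artifacts.

```python
"""Build, audit and diff a CycloneDX 1.5 SBOM for a product release.

Added example (not from the original article). Product and dependency data
are constructed for illustration; real SBOMs are normally generated from the
build system and the hashes taken from the shipped artifacts.
"""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    """One top-level dependency (the minimum the CRA SBOM must cover)."""
    name: str
    version: Optional[str]
    purl: Optional[str] = None          # package URL identifying ecosystem and package
    sha256: Optional[str] = None        # hex digest of the shipped artifact
    licenses: tuple = ()                # SPDX license identifiers


def _to_cdx(c: Component, ctype: str) -> dict:
    """Render one component as a CycloneDX JSON object; omit unknown fields."""
    entry = {"type": ctype, "name": c.name}
    if c.version is not None:
        entry["version"] = c.version
    if c.purl is not None:
        entry["purl"] = c.purl
    if c.sha256 is not None:
        entry["hashes"] = [{"alg": "SHA-256", "content": c.sha256}]
    if c.licenses:
        entry["licenses"] = [{"license": {"id": lic}} for lic in c.licenses]
    return entry


def build_cyclonedx(product: Component, deps: list, serial: str) -> dict:
    """Assemble a CycloneDX 1.5 document for one product release."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial,          # urn:uuid:... generated per document in real use
        "version": 1,
        "metadata": {"component": _to_cdx(product, "application")},
        "components": [_to_cdx(d, "library") for d in deps],
    }


def audit_sbom(bom: dict) -> list:
    """Flag components a vulnerability handling process cannot work with:
    no version or purl (cannot be matched against advisories), duplicate purls,
    no hash (the shipped artifact cannot be verified)."""
    findings = []
    purl_count = Counter(c["purl"] for c in bom["components"] if "purl" in c)
    for c in bom["components"]:
        if "version" not in c:
            findings.append(f"{c['name']}: no version")
        if "purl" not in c:
            findings.append(f"{c['name']}: no purl")
        elif purl_count[c["purl"]] > 1:
            findings.append(f"{c['name']}: duplicate purl {c['purl']}")
        if not c.get("hashes"):
            findings.append(f"{c['name']}: no hash")
    return findings


def diff_sbom(old: dict, new: dict) -> dict:
    """Record what changed between two releases, keyed by component name."""
    a = {c["name"]: c.get("version") for c in old["components"]}
    b = {c["name"]: c.get("version") for c in new["components"]}
    return {
        "added": sorted(n for n in b if n not in a),
        "removed": sorted(n for n in a if n not in b),
        "updated": sorted(f"{n}: {a[n]} -> {b[n]}" for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def _fake_digest(label: str) -> str:
    """Stand-in for the SHA-256 of a real artifact (constructed data)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample: two firmware releases of a hypothetical gateway product.
RELEASE_2_4 = build_cyclonedx(
    Component("gateway-firmware", "2.4.0"),
    [
        Component("openssl", "3.0.13", "pkg:generic/openssl@3.0.13", _fake_digest("openssl-3.0.13"), ("Apache-2.0",)),
        Component("zlib", "1.3.1", "pkg:generic/zlib@1.3.1", _fake_digest("zlib-1.3.1"), ("Zlib",)),
        Component("vendor-blob", None),   # binary from a supplier, nothing known about it
    ],
    "urn:uuid:00000000-0000-4000-8000-000000000001",
)
RELEASE_2_5 = build_cyclonedx(
    Component("gateway-firmware", "2.5.0"),
    [
        Component("openssl", "3.0.14", "pkg:generic/openssl@3.0.14", _fake_digest("openssl-3.0.14"), ("Apache-2.0",)),
        Component("mbedtls", "3.6.0", "pkg:generic/mbedtls@3.6.0", _fake_digest("mbedtls-3.6.0"), ("Apache-2.0",)),
        Component("vendor-blob", None),
    ],
    "urn:uuid:00000000-0000-4000-8000-000000000002",
)

if __name__ == "__main__":
    print(json.dumps(RELEASE_2_4, indent=2))
    print("findings:", audit_sbom(RELEASE_2_4))
    print("changes 2.4.0 -> 2.5.0:", diff_sbom(RELEASE_2_4, RELEASE_2_5))
```

The audit deliberately treats an unversioned, unidentified supplier binary as a finding: a component that cannot be matched against advisories is exactly the one that will make a 24-hour early warning impossible, because you will not know you are affected. The diff output is what belongs in the updated technical documentation for the new release.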

Conclusion: Ensure compliance early on
The reporting obligations that apply from 11 September 2026 require companies to act now: the vulnerability handling process, the security contact and the internal escalation path must be in place before the first report has to go out within 24 hours. At the same time, companies should prepare for the full set of CRA requirements that apply from 11 December 2027, from conformity assessment and CE marking to SBOMs and free security updates over the support period. A comprehensive security and transparency concept built early is the key to keeping products on the EU's digital single market.