EU Cyber Resilience Act: June and September 2026 Reporting Deadlines Loom for Manufacturers of Products with Digital Elements
As manufacturers of connected products, IoT devices, and software-enabled hardware race toward critical compliance deadlines, the European Union's Cyber Resilience Act (CRA) will fundamentally transform cybersecurity requirements for products with digital elements. With actively exploited vulnerability reporting required from June 2026 and security incident reporting beginning in September 2026, manufacturers face an unprecedented mandate to integrate security throughout the product lifecycle, from design and development through post-market monitoring and incident response.
Executive Summary
The Cyber Resilience Act (Regulation (EU) 2024/2847), adopted by the European Parliament on March 12, 2024, with its obligations applying in phases through 2027, establishes binding cybersecurity requirements for hardware and software products with digital elements placed on the EU market. Unlike voluntary frameworks or sector-specific regulations, the CRA creates horizontal cybersecurity obligations affecting virtually every industry that manufactures or distributes products with connectivity, software, or digital functionality.
Key aspects include:
- Universal scope: Applies to all products with digital elements unless specifically exempted
- "Security by design" mandate: Cybersecurity must be integrated from initial product conception
- Ongoing obligations: Post-market monitoring, vulnerability management, incident reporting throughout product support lifecycle
- Critical deadlines:
  - June 2026: Manufacturers must report actively exploited vulnerabilities
  - September 2026: Security incident reporting obligations begin
  - December 2027: Full CRA compliance required for new products placed on market
- Substantial penalties: Up to €15 million or 2.5% of global annual turnover for serious violations
- Supply chain implications: Obligations extend to distributors, importers, and economic operators
The CRA represents the EU's most ambitious effort to address the cybersecurity of consumer and industrial products, aiming to reduce the prevalence of vulnerable devices in the marketplace and create accountability throughout the product supply chain.
What is the Cyber Resilience Act?
Legislative Context
The CRA forms part of the EU's comprehensive strategy to enhance cybersecurity resilience:
Related EU Regulations:
- NIS2 Directive: Network and information security requirements for entities
- AI Act: Regulation of artificial intelligence systems
- Data Act: Access and use of data from connected products
- General Data Protection Regulation (GDPR): Personal data protection
- Radio Equipment Directive (RED): Radio equipment and telecommunications terminal equipment
Together, these create a layered regulatory framework addressing cybersecurity from multiple angles: entity-level security (NIS2), product security (CRA), data governance (GDPR, Data Act), and sector-specific requirements.
Core Objectives
The CRA aims to:
1. Improve Security of Products with Digital Elements
- Reduce cybersecurity vulnerabilities in hardware and software
- Mandate security-by-design and security-by-default principles
- Create accountability for product security throughout lifecycle
2. Enable Users to Make Secure Choices
- Require clear information about product security features
- Mandate disclosure of support duration
- Create transparency about security update availability
3. Facilitate Vulnerability Disclosure and Coordination
- Establish vulnerability handling requirements for manufacturers
- Create coordinated vulnerability disclosure framework
- Enable security researchers to report vulnerabilities without legal risk
4. Strengthen Market Surveillance
- Empower authorities to monitor product security compliance
- Enable testing and assessment of products
- Create enforcement mechanisms for non-compliant products
What Products Are Covered?
Definition: "Product with Digital Elements"
Any hardware or software product where both of the following hold:
- The product or any of its components has data processing capability
- Connectivity enables communication with other devices or networks (directly or indirectly)
Practical Examples:
Consumer Electronics:
- Smartphones and tablets
- Smart home devices (thermostats, cameras, doorbells)
- Wearables (smartwatches, fitness trackers)
- Connected appliances (refrigerators, washing machines)
- Gaming consoles
- Smart TVs
Industrial Equipment:
- Industrial IoT sensors
- Building management systems
- Connected machinery
- Logistics tracking devices
- Medical devices with connectivity
Software:
- Operating systems
- Browsers
- VPN software
- Antivirus and security software
- Password managers
- Enterprise software applications
- Mobile applications
Important Exemptions:
Medical Devices:
Covered by Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR); CRA does not apply to avoid regulatory duplication.
Automotive:
Vehicles and their components covered by UN Regulation No. 155 on cybersecurity and software update management systems; CRA exemption to avoid conflict.
Aviation:
Aircraft components regulated under aviation safety framework; exempt from CRA.
Exclusively National Security/Defense:
Products used solely for national security or defense purposes.
Open-Source Software (Specific Conditions):
Non-commercial open-source software developed and supplied outside the course of a commercial activity.
Custom/Bespoke Products:
Products manufactured for own use or under specific customer contract not intended for market placement.
Key Requirements of the Cyber Resilience Act
1. Essential Cybersecurity Requirements (Annex I)
Security by Design and Security by Default:
What it Means:
- Security must be integrated from initial product design, not retrofitted
- Products must be configured securely "out of the box"
- Default credentials, insecure default settings, and unnecessary open ports prohibited
- Security features enabled by default
Practical Implications:
- No more default passwords like "admin/admin"
- Automatic security updates enabled by default
- Least privilege access controls from initial configuration
- Secure boot and firmware integrity verification
Risk-Based Security Measures:
Requirement:
Manufacturers must implement security measures appropriate to the risks posed by the product, considering:
- Nature and sensitivity of data processed
- Connectivity and exposure to attacks
- Product's role in broader systems (e.g., critical infrastructure)
- Foreseeable misuse scenarios
Examples:
- Authentication mechanisms (passwords, biometrics, multi-factor)
- Encryption of data at rest and in transit
- Access controls and user permission management
- Audit logging for security-relevant events
- Protection against unauthorized modification (firmware integrity)
Vulnerability Handling:
Obligation:
- Identify, document, and remediate vulnerabilities throughout product lifecycle
- Provide security updates in timely manner
- Communicate vulnerabilities and patches to users
- Maintain vulnerability disclosure policy
Timeline:
- Critical vulnerabilities: Patches within days to weeks (risk-dependent)
- Less severe vulnerabilities: Coordinated disclosure and patch release
- End-of-support planning to address vulnerabilities when updates cease
Resilience Against Cyber Attacks:
Requirement:
Products must withstand common attack techniques:
- Input validation to prevent injection attacks (SQL, command injection, etc.)
- Protection against buffer overflows and memory corruption
- Denial-of-service attack mitigation
- Protection of cryptographic keys and credentials
Secure Development:
Process Requirements:
- Use of secure coding practices
- Automated security testing (SAST, DAST)
- Third-party component security assessment (software composition analysis)
- Security review and testing before product release
2. Documentation and Transparency Requirements
CE Marking:
Requirement:
Products meeting CRA essential cybersecurity requirements bear CE marking indicating compliance.