EU's Cyber Resilience Act tightens rules for digital product security
The EU’s Cyber Resilience Act (CRA) has been in force since December 2024. The law sets strict security rules for all products with digital components sold in the EU, affecting manufacturers, importers and distributors alike. The CRA demands that security be built into products from the very first stages of design. Companies must also report any actively exploited vulnerabilities or serious incidents within set deadlines. These reporting rules will become mandatory in September 2026.
Manufacturers carry full responsibility for the security of all embedded third-party elements in their products. Non-compliance poses serious risks, as executives can face personal liability. While the law aims to strengthen cybersecurity, Germany’s draft implementation has drawn criticism for not offering enough support to smaller businesses. To help ease the burden, the EU’s SECURE programme provides €16.5 million in direct funding for SMEs. The goal is to assist them in improving the security of their digital products. Businesses that meet the CRA’s requirements may also gain a competitive advantage in the market.
The CRA now applies across the EU, setting clear security obligations for digital products. Companies must act quickly to meet the rules, with reporting deadlines approaching in 2026. Financial support is available, but concerns remain about the challenges for smaller firms.
