The EU’s new Cyber Resilience Act (CRA) sets strict cybersecurity requirements for digital products – and the timetable is fast approaching.
What is the CRA, the Cyber Resilience Act?
The CRA is an EU-wide regulation aimed at improving the cybersecurity of digital products – including both devices and software – throughout their entire lifecycle. The regulation applies to all manufacturers, importers and distributors whose products contain digital elements. In practice, this means that all products that communicate digitally fall within the scope of the regulation.
The CRA’s requirements are mandatory and identical for all companies operating within the EU. If the requirements are not met by the set deadline, the product cannot be placed on the EU market, or it may be withdrawn from sale. In addition, violations may result in significant sanctions.
CRA timeline & key dates
The most important dates for your company are 11 September 2026, when the vulnerability reporting requirements enter into force, and 11 December 2027, when the essential cybersecurity requirements for products start to apply.
The list below outlines the key publication dates of the CRA and its related requirements:
- 11 December 2025: Deadline for technical documentation for important and critical products (Article 7).
- 30 August 2026: Publication of the Type A standard (risk management and product cybersecurity measures). On the same day, the Type B standard on vulnerability handling will also be published.
- 11 September 2026: Vulnerability reporting requirements enter into force. Note: This requirement applies to existing products as well, not only those being placed on the market for the first time.
- 30 October 2026: Publication of the Type C standards for important/critical products (CRA Annexes III/IV) and the broader vertical standard for OT environments (ISA/IEC 62443).
- 30 October 2027: Publication of the Type B standard on general cybersecurity requirements.
- 11 December 2027: Essential cybersecurity requirements for products enter into force. These requirements apply to products placed on the market for the first time after 11 December 2027.
The European Commission has not yet issued standardisation requests or defined deadlines for other Type C standards.
What does the CRA mean for your company?
With the CRA, companies must assess the cybersecurity of their products, manage risks, and ensure that security is considered throughout the entire product lifecycle. This calls for new competencies, processes and documentation, as well as continuous development.
Our cybersecurity team is fully familiar with the CRA requirements and helps ensure that your company meets them correctly and on time. Our services include:
- Compliance assessment
- Secure software and product development processes
- Threat modelling and risk management
- Security training
- Support for meeting IEC 62443 requirements
- Security testing and vulnerability identification