The EU Cyber Resilience Act: How to Get Ready by 2027

by admin

Many organizations still treat security as an afterthought in product development, and distributors often push products to market without verifying their security. With digital devices becoming deeply embedded in everyday life and cyberattacks growing more sophisticated, the EU decided it was time to raise the bar. The Cyber Resilience Act (CRA) was created to ensure that modern products are secure by design and remain protected throughout their entire lifecycle.

This article provides a clear overview of the CRA, what it means for manufacturers, distributors, and security teams, and the steps you need to take now to achieve compliance before the regulation fully takes effect.

Key Takeaways:

  • The CRA fundamentally shifts security into the product design phase.
    Security can no longer be bolted on at the end; manufacturers must demonstrate secure-by-design practices from planning through post-release support.
  • Continuous vulnerability handling is now a legal requirement.
    Organizations must detect, document, and resolve vulnerabilities throughout the entire product lifecycle.
  • SBOMs and supply-chain transparency are mandatory.
    Every component inside your product, including open-source and third-party modules, must be tracked, audited, and kept up to date to meet compliance expectations.
  • Manufacturers, importers, and distributors all share responsibility.
    Each role in the supply chain must ensure that products meet essential cybersecurity requirements and carry CE marking.
  • Full compliance is required by December 2027.
    The CRA applies not only to new releases after 2027 but also to existing products that undergo significant modifications.

What is the Cyber Resilience Act?

Think of the Cyber Resilience Act (CRA) as the EU entering a room full of insecure digital products that really should not connect to the internet, and realizing that the market is in chaos.

The EU Cyber Resilience Act sets obligatory cybersecurity requirements for any product with a digital element. If it can connect, compute, transmit, or quietly ping a server at 3 a.m., the CRA wants it to follow certain rules. The idea is simple yet ambitious — ensure that products entering the EU market have fewer vulnerabilities, follow secure-by-design principles, and receive ongoing security care throughout their lifecycle.

In practice, this means:

  • Secure design and development — no more shipping devices with default passwords like “hello123.”
  • Continuous vulnerability management — security updates can’t be optional.
  • Transparency for buyers — users should be able to tell whether a product is actually secure, not just promoted as “smart.”
  • Mandatory compliance assessments for critical products — an actual third-party check, not just taking manufacturers at their word.

In short, the Cyber Resilience Act is the EU’s attempt to make digital products as secure as possible to protect users and businesses from sensitive data leaks.

To explore how a risk-based cyber resiliency strategy can strengthen protection without unnecessary spend, take a look at our article on modern resiliency approaches.

Why Did the EU Introduce the CRA?

The EU introduced the CRA because the digital market created inconsistent obligations for manufacturers, unclear expectations for users, and a flourishing environment for vulnerabilities. As a result, products built in one country could be shipped across the EU and pose security risks everywhere. Attackers don’t stop at borders, and neither do insecure IoT devices.

The EU saw three main issues:

  • Products were insecure by default. Many digital products entered the market with known vulnerabilities or without any plan for providing security updates. Manufacturers prioritized speed and price over safety, leaving consumers and businesses exposed.
  • Users couldn’t tell secure products from risky ones. Product descriptions and marketing slogans rarely gave buyers meaningful information about cybersecurity. Everything was claimed to be “smart,” but nobody mentioned safety.
  • A fragmented regulatory landscape. Each country introduced its own rules, and companies were confused by a variety of national requirements. Complying with one law didn’t guarantee compliance with another, which slowed innovation and increased development costs.

The CRA offers a unified framework that leaves no room for guessing whether a new smart watch follows the same rules in Germany and Spain. 

The CRA aims to:

  • reduce vulnerabilities across all digital products,
  • create a more predictable environment for manufacturers,
  • make cybersecurity understandable for consumers.

Cybersecurity can’t depend on luck or last-minute patches. It needs rules that apply to everybody.

Cyber Resilience Implementation Deadlines

The EU structured the CRA rollout in phases because manufacturers need time to adapt. Here are the timeline details:

  • December 10, 2024 — The CRA officially enters into force.
    The authorities created the regulation but haven’t enforced it yet.
  • June 11, 2026 — Conformity assessment bodies step into the spotlight.
    These are the independent organizations that will verify whether high-risk digital products meet the CRA’s security standards before they are released to the market. From this date, the rules governing how these bodies operate officially apply.
  • September 11, 2026 — Mandatory reporting of exploited vulnerabilities.
    Manufacturers must report any actively exploited vulnerabilities to supervisory authorities. No more “let’s quietly fix it and hope no one notices.” If attackers are already using a flaw, regulators must immediately know about it. This is the CRA making sure that transparency isn’t optional.
  • December 11, 2027 — The CRA applies in full.
    From this day on, all essential cybersecurity requirements and the related obligations apply in full.

However, there’s a twist:

Products released before this date are not automatically safe.

If a company makes a significant change to an existing product — feature updates, architectural changes, etc. — the CRA kicks in for that product too.

So the timeline isn’t just a bureaucratic schedule — it’s a slow, deliberate improvement of product security.

EU CRA Enforcement and Penalties

Let’s talk fines, because the numbers are an inspiration for change.

1. Major cyber requirements: up to €15 million or 2.5% of global revenue.

Failures to meet the most critical obligations can cost a company up to €15,000,000 or 2.5% of worldwide annual turnover. For a large manufacturer, that’s not a slap on the wrist — that’s a punch in the gut.

2. Other CRA obligations: up to €10 million or 2% of global revenue.

If a company fails to meet secondary obligations, the fine can reach €10,000,000 or 2% of global turnover. Still enough to get executive attention.

3. Misleading authorities: up to €5 million or 1% of global revenue.

Companies that provide incomplete, incorrect, or misleading information to regulators face fines of up to €5,000,000 or 1% of global turnover. So “we lost that report” stops being a viable strategy.

How do regulators calculate the fine? Fines aren’t one-size-fits-all. Authorities must consider:

  • How serious the violation is
  • Whether the company was fined before for similar issues
  • The company’s size and market share
  • The impact of the non-compliance.

So a small startup that forgot a document won’t be treated like a multinational corporation that knowingly shipped insecure firmware to millions of users.

Under the EU-wide cooperation mechanism, whenever a fine is issued in one Member State, that information is shared across the EU’s market surveillance network. There is no hiding mistakes in one corner of the continent, since the whole regulatory network will get the memo.

Cyber Resilience vs. Cybersecurity

Understanding the distinction between cybersecurity and cyber resilience helps clarify the purpose of the CRA, which aims to improve both the security of digital products and the ability of organizations to withstand incidents.

Cybersecurity: Preventing Unauthorized Access and Reducing Risk

Cybersecurity is designed to protect systems and data from unauthorized access and damage. Its primary objective is to prevent breaches by establishing strong defense barriers.

Key elements include:

  • Network security protects network integrity and prevents unauthorized access.
  • Application security covers the processes and tools that protect software from exploitation.
  • Information security protects sensitive data from theft, modification, or leaks.
  • Endpoint protection secures individual devices such as laptops, smartphones, or tablets.

Common threats addressed by cybersecurity include malware, ransomware, phishing campaigns, and exploitation of application vulnerabilities such as SQL injection. Cybersecurity is mostly proactive, aiming to stop attackers before they can cause harm.

Cyber Resilience: Ensuring Continuity and Recovery After an Incident

What is cyber resilience, then? Cyber resilience means an organization can keep running, bounce back quickly, and limit damage during a cyber attack. It assumes that some incidents are unavoidable, so the organization must be prepared to withstand them.

Key elements include:

  • Business continuity planning to keep critical systems running even during an attack.
  • Incident response frameworks to quickly detect, stop, and handle threats.
  • System redundancies and backups to reduce downtime and restore systems fast.
  • Crisis communication to keep employees, customers, and stakeholders informed.
  • Disaster recovery procedures to restore systems and data after disruption.

Cyber resilience is both proactive and reactive. It requires anticipating incidents, building organizational adaptability, and preparing for controlled recovery. For a worked example, read our article on how to improve AWS cyber resilience with actionable steps.

Why Both Matter — and How the CRA Fits In

A reliable security strategy requires both prevention and resilience. Strong cybersecurity reduces the likelihood of an incident; strong resilience limits the impact when prevention fails. The CRA requires products to be secure by design (cybersecurity) and supported over their full lifecycle through timely updates, vulnerability handling, and maintenance obligations (resilience).

| Category | Cybersecurity | Cyber Resilience |
|---|---|---|
| Goal | Prevent unauthorized access and breaches. | Maintain operations and recover quickly when an incident occurs. |
| Core Question | “How do we keep attackers out?” | “How do we keep operating even if attackers get in?” |
| Focus Areas | Network protection, app security, information and endpoint defenses | Business continuity, incident response, breach recovery, crisis communication |
| Approach | Mostly proactive; focuses on blocking threats before they cause harm | Proactive and reactive; prepares for incidents and manages recovery |
| Risks Addressed | Ransomware, malware, phishing | Operational disruption, data loss, downtime, reputational damage |
| CRA Connection | Requires “secure by design” products and risk-based security controls | Requires lifecycle support, updates, vulnerability handling |

Does the CRA Apply to You?

The EU CRA applies to the companies that build the products and to those that import or distribute them. If your organization plays a role in creating, delivering, or reselling digital products within the EU, the CRA likely applies to you.

1. Manufacturers

A manufacturer is any individual or organization that develops, designs, or manufactures products with digital elements, or has them produced under its name or trademark. This definition includes:

  • companies that design and build hardware or software products,
  • businesses that outsource technical development but promote the product under their brand,
  • organizations offering such products for profit or free of charge.

Manufacturers must comply with the most extensive set of responsibilities under the CRA, including secure design, lifecycle maintenance, conformity assessments, documentation, and vulnerability reporting.

2. Importers

An importer is any EU-based company that places on the EU market a product with digital elements that carries the brand of an organization located outside the EU. For example:

  • a distributor bringing smartphones produced in Asia into the EU,
  • a company importing smart home devices manufactured in the United States,
  • an EU supplier introducing third-party software or hardware to European customers.

Importers must ensure that non-EU products comply with Cyber Resilience Act requirements before they can be made available in the European market.

3. Distributors

A distributor is anyone in the supply chain (except manufacturers or importers) who sells a digital product in the EU without changing it. This includes:

  • retailers selling connected devices,
  • online marketplaces offering digital products,
  • wholesalers supplying hardware or software to vendors.

Distributors must check that products have the required compliance labels and documents before selling them.

In short, if you sell, build, or deliver digital products in the EU, the CRA likely applies to you.

Core CRA Obligations for Manufacturers and Distributors

These are the basic requirements that determine whether a product can be sold in the EU. Manufacturers have the most responsibilities, but importers and distributors must also verify compliance before selling products.

Security-by-design and secure development

Manufacturers must build cybersecurity into products from the start. This includes:

  • Conducting risk assessments for each product.
  • Designing systems to reduce attack surface.
  • Shipping with secure default settings, with the option for users to reset the product to them at any time.
  • Using development practices that minimize vulnerabilities.

Vulnerability management and updates

Products with known security flaws cannot be sold in the EU. Products must:

  • Support timely security updates (automatic by default).
  • Notify users of available patches and let them postpone installation if needed.
  • Allow users to erase all data and restore the device to factory settings.
  • Record security events such as unauthorized access and data changes.
  • Receive fixes for vulnerabilities discovered after release, throughout the product’s support period.

Data protection and integrity controls

Products must have technical measures to ensure:

  • Confidentiality of stored and transmitted data, using strong encryption.
  • Integrity of programs, commands, configurations, and data.
  • Processing only the data needed for the product’s purpose.
  • Protection against unauthorized access through authentication and identity management.

If you need support integrating real cyber resilience into your security operations, see how UnderDefense, in partnership with Accedian, can help strengthen your defenses.

Resilience and Incident Mitigation

Products must keep working during security incidents. This includes:

  • Protection against denial-of-service attacks.
  • Limiting negative effects on other connected devices or networks.
  • Using techniques to reduce the impact of successful attacks.

Technical documentation, conformity assessments & CE marking

Manufacturers must prepare documentation proving compliance, including risk assessments, testing records, design justifications, and security controls used during development.

Depending on the product category (“important,” “critical,” or “standard”), manufacturers may need a third-party assessment. After this, the product must display the CE marking to be sold in the EU.

Obligations for importers and distributors

Importers must verify that manufacturers have completed the required assessment, provided all mandatory documentation, and ensured the product meets CRA security requirements. Distributors must not sell products if documentation, CE marking, or instructions are missing, or if the product appears insecure.

Practical Steps to Get Ready for CRA Compliance

The following cyber resilience plan transforms the CRA’s legal obligations into actionable steps.

1. Categorize and inventory your products

Identify which products fall within the scope of the European Cyber Resilience Act. Sort them into default, “important,” and “critical” categories (the last two may need third-party assessment). Keep an updated list of all digital products and their variants.

2. Create comprehensive technical documentation

The CRA requires detailed documentation that must be kept for 10 years. This includes:

  • Threat models and cybersecurity risk assessments.
  • Design decisions related to security controls.
  • Testing results and verification evidence.
  • A complete and updated software bill of materials (SBOM).
  • Patch logs and update deployment records.

Documentation must be clear and ready for inspection by market surveillance authorities.

3. Set up a vulnerability management program

You need a structured process covering the full vulnerability lifecycle:

  • Intake of vulnerability reports from researchers, customers, or internal teams.
  • Severity scoring and prioritization.
  • Patch development and release timelines that meet CRA expectations.
  • Notification of authorities within 24 hours when a vulnerability is actively exploited.

4. Update user instructions and security guidance

User documentation must be clear, complete, and aligned with CRA rules. This includes:

  • Instructions for secure configuration (for businesses and consumers).
  • Clear explanations of user responsibilities.
  • Translations for EU markets.

5. Strengthen supply chain and vendor agreements

Update contracts to include CRA security requirements. Audit high-risk suppliers for CRA readiness and strong security. Remember: supply chain weaknesses are now your regulatory liability under the CRA.

6. Prepare for CE marking and compliance assessments

Build compliance checks into your engineering process. Set aside time and budget for internal or third-party assessments. Document security measures applied before and after launch.

7. Reuse existing regulatory work where possible

Many organizations already comply with frameworks such as GDPR, NIS 2, DORA, ISO 27001, or IEC 62443. These can reduce the workload:

  • Extend GDPR risk assessments to include product-level cyber risks.
  • Reuse risk logs, impact assessments, and documentation from NIS 2 and DORA.
  • Create shared governance structures that serve multiple regulations at once.

8. Build continuous monitoring and update systems

CRA compliance doesn’t end at launch. You should:

  • Track real-time threats relevant to your products.
  • Keep SBOMs and documentation updated.
  • Monitor products for security issues.
  • Define clear roles for post-market surveillance and maintenance.

What the CRA Means for Security & Product Teams

For security leads, engineers, and product owners, the CRA reshapes everyday workflow (and occasionally opens a can of worms). Here’s what changes behind the scenes:

Security permanently moves upstream

The era of “we’ll fix it before release” is officially over. Under the CRA, security has to be integrated into every phase of development. Threat modeling becomes part of architecture discussions, not post-mortems, while risk assessments are required before new features ship. 

If devs once saw security as something that blocks Friday deployments, now it’s something that shapes Monday planning.

SBOMs become your source of truth

If you’ve ever said, “I’m not totally sure what’s inside this product,” the CRA says: fix that. Teams must maintain a living SBOM that is updated automatically with every build. On top of that, it should cover open-source, commercial, and internal components and show vulnerabilities with clear ownership.

This isn’t just a dev task anymore — product, compliance, and security teams all need to be aligned on what’s in the stack at any moment.

Vulnerability handling becomes a daily discipline

Teams will need to adopt a continuous vulnerability intake and triage workflow, document timelines for issuing security patches, and monitor for new, post-release issues. 
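The two sections above (a living SBOM with clear ownership, and a continuous intake and triage workflow with the 24-hour early-warning deadline from step 3) are easier to picture with a small script. The following is an added example, not code from the article or from UnderDefense: it joins a constructed CycloneDX-style SBOM against a constructed advisory feed, flags components that nobody owns, and computes the notification deadline for anything actively exploited. The SBOM contents, advisory identifiers (ADV-0001, ADV-0002), the `owner` property convention, and the simplified version comparison are all assumptions made for illustration.

```python
"""Hypothetical CRA readiness check over a CycloneDX-style SBOM (added example).

Everything here is constructed for illustration: the SBOM, the advisory feed,
and the 'owner' property convention. A real pipeline would load the SBOM
emitted by the build and pull advisories from a vulnerability database.
"""
from datetime import datetime, timedelta

# Constructed SBOM in a CycloneDX-like shape (not produced by any real tool).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "smart-thermostat-fw", "version": "2.4.0"}},
    "components": [
        {"type": "library", "name": "libtls", "version": "1.2.9",
         "supplier": {"name": "TLS Project"},
         "properties": [{"name": "owner", "value": "platform-team"}]},
        {"type": "library", "name": "jsonparse", "version": "0.9.1",
         "supplier": {"name": "Example OSS"},
         "properties": [{"name": "owner", "value": "firmware-team"}]},
        # Constructed gap: third-party stack with no supplier and no owning team.
        {"type": "library", "name": "vendor-ble-stack", "version": "3.0.0"},
    ],
}

# Constructed advisory feed: component name plus the first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "component": "libtls", "affected_below": "1.3.0",
     "severity": "high", "actively_exploited": True},
    {"id": "ADV-0002", "component": "jsonparse", "affected_below": "0.9.0",
     "severity": "medium", "actively_exploited": False},
]

EARLY_WARNING_WINDOW = timedelta(hours=24)  # the 24-hour deadline from step 3


def parse_version(v):
    """Simplified dotted-numeric version parsing (assumption: no pre-release tags)."""
    return tuple(int(part) for part in v.split("."))


def component_owner(component):
    """Return the owning team declared in CycloneDX 'properties', or None."""
    for prop in component.get("properties", []):
        if prop.get("name") == "owner":
            return prop.get("value")
    return None


def ownership_gaps(sbom):
    """Components without a supplier or an owning team; nobody can be tasked
    with patching these when an advisory lands."""
    gaps = []
    for c in sbom["components"]:
        missing = []
        if "supplier" not in c:
            missing.append("supplier")
        if component_owner(c) is None:
            missing.append("owner")
        if missing:
            gaps.append({"component": c["name"], "missing": missing})
    return gaps


def match_advisories(sbom, advisories):
    """Join SBOM components against the advisory feed on name and version range."""
    matches = []
    for c in sbom["components"]:
        for adv in advisories:
            affected = (adv["component"] == c["name"]
                        and parse_version(c["version"]) < parse_version(adv["affected_below"]))
            if affected:
                matches.append({"component": c["name"], "version": c["version"],
                                "advisory": adv["id"], "severity": adv["severity"],
                                "actively_exploited": adv["actively_exploited"],
                                "owner": component_owner(c)})
    return matches


def notification_deadlines(matches, detected_at):
    """Early-warning deadline for every actively exploited finding."""
    return {m["advisory"]: detected_at + EARLY_WARNING_WINDOW
            for m in matches if m["actively_exploited"]}


def audit(sbom, advisories, detected_at):
    """Full readiness report: ownership gaps, open findings, and deadlines."""
    matches = match_advisories(sbom, advisories)
    return {"ownership_gaps": ownership_gaps(sbom),
            "findings": matches,
            "early_warning_due": notification_deadlines(matches, detected_at)}


def run_demo(detected_iso="2026-10-01T09:00:00+00:00"):
    """Run the audit at a constructed detection time (ISO 8601 string)."""
    return audit(SBOM, ADVISORIES, datetime.fromisoformat(detected_iso))


if __name__ == "__main__":
    report = run_demo()
    for gap in report["ownership_gaps"]:
        print(f"GAP  {gap['component']}: missing {', '.join(gap['missing'])}")
    for f in report["findings"]:
        flag = "EXPLOITED" if f["actively_exploited"] else "open"
        print(f"VULN {f['component']} {f['version']} -> {f['advisory']} "
              f"[{f['severity']}, {flag}] owner={f['owner']}")
    for adv_id, due in report["early_warning_due"].items():
        print(f"DUE  {adv_id}: early warning to authorities by {due.isoformat()}")
```

Running it reports the unowned `vendor-ble-stack`, the exploited `libtls` finding assigned to `platform-team`, and a 24-hour deadline one day after detection; `jsonparse` is not flagged because its version is already at or above the fixed release. In a real pipeline this check would run on every build, which is what keeps the SBOM "living" rather than a document produced once for the audit file.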

Supply chain risk is now your responsibility

If your product includes someone else’s code, you’re accountable for its security. You need to ensure ongoing monitoring of third-party suppliers, build security clauses and update commitments into SLAs, and require SBOMs from every vendor.

Security teams will need to treat their supply chain like part of their own codebase.

How UnderDefense Can Help

Meeting the requirements of the CRA becomes much easier when security and compliance work hand in hand. UnderDefense brings both together.

Our compliance experts, powered by the UnderDefense MAXI AI platform, automate gap assessments, generate audit-ready documentation, and continuously monitor your security posture across key frameworks like ISO 27001, SOC 2, NIST, GDPR, HIPAA, and PCI DSS. Instead of treating compliance as a checkbox, we help turn it into a long-term business advantage.

With MAXI, you can reach 40% audit readiness in the first 40 minutes, run realistic AI-driven audit simulations, and avoid costly surprises. Our team also handles detailed reporting, communications with auditors, and ongoing compliance scoring so you can stay focused on growth. 

If you want to strengthen your CRA readiness and build a resilient, future-proof security program, reach out to our experts.

1. What are the key CRA deadlines?

The CRA officially took effect on 10 December 2024. On 11 June 2026, requirements for conformity assessment bodies begin to apply. On 11 September 2026, manufacturers must start notifying authorities about any vulnerabilities exploited in the wild. On 11 December 2027, the regulation becomes fully enforceable.

2. What does cyber resilience actually mean?

Cyber resilience refers to the capability of an individual or organization to withstand, recover from, and adapt to cyber incidents.

3. Does my product need to comply with the CRA?

As a general rule, any connected product sold within the EU is expected to meet the CRA’s requirements. However, not everything is in scope. Some categories, such as certain types of pure SaaS, are excluded. 
