13th Jan 2026
Cyber Resilience Act – Manufacturers
The CRA acknowledges that manufacturers along the entire supply chain are responsible for security outcomes.
This is why the CRA addresses not only final products, such as smartphones or apps, but also components, such as chips and operating systems.
What are the main rules?
Businesses selling hardware and software products must ensure that the hardware and software have been designed to be foundationally secure. This includes, for instance, requirements on security by default (no more “password” as default password), access control, the use of cryptography as well as automatic updates. In addition, manufacturers will be required to maintain their products for the time the product is expected to be in use.
Before placing on the market
The first step for the manufacturer is to carry out a risk assessment, on the basis of which it has to define how to implement the appropriate essential cybersecurity requirements. Harmonised standards may further support manufacturers with this task. The manufacturer will need to explain how it complies with adequate cybersecurity requirements in the technical documentation and carry out a conformity assessment procedure.
At placement on the market
At the end of the process, the manufacturer can affix the CE marking and attach a declaration of conformity to its products. Furthermore, the manufacturer needs to indicate the support period, i.e. how long the product will be supported, and provide information and instructions for the use of the product.
After placement on the market
The manufacturer has to handle vulnerabilities for the indicated support period, and report actively exploited vulnerabilities and severe incidents affecting the security of the product.

For more information see link – https://digital-strategy.ec.europa.eu/en/policies/cra-manufacturers