Cyber Resilience Act (CRA): What Software Manufacturers Must Implement by 2027

Anyone who brings software or connected products to the European market will have no choice starting at the end of 2027: The Cyber Resilience Act makes cybersecurity a legal requirement throughout the entire product lifecycle. The first binding deadline takes effect as early as September 2026. For companies in industrial and highly regulated environments, this is not an abstract compliance issue, but a concrete requirement for architecture, development processes, and operations.

This article outlines what the CRA requires of manufacturers, which deadlines really matter, and what steps need to be taken now to ensure that a mandatory requirement doesn’t become a risk—and, in the best-case scenario, turns into a competitive advantage. We’ll share how we’re already implementing these key requirements in our own projects today—often long before they became mandatory.

Cyber Resilience Act (CRA): What Software Manufacturers Must Implement by 2027

Anyone who brings software or connected products to the European market will have no choice starting at the end of 2027: The Cyber Resilience Act makes cybersecurity a legal requirement throughout the entire product lifecycle. The first binding deadline takes effect as early as September 2026. For companies in industrial and highly regulated environments, this is not an abstract compliance issue, but a concrete requirement for architecture, development processes, and operations.

This article outlines what the CRA requires of manufacturers, which deadlines really matter, and what steps need to be taken now to ensure that a mandatory requirement doesn’t become a risk—and, in the best-case scenario, turns into a competitive advantage. We’ll share how we’re already implementing these key requirements in our own projects today—often long before they became mandatory.

What the Cyber Resilience Act Covers and Who It Affects

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the first EU-wide regulation to establish minimum cybersecurity requirements for all products with digital elements. This includes any hardware or software that can be connected directly or indirectly to a device or network and is made available on the EU market (BSI: Cyber Resilience Act). What matters, therefore, is not the industry but the product: the same logic applies to everything from inexpensive consumer gadgets to B2B software to complex industrial systems.

Most products are considered standard products for which self-assessment is sufficient. The regulation lists categories that are more critical to security in Annexes III and IV as important and critical products, such as password managers, firewalls, smart card readers, and smart meter gateways. Stricter conformity assessment procedures apply to these products. Exceptions include products that are already regulated by other EU regulations, such as medical devices, motor vehicles, civil aviation products, and marine equipment.

Important practical information regarding the CRA and software: Commercial open-source software is also fully subject to the regulation. Only non-commercial open-source projects are exempt. Anyone who integrates open-source components into commercial products is therefore also responsible for their security.

The CRA Timeline: Three Key Deadlines

The CRA took effect at the end of 2024, but its provisions are being phased in gradually. This phased implementation is actually the good news, as it gives manufacturers a clearly defined preparation period. Three dates should be included in the project calendar (European Commission: CRA Summary):

  • June 2026: The regulations governing conformity assessment bodies (notified bodies) take effect. Member States designate the bodies that will subsequently be authorized to assess the conformity of more complex products.
  • September 2026: The reporting requirements take effect. Starting on this date, manufacturers must report actively exploited vulnerabilities and serious security incidents.
  • December 2027: The regulation will be fully in effect. Products newly placed on the market must meet all CRA requirements and bear the CE mark, which will also certify cybersecurity in the future.

Three years may sound like a long time. But in the reality of complex, long-lived software systems, it rarely is. Security requirements cannot be reliably retrofitted without affecting the architecture and release schedule. Anyone who waits until 2027 runs the risk of having to overhaul entire product lines under time pressure.

What do I need to do under the Cyber Resilience Act? An overview of CRA obligations

CRA obligations can be traced back to a simple principle: Cybersecurity must be ensured and demonstrated throughout a product’s entire lifecycle, from planning through development and delivery to operation. In concrete terms, this involves five closely interrelated areas of responsibility.

Security by Design Becomes Mandatory

Until now, “Security by Design” has been a best practice; with the CRA, it becomes a “Security by Design” requirement. Products must be developed according to the “Secure by Default” principle from the very first design phase. This includes a minimal attack surface, secure default configurations, encrypted communication, the elimination of hard-coded passwords, and robust, signed update mechanisms. Security is thus not a feature that is added later, but rather an inherent characteristic of the architecture.

Risk Analysis and SBOM as a Foundation

The first step is risk assessment. For every product with digital elements, the manufacturer must analyze the cybersecurity risks and take the results into account throughout all phases of the product lifecycle. This forms the basis for the Software Bill of Materials (SBOM), a structured inventory of all components and dependencies used. The SBOM is mandatory but does not have to be published. Its practical benefit is that if a new vulnerability emerges in a library, it takes only minutes—rather than days—to determine which products are affected.

In our projects, a well-maintained SBOM is standard practice anyway, and automated security scans—some of which are AI-powered—are an integral part of our CI/CD pipelines. For us, ensuring transparency regarding all components used is therefore not an extra burden for the CRA, but rather part of the normal development process.

Updates and Vulnerability Management Throughout the Support Period

Responsibility does not end with the sale. Throughout the entire support period—which is typically at least five years and must be transparently communicated by the manufacturer—security updates must be provided and continuous vulnerability management must be carried out. Within the organization, this task is best centralized in a PSIRT (Product Security Incident Response Team), which records, assesses, and coordinates the resolution of vulnerabilities.

Reporting Requirements to ENISA

Starting September 11, 2026, actively exploited vulnerabilities and serious security incidents must be reported via a central platform operated by the EU Cybersecurity Agency (ENISA). The timeline is tight: an initial early warning within 24 hours, supplementary information within 72 hours, and a final report no later than 14 days after a security update is released or one month after the initial report in the case of incidents. Those who wait until an emergency to set up these processes will lose valuable hours.

In addition, there are the formal requirements: technical documentation, conformity assessment, and CE marking, which must be kept up to date throughout the entire support period (European Commission: Conformity Assessment).

Consequences of Noncompliance

The CRA is not a toothless set of regulations. Violations of the essential safety requirements set forth in Annex I, as well as of the reporting and evaluation obligations, may be punishable by fines of up to 15 million euros or 2.5 percent of global annual revenue, whichever is higher. Violations of other obligations are subject to fines of up to 10 million euros or 2 percent of revenue, while providing false or misleading information to authorities is subject to fines of up to 5 million euros or 1 percent.

In addition to the financial risk, market access is at stake: Products that are not CRA-compliant as of December 2027 may no longer be placed on the market in the EU. Added to this is the damage to a company’s reputation—which is difficult to quantify but very real—if a product is publicly deemed unsafe.

The CRA in Practice: Industry, the IoT, and Small and Medium-Sized Enterprises

The CRA is particularly noticeable where physical products and software converge. In mechanical and plant engineering, control systems are now networked; in the smart home segment, nearly every device communicates with the cloud. It is precisely these networked products that are the focus of the regulation, and it is here in particular that update mechanisms and vulnerability management over long product lifecycles pose significant challenges.

For small and medium-sized enterprises, the message is uncomfortable but clear: The CRA does not ask about company size. Any company offering connected products must establish structures for risk analysis, updates, and reporting channels early on. The workload is distributed much more effectively when it is integrated into ongoing development cycles rather than launched as a special project shortly before the deadline.

Artificial intelligence can significantly reduce this effort. AI now provides reliable support in risk analysis and threat modeling, automated security scans, and reviewing dependencies for the SBOM.

At BAYOOTEC, a significant portion of the new code is generated with the help of AI, and we use AI-powered automation for tasks such as pull request reviews and security scans. To ensure that AI remains compliant with regulations even in regulated environments, we have established an internal AI compliance officer with TÜV certification who oversees its use. This allows us to accelerate CRA implementation without sacrificing control over security and traceability.

From a Required Topic to a Competitive Edge

As complex as implementation may be, the CRA has a strategic upside. Companies that demonstrably incorporate security into their products will be able to highlight this as a quality feature in the future. In a market where buyers and clients are increasingly demanding proof of security, CRA compliance becomes a differentiating factor. The CE mark for cybersecurity will then signal not only legal compliance but also robust product quality “made for Europe.”

This perspective aligns with our project experience: Incorporating security from the very beginning not only ensures compliance but also results in more stable, maintainable, and durable systems. That is precisely the essence of Security by Design.

Conclusion: Start now, not in 2027

The Cyber Resilience Act is changing how software is developed, operated, and placed on the market in Europe. The key CRA requirements—risk analysis, security by design, SBOM, updates throughout the support period, PSIRT, and reporting obligations to ENISA—are challenging but manageable. Those who take the timeline—with deadlines in September 2026 and December 2027—seriously and start early will avoid costly rework and turn security into an advantage rather than a burden.

A good place to start is often a concise risk analysis or a clearly defined discovery phase, which makes it possible to identify the need for action and the required effort with a manageable level of resources before the major program begins.

At BAYOOTEC, we combine “Security by Design” with over 25 years of experience in regulated and security-critical environments—from risk analysis and architecture to secure operations. In addition, we boast an exceptionally high track record of successful implementation: We have successfully brought every project we’ve started to date into production. Feel free to contact us, and we’ll schedule a meeting to get to know each other.

FAQ: Cyber Resilience Act

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the first EU-wide regulation to establish mandatory cybersecurity requirements for all products with digital elements. It applies to hardware and software made available on the EU market and requires manufacturers to ensure and demonstrate security throughout the entire product lifecycle.

Manufacturers must incorporate cybersecurity from the design phase onward: conduct a risk analysis, develop products according to the “security by design” principle, maintain an SBOM, provide security updates throughout the entire support period, and implement vulnerability management. In addition, there are reporting requirements to ENISA, as well as technical documentation, conformity assessment, and CE marking prior to placing the product on the market.

The CRA took effect at the end of 2024 but is being implemented in phases. The rules for conformity assessment bodies have been in effect since June 11, 2026. As of September 11, 2026, the reporting requirements for actively exploited vulnerabilities and serious incidents will apply. The regulation will be fully applicable as of December 11, 2027.

This applies to anyone who makes products with digital elements available on the EU market, regardless of industry. This includes manufacturers of software, IoT devices, industrial equipment, and consumer products, as well as importers and distributors. Commercial open-source software is also covered. Excluded are products already covered by other EU regulations, such as medical devices or motor vehicles.

Violations of the essential safety requirements and reporting obligations may be punishable by fines of up to 15 million euros or 2.5 percent of global annual revenue, whichever is higher. For other breaches of obligations, fines of up to 10 million euros or 2 percent of revenue may be imposed.

An SBOM (Software Bill of Materials) is a structured list of all components and dependencies of a software product. The CRA requires manufacturers to maintain one, but it does not have to be published. The SBOM creates transparency in the supply chain and makes it possible to quickly identify affected components when new vulnerabilities are discovered.

Security by Design means that security is an integral part of product development from the very first design phase, rather than being added as an afterthought. Among other things, the CRA requires a minimal attack surface, secure default configurations, encrypted communication, the elimination of hard-coded passwords, and secure update mechanisms. It thus moves from being a best practice to a legal requirement.