{"id":15068,"date":"2026-07-01T16:35:26","date_gmt":"2026-07-01T14:35:26","guid":{"rendered":"https:\/\/www.bayootec.com\/?p=15068"},"modified":"2026-07-01T16:35:31","modified_gmt":"2026-07-01T14:35:31","slug":"cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027","status":"publish","type":"post","link":"https:\/\/www.bayootec.com\/en\/blog-en\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\/","title":{"rendered":"Cyber Resilience Act (CRA): What Software Manufacturers Must Implement by 2027"},"content":{"rendered":"<div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-padding-right:0px;--awb-padding-left:0px;--awb-padding-right-medium:9%;--awb-padding-left-medium:9%;--awb-padding-right-small:0%;--awb-padding-left-small:0%;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1352px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-padding-right-small:0px;--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:0%;--awb-margin-bottom-large:0px;--awb-spacing-left-large:0%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:0%;--awb-spacing-left-medium:0%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-title 
title fusion-title-1 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:44;line-height:1.2;\">What the Cyber Resilience Act Covers and Who It Affects<\/h2><\/div><div class=\"fusion-text fusion-text-1\"><p>The Cyber Resilience Act (Regulation (EU) 2024\/2847) is the first EU-wide regulation to establish minimum cybersecurity requirements for all products with digital elements. This includes any hardware or software that can be connected directly or indirectly to a device or network and is made available on the EU market (<a href=\"https:\/\/www.bsi.bund.de\/EN\/Themen\/Unternehmen-und-Organisationen\/Informationen-und-Empfehlungen\/Cyber_Resilience_Act\/cyber_resilience_act_node.html\" target=\"_blank\" rel=\"noopener noreferrer\">BSI: Cyber Resilience Act<\/a>). What matters, therefore, is not the industry but the product: the same logic applies to everything from inexpensive consumer gadgets to B2B software to complex industrial systems.<\/p>\n<p>Most products are considered standard products for which self-assessment is sufficient. The regulation lists categories that are more critical to security in Annexes III and IV as important and critical products, such as password managers, firewalls, smart card readers, and smart meter gateways. Stricter conformity assessment procedures apply to these products. 
Exceptions include products that are already regulated by other EU regulations, such as medical devices, motor vehicles, civil aviation products, and marine equipment.<\/p>\n<p>Important practical information regarding the CRA and software: Commercial open-source software is also fully subject to the regulation. Only non-commercial open-source projects are exempt. Anyone who integrates open-source components into commercial products is therefore also responsible for their security.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-2 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:44;line-height:1.2;\">The CRA Timeline: Three Key Deadlines<\/h2><\/div><div class=\"fusion-text fusion-text-2\"><p>The CRA took effect at the end of 2024, but its provisions are being phased in gradually. This phased implementation is actually good news, as it gives manufacturers a clearly defined preparation period. Three dates should be included in the project calendar (<a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/cra-summary\" target=\"_blank\" rel=\"noopener noreferrer\">European Commission: CRA Summary<\/a>):<\/p>\n<ul>\n<li><strong>June 2026:<\/strong> The regulations governing conformity assessment bodies (notified bodies) take effect. Member States designate the bodies that will subsequently be authorized to assess the conformity of more complex products.<\/li>\n<li><strong>September 2026:<\/strong> The reporting requirements take effect. 
Starting on this date, manufacturers must report actively exploited vulnerabilities and serious security incidents.<\/li>\n<li><strong>December 2027:<\/strong> The regulation will be fully in effect. Products newly placed on the market must meet all CRA requirements and bear the CE mark, which will also certify cybersecurity in the future.<\/li>\n<\/ul>\n<p>Three years may sound like a long time. But in the reality of complex, long-lived software systems, it rarely is. Security requirements cannot be reliably retrofitted without affecting the architecture and release schedule. Anyone who waits until 2027 runs the risk of having to overhaul entire product lines under time pressure.<\/p>\n<\/div><div class=\"fusion-image-element \" style=\"--awb-margin-bottom:20px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-1 hover-type-none\" style=\"border-radius:5px;\"><img decoding=\"async\" width=\"1366\" height=\"768\" title=\"BAYOOTEC Blog CRA\" src=\"https:\/\/www.bayootec.com\/wp-content\/uploads\/sites\/2\/2026\/07\/BAYOOTEC-Blog-CRA.jpg\" alt class=\"img-responsive wp-image-15062\" srcset=\"https:\/\/www.bayootec.com\/wp-content\/uploads\/sites\/2\/2026\/07\/BAYOOTEC-Blog-CRA-200x112.jpg 200w, https:\/\/www.bayootec.com\/wp-content\/uploads\/sites\/2\/2026\/07\/BAYOOTEC-Blog-CRA-400x225.jpg 400w, https:\/\/www.bayootec.com\/wp-content\/uploads\/sites\/2\/2026\/07\/BAYOOTEC-Blog-CRA-600x337.jpg 600w, https:\/\/www.bayootec.com\/wp-content\/uploads\/sites\/2\/2026\/07\/BAYOOTEC-Blog-CRA-800x450.jpg 800w, 
https:\/\/www.bayootec.com\/wp-content\/uploads\/sites\/2\/2026\/07\/BAYOOTEC-Blog-CRA-1200x675.jpg 1200w, https:\/\/www.bayootec.com\/wp-content\/uploads\/sites\/2\/2026\/07\/BAYOOTEC-Blog-CRA.jpg 1366w\" sizes=\"(max-width: 1100px) 100vw, 1366px\" \/><\/span><\/div><div class=\"fusion-title title fusion-title-3 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-top:20px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:44;line-height:1.2;\">What do I need to do under the Cyber Resilience Act? An overview of CRA obligations<\/h2><\/div><div class=\"fusion-text fusion-text-3\"><p>CRA obligations can be traced back to a simple principle: Cybersecurity must be ensured and demonstrated throughout a product\u2019s entire lifecycle, from planning through development and delivery to operation. 
In concrete terms, this involves five closely interrelated areas of responsibility.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-4 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top:20px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:20;line-height:var(--awb-typography1-line-height);\">Security by Design Becomes Mandatory<\/h3><\/div><div class=\"fusion-text fusion-text-4\"><p>Until now, \u201cSecurity by Design\u201d has been a best practice; with the CRA, it becomes a requirement. Products must be developed according to the \u201cSecure by Default\u201d principle from the very first design phase. This includes a minimal attack surface, secure default configurations, encrypted communication, the elimination of hard-coded passwords, and robust, signed update mechanisms. 
Security is thus not a feature that is added later, but rather an inherent characteristic of the architecture.<\/p>\n<\/div><div class=\"fusion-content-boxes content-boxes columns row fusion-columns-1 fusion-columns-total-1 fusion-content-boxes-1 content-boxes-icon-with-title content-left\" style=\"--awb-backgroundcolor:var(--awb-color4);--awb-border-radius-top-left:10px;--awb-border-radius-top-right:10px;--awb-border-radius-bottom-right:10px;--awb-border-radius-bottom-left:10px;--awb-body-color:var(--awb-color1);--awb-title-color:var(--awb-color1);--awb-item-margin-top:20px;--awb-item-margin-bottom:0px;--awb-hover-accent-color:var(--awb-color5);--awb-circle-hover-accent-color:var(--awb-color5);--awb-item-margin-bottom:40px;\" data-animationOffset=\"top-into-view\"><div style=\"--awb-backgroundcolor:var(--awb-color4);\" class=\"fusion-column content-box-column content-box-column content-box-column-1 col-lg-12 col-md-12 col-sm-12 fusion-content-box-hover content-box-column-last content-box-column-last-in-row\"><div class=\"col content-box-wrapper content-wrapper-background link-area-link-icon link-type-button content-icon-wrapper-yes icon-hover-animation-none\" data-animationOffset=\"top-into-view\"><div class=\"heading icon-left\"><a class=\"heading-link\" style=\"float:left;\" href=\"https:\/\/www.bayootec.com\/en\/it-services\/security-by-design\/\" target=\"_blank\" rel=\"noopener noreferrer\"><\/a><\/div><div class=\"fusion-clearfix\"><\/div><div class=\"content-container\">\n<p style=\"color: var(--awb-color1)\">For us at BAYOOTEC, this isn\u2019t a shift in mindset\u2014it\u2019s standard practice: Security by Design is one of our core USPs and is integrated into every project from the very first architectural decision. Especially in our regulated and security-critical projects\u2014such as those in the energy sector, critical infrastructure, and homeland security\u2014this approach has been standard practice for over 25 years. 
In other words, our teams are already implementing today what the CRA will require in the future.<\/p>\n<\/div><div class=\"fusion-clearfix\"><\/div><a class=\"fusion-read-more-button fusion-content-box-button fusion-button button-default fusion-button-default-size button- button-flat\" style=\"float:left;\" href=\"https:\/\/www.bayootec.com\/en\/it-services\/security-by-design\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span class=\"fusion-button-text\">Find out more<\/span><\/a><div class=\"fusion-clearfix\"><\/div><\/div><\/div><div class=\"fusion-clearfix\"><\/div><\/div><div class=\"fusion-title title fusion-title-5 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top:0px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:20;line-height:var(--awb-typography1-line-height);\">Risk Analysis and SBOM as a Foundation<\/h3><\/div><div class=\"fusion-text fusion-text-5\"><p>The first step is risk assessment. For every product with digital elements, the manufacturer must analyze the cybersecurity risks and take the results into account throughout all phases of the product lifecycle. This forms the basis for the Software Bill of Materials (SBOM), a structured inventory of all components and dependencies used. The SBOM is mandatory but does not have to be published. 
Its practical benefit is that if a new vulnerability emerges in a library, it takes only minutes\u2014rather than days\u2014to determine which products are affected.<\/p>\n<p>In our projects, a well-maintained SBOM is standard practice anyway, and automated security scans\u2014some of which are AI-powered\u2014are an integral part of our CI\/CD pipelines. For us, ensuring transparency regarding all components used is therefore not an extra burden for the CRA, but rather part of the normal development process.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-6 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top:20px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:20;line-height:var(--awb-typography1-line-height);\">Updates and Vulnerability Management Throughout the Support Period<\/h3><\/div><div class=\"fusion-text fusion-text-6\"><p>Responsibility does not end with the sale. Throughout the entire support period\u2014which is typically at least five years and must be transparently communicated by the manufacturer\u2014security updates must be provided and continuous vulnerability management must be carried out. 
Within the organization, this task is best centralized in a PSIRT (Product Security Incident Response Team), which records, assesses, and coordinates the resolution of vulnerabilities.<\/p>\n<\/div><div class=\"fusion-content-boxes content-boxes columns row fusion-columns-1 fusion-columns-total-1 fusion-content-boxes-2 content-boxes-icon-with-title content-left\" style=\"--awb-backgroundcolor:var(--awb-color4);--awb-border-radius-top-left:10px;--awb-border-radius-top-right:10px;--awb-border-radius-bottom-right:10px;--awb-border-radius-bottom-left:10px;--awb-body-color:var(--awb-color1);--awb-title-color:var(--awb-color1);--awb-item-margin-top:20px;--awb-item-margin-bottom:0px;--awb-hover-accent-color:var(--awb-color5);--awb-circle-hover-accent-color:var(--awb-color5);--awb-item-margin-bottom:40px;\" data-animationOffset=\"top-into-view\"><div style=\"--awb-backgroundcolor:var(--awb-color4);\" class=\"fusion-column content-box-column content-box-column content-box-column-1 col-lg-12 col-md-12 col-sm-12 fusion-content-box-hover content-box-column-last content-box-column-last-in-row\"><div class=\"col content-box-wrapper content-wrapper-background link-area-link-icon link-type-button content-icon-wrapper-yes icon-hover-animation-none\" data-animationOffset=\"top-into-view\"><div class=\"heading icon-left\"><a class=\"heading-link\" style=\"float:left;\" href=\"https:\/\/www.bayootec.com\/en\/it-services\/support\/\" target=\"_blank\" rel=\"noopener noreferrer\"><\/a><\/div><div class=\"fusion-clearfix\"><\/div><div class=\"content-container\">\n<p>This is exactly the model we follow at BAYOOTEC: Support, monitoring, and preventive maintenance are an integral part of every project after go-live, backed by project-specific SLAs covering response times and availability. 
The support required by the CRA throughout the entire support period is therefore not a new concept for our customers, but rather a proven part of our long-term partnerships, which often last more than ten years.<\/p>\n<\/div><div class=\"fusion-clearfix\"><\/div><a class=\"fusion-read-more-button fusion-content-box-button fusion-button button-default fusion-button-default-size button- button-flat\" style=\"float:left;\" href=\"https:\/\/www.bayootec.com\/en\/it-services\/support\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span class=\"fusion-button-text\">Find out more<\/span><\/a><div class=\"fusion-clearfix\"><\/div><\/div><\/div><div class=\"fusion-clearfix\"><\/div><\/div><div class=\"fusion-title title fusion-title-7 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top:0px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:20;line-height:var(--awb-typography1-line-height);\">Reporting Requirements to ENISA<\/h3><\/div><div class=\"fusion-text fusion-text-7\"><p>Starting September 11, 2026, actively exploited vulnerabilities and serious security incidents must be reported via a central platform operated by the EU Cybersecurity Agency (ENISA). The timeline is tight: an initial early warning within 24 hours, supplementary information within 72 hours, and a final report no later than 14 days after a security update is released or one month after the initial report in the case of incidents. 
Those who wait until an emergency to set up these processes will lose valuable hours.<\/p>\n<p>In addition, there are the formal requirements: technical documentation, conformity assessment, and CE marking, which must be kept up to date throughout the entire support period (<a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/cra-conformity-assessment\" target=\"_blank\" rel=\"noopener noreferrer\">European Commission: Conformity Assessment<\/a>).<\/p>\n<\/div><div class=\"fusion-title title fusion-title-8 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-top:20px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:44;line-height:1.2;\">Consequences of Noncompliance<\/h2><\/div><div class=\"fusion-text fusion-text-8\"><p>The CRA is not a toothless set of regulations. Violations of the essential safety requirements set forth in Annex I, as well as of the reporting and evaluation obligations, may be punishable by fines of up to 15 million euros or 2.5 percent of global annual revenue, whichever is higher. Violations of other obligations are subject to fines of up to 10 million euros or 2 percent of revenue, while providing false or misleading information to authorities is subject to fines of up to 5 million euros or 1 percent.<\/p>\n<p>In addition to the financial risk, market access is at stake: Products that are not CRA-compliant as of December 2027 may no longer be placed on the market in the EU. 
Added to this is the damage to a company\u2019s reputation\u2014which is difficult to quantify but very real\u2014if a product is publicly deemed unsafe.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-9 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-top:20px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:44;line-height:1.2;\">The CRA in Practice: Industry, the IoT, and Small and Medium-Sized Enterprises<\/h2><\/div><div class=\"fusion-text fusion-text-9\"><p>The CRA is particularly noticeable where physical products and software converge. In mechanical and plant engineering, control systems are now networked; in the smart home segment, nearly every device communicates with the cloud. It is precisely these networked products that are the focus of the regulation, and it is here in particular that update mechanisms and vulnerability management over long product lifecycles pose significant challenges.<\/p>\n<p>For small and medium-sized enterprises, the message is uncomfortable but clear: The CRA does not ask about company size. Any company offering connected products must establish structures for risk analysis, updates, and reporting channels early on. The workload is distributed much more effectively when it is integrated into ongoing development cycles rather than launched as a special project shortly before the deadline.<\/p>\n<p>Artificial intelligence can significantly reduce this effort. 
AI now provides reliable support in risk analysis and threat modeling, automated security scans, and reviewing dependencies for the SBOM.<\/p>\n<p>At BAYOOTEC, a significant portion of the new code is generated with the help of AI, and we use AI-powered automation for tasks such as pull request reviews and security scans. To ensure that AI remains compliant with regulations even in regulated environments, we have established an internal AI compliance officer with T\u00dcV certification who oversees its use. This allows us to accelerate CRA implementation without sacrificing control over security and traceability.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-10 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-top:20px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:44;line-height:1.2;\">From a Required Topic to a Competitive Edge<\/h2><\/div><div class=\"fusion-text fusion-text-10\"><p>As complex as implementation may be, the CRA has a strategic upside. Companies that demonstrably incorporate security into their products will be able to highlight this as a quality feature in the future. In a market where buyers and clients are increasingly demanding proof of security, CRA compliance becomes a differentiating factor. The CE mark for cybersecurity will then signal not only legal compliance but also robust product quality \u201cmade for Europe.\u201d<\/p>\n<p>This perspective aligns with our project experience: Incorporating security from the very beginning not only ensures compliance but also results in more stable, maintainable, and durable systems. 
That is precisely the essence of Security by Design.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-11 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-top:20px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:44;line-height:1.2;\">Conclusion: Start now, not in 2027<\/h2><\/div><div class=\"fusion-text fusion-text-11\"><p>The Cyber Resilience Act is changing how software is developed, operated, and placed on the market in Europe. The key CRA requirements\u2014risk analysis, security by design, SBOM, updates throughout the support period, PSIRT, and reporting obligations to ENISA\u2014are challenging but manageable. Those who take the timeline\u2014with deadlines in September 2026 and December 2027\u2014seriously and start early will avoid costly rework and turn security into an advantage rather than a burden.<\/p>\n<p>A good place to start is often a concise risk analysis or a clearly defined discovery phase, which makes it possible to identify the need for action and the required effort with a manageable level of resources before the major program begins.<\/p>\n<p>At BAYOOTEC, we combine \u201cSecurity by Design\u201d with over 25 years of experience in regulated and security-critical environments\u2014from risk analysis and architecture to secure operations. In addition, we have an exceptionally strong track record of successful implementation: We have successfully brought every project we\u2019ve started to date into production. 
Feel free to contact us, and we\u2019ll schedule a meeting to get to know each other.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-12 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-top:20px;--awb-margin-top-small:10px;--awb-margin-right-small:0px;--awb-margin-bottom-small:10px;--awb-margin-left-small:0px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"font-family:var(--awb-typography1-font-family);font-weight:var(--awb-typography1-font-weight);font-style:var(--awb-typography1-font-style);margin:0;--fontSize:44;line-height:1.2;\">FAQ: Cyber Resilience Act<\/h2><\/div><div class=\"accordian fusion-accordian\" style=\"--awb-border-size:1px;--awb-icon-size:20px;--awb-content-font-size:var(--awb-typography4-font-size);--awb-icon-alignment:left;--awb-hover-color:var(--awb-color2);--awb-border-color:rgba(26,26,26,0.25);--awb-background-color:var(--awb-color1);--awb-divider-color:var(--awb-color3);--awb-divider-hover-color:var(--awb-color3);--awb-icon-color:var(--awb-color8);--awb-title-color:var(--awb-color8);--awb-content-color:var(--awb-color8);--awb-icon-box-color:var(--awb-color8);--awb-toggle-hover-accent-color:var(--awb-color8);--awb-title-font-family:var(--awb-typography1-font-family);--awb-title-font-weight:var(--awb-typography1-font-weight);--awb-title-font-style:var(--awb-typography1-font-style);--awb-title-font-size:var(--awb-typography4-font-size);--awb-content-font-family:var(--awb-typography4-font-family);--awb-content-font-weight:var(--awb-typography4-font-weight);--awb-content-font-style:var(--awb-typography4-font-style);\"><div class=\"panel-group fusion-toggle-icon-unboxed\" id=\"accordion-15068-1\"><div class=\"fusion-panel panel-default panel-b0c99b06f40bff023 fusion-toggle-no-divider\"><div class=\"panel-heading\"><h2 class=\"panel-title toggle\" id=\"toggle_b0c99b06f40bff023\"><a aria-expanded=\"false\" aria-controls=\"b0c99b06f40bff023\" 
role=\"button\" data-toggle=\"collapse\" data-target=\"#b0c99b06f40bff023\" href=\"#b0c99b06f40bff023\"><span class=\"fusion-toggle-icon-wrapper\" aria-hidden=\"true\"><i class=\"fa-fusion-box active-icon awb-icon-minus\" aria-hidden=\"true\"><\/i><i class=\"fa-fusion-box inactive-icon awb-icon-plus\" aria-hidden=\"true\"><\/i><\/span><span class=\"fusion-toggle-heading\">What is the Cyber Resilience Act?<\/span><\/a><\/h2><\/div><div id=\"b0c99b06f40bff023\" class=\"panel-collapse collapse \" aria-labelledby=\"toggle_b0c99b06f40bff023\"><div class=\"panel-body toggle-content fusion-clearfix\">\n<p>The Cyber Resilience Act (Regulation (EU) 2024\/2847) is the first EU-wide regulation to establish mandatory cybersecurity requirements for all products with digital elements. It applies to hardware and software made available on the EU market and requires manufacturers to ensure and demonstrate security throughout the entire product lifecycle.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-panel panel-default panel-55b81721147712d07 fusion-toggle-no-divider\"><div class=\"panel-heading\"><h2 class=\"panel-title toggle\" id=\"toggle_55b81721147712d07\"><a aria-expanded=\"false\" aria-controls=\"55b81721147712d07\" role=\"button\" data-toggle=\"collapse\" data-target=\"#55b81721147712d07\" href=\"#55b81721147712d07\"><span class=\"fusion-toggle-icon-wrapper\" aria-hidden=\"true\"><i class=\"fa-fusion-box active-icon awb-icon-minus\" aria-hidden=\"true\"><\/i><i class=\"fa-fusion-box inactive-icon awb-icon-plus\" aria-hidden=\"true\"><\/i><\/span><span class=\"fusion-toggle-heading\">What do I need to do in light of the Cyber Resilience Act?<\/span><\/a><\/h2><\/div><div id=\"55b81721147712d07\" class=\"panel-collapse collapse \" aria-labelledby=\"toggle_55b81721147712d07\"><div class=\"panel-body toggle-content fusion-clearfix\">\n<p>Manufacturers must incorporate cybersecurity from the design phase onward: conduct a risk analysis, develop products according to the 
&#8220;security by design&#8221; principle, maintain an SBOM, provide security updates throughout the entire support period, and implement vulnerability management. In addition, there are reporting requirements to ENISA, as well as technical documentation, conformity assessment, and CE marking prior to placing the product on the market.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-panel panel-default panel-bbfe19251f47113df fusion-toggle-no-divider\"><div class=\"panel-heading\"><h2 class=\"panel-title toggle\" id=\"toggle_bbfe19251f47113df\"><a aria-expanded=\"false\" aria-controls=\"bbfe19251f47113df\" role=\"button\" data-toggle=\"collapse\" data-target=\"#bbfe19251f47113df\" href=\"#bbfe19251f47113df\"><span class=\"fusion-toggle-icon-wrapper\" aria-hidden=\"true\"><i class=\"fa-fusion-box active-icon awb-icon-minus\" aria-hidden=\"true\"><\/i><i class=\"fa-fusion-box inactive-icon awb-icon-plus\" aria-hidden=\"true\"><\/i><\/span><span class=\"fusion-toggle-heading\">When does the Cyber Resilience Act take effect?<\/span><\/a><\/h2><\/div><div id=\"bbfe19251f47113df\" class=\"panel-collapse collapse \" aria-labelledby=\"toggle_bbfe19251f47113df\"><div class=\"panel-body toggle-content fusion-clearfix\">\n<p>The CRA took effect at the end of 2024 but is being implemented in phases. The rules for conformity assessment bodies have been in effect since June 11, 2026. As of September 11, 2026, the reporting requirements for actively exploited vulnerabilities and serious incidents will apply. 
The regulation will be fully applicable as of December 11, 2027.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-panel panel-default panel-832a9ea70dd3cf8f5 fusion-toggle-no-divider\"><div class=\"panel-heading\"><h2 class=\"panel-title toggle\" id=\"toggle_832a9ea70dd3cf8f5\"><a aria-expanded=\"false\" aria-controls=\"832a9ea70dd3cf8f5\" role=\"button\" data-toggle=\"collapse\" data-target=\"#832a9ea70dd3cf8f5\" href=\"#832a9ea70dd3cf8f5\"><span class=\"fusion-toggle-icon-wrapper\" aria-hidden=\"true\"><i class=\"fa-fusion-box active-icon awb-icon-minus\" aria-hidden=\"true\"><\/i><i class=\"fa-fusion-box inactive-icon awb-icon-plus\" aria-hidden=\"true\"><\/i><\/span><span class=\"fusion-toggle-heading\">Who is affected by the Cyber Resilience Act?<\/span><\/a><\/h2><\/div><div id=\"832a9ea70dd3cf8f5\" class=\"panel-collapse collapse \" aria-labelledby=\"toggle_832a9ea70dd3cf8f5\"><div class=\"panel-body toggle-content fusion-clearfix\">\n<p>This applies to anyone who makes products with digital elements available on the EU market, regardless of industry. This includes manufacturers of software, IoT devices, industrial equipment, and consumer products, as well as importers and distributors. Commercial open-source software is also covered. 
Products already covered by other EU regulations, such as medical devices or motor vehicles, are excluded.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-panel panel-default panel-a69e0abdf9ad7c351 fusion-toggle-no-divider\"><div class=\"panel-heading\"><h2 class=\"panel-title toggle\" id=\"toggle_a69e0abdf9ad7c351\"><a aria-expanded=\"false\" aria-controls=\"a69e0abdf9ad7c351\" role=\"button\" data-toggle=\"collapse\" data-target=\"#a69e0abdf9ad7c351\" href=\"#a69e0abdf9ad7c351\"><span class=\"fusion-toggle-icon-wrapper\" aria-hidden=\"true\"><i class=\"fa-fusion-box active-icon awb-icon-minus\" aria-hidden=\"true\"><\/i><i class=\"fa-fusion-box inactive-icon awb-icon-plus\" aria-hidden=\"true\"><\/i><\/span><span class=\"fusion-toggle-heading\">What penalties apply for violations of the CRA?<\/span><\/a><\/h2><\/div><div id=\"a69e0abdf9ad7c351\" class=\"panel-collapse collapse \" aria-labelledby=\"toggle_a69e0abdf9ad7c351\"><div class=\"panel-body toggle-content fusion-clearfix\">\n<p>Violations of the essential cybersecurity requirements and reporting obligations may be punishable by fines of up to 15 million euros or 2.5 percent of global annual revenue, whichever is higher. 
For other breaches of obligations, fines of up to 10 million euros or 2 percent of revenue may be imposed.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-panel panel-default panel-bafe48e09fef885ab fusion-toggle-no-divider\"><div class=\"panel-heading\"><h2 class=\"panel-title toggle\" id=\"toggle_bafe48e09fef885ab\"><a aria-expanded=\"false\" aria-controls=\"bafe48e09fef885ab\" role=\"button\" data-toggle=\"collapse\" data-target=\"#bafe48e09fef885ab\" href=\"#bafe48e09fef885ab\"><span class=\"fusion-toggle-icon-wrapper\" aria-hidden=\"true\"><i class=\"fa-fusion-box active-icon awb-icon-minus\" aria-hidden=\"true\"><\/i><i class=\"fa-fusion-box inactive-icon awb-icon-plus\" aria-hidden=\"true\"><\/i><\/span><span class=\"fusion-toggle-heading\">What is an SBOM, and is it mandatory?<\/span><\/a><\/h2><\/div><div id=\"bafe48e09fef885ab\" class=\"panel-collapse collapse \" aria-labelledby=\"toggle_bafe48e09fef885ab\"><div class=\"panel-body toggle-content fusion-clearfix\">\n<p>An SBOM (Software Bill of Materials) is a structured list of all components and dependencies of a software product. The CRA requires manufacturers to maintain one, but it does not have to be published. 
The SBOM creates transparency in the supply chain and makes it possible to quickly identify affected components when new vulnerabilities are discovered.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-panel panel-default panel-1cb069903177c5dc0 fusion-toggle-no-divider\" style=\"--awb-title-color:var(--awb-color8);--awb-content-color:var(--awb-color8);\"><div class=\"panel-heading\"><h2 class=\"panel-title toggle\" id=\"toggle_1cb069903177c5dc0\"><a aria-expanded=\"false\" aria-controls=\"1cb069903177c5dc0\" role=\"button\" data-toggle=\"collapse\" data-target=\"#1cb069903177c5dc0\" href=\"#1cb069903177c5dc0\"><span class=\"fusion-toggle-icon-wrapper\" aria-hidden=\"true\"><i class=\"fa-fusion-box active-icon awb-icon-minus\" aria-hidden=\"true\"><\/i><i class=\"fa-fusion-box inactive-icon awb-icon-plus\" aria-hidden=\"true\"><\/i><\/span><span class=\"fusion-toggle-heading\">What does Security by Design mean in the CRA?<\/span><\/a><\/h2><\/div><div id=\"1cb069903177c5dc0\" class=\"panel-collapse collapse \" aria-labelledby=\"toggle_1cb069903177c5dc0\"><div class=\"panel-body toggle-content fusion-clearfix\">\n<p>Security by Design means that security is an integral part of product development from the very first design phase, rather than being added as an afterthought. Among other things, the CRA requires a minimal attack surface, secure default configurations, encrypted communication, the elimination of hard-coded passwords, and secure update mechanisms. It thus moves from being a best practice to a legal requirement.<\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Anyone who brings software or connected products to the European market will have no choice starting at the end of 2027: The Cyber Resilience Act makes cybersecurity a legal requirement throughout the entire product lifecycle. The first binding deadline takes effect as early as September 2026. 
For companies in industrial and highly regulated environments, this is not an abstract compliance issue, but a concrete requirement for architecture, development processes, and operations.  <\/p>\n<p>This article outlines what the CRA requires of manufacturers, which deadlines really matter, and what steps need to be taken now to ensure that a mandatory requirement doesn\u2019t become a risk\u2014and, in the best-case scenario, turns into a competitive advantage. We\u2019ll share how we\u2019re already implementing these key requirements in our own projects today\u2014often long before they became mandatory. <\/p>\n","protected":false},"author":8,"featured_media":15059,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[100],"tags":[465,463,464],"job-standort":[],"job-bereich":[],"job-arbeitszeit":[],"job-gmbh":[],"class_list":["post-15068","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-465","tag-cra","tag-cyber-resilience-act"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.8 (Yoast SEO v27.9) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Cyber Resilience Act (CRA): What Software Manufacturers Must Implement by 2027<\/title>\n<meta name=\"description\" content=\"The Cyber Resilience Act will make cybersecurity mandatory starting in 2027. 
Find out what CRA deadlines apply and what manufacturers should be doing now.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.bayootec.com\/en\/blog-en\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cyber Resilience Act (CRA): What Software Manufacturers Must Implement by 2027\" \/>\n<meta property=\"og:description\" content=\"The Cyber Resilience Act will make cybersecurity mandatory starting in 2027. Find out what CRA deadlines apply and what manufacturers should be doing now.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.bayootec.com\/en\/blog-en\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\/\" \/>\n<meta property=\"og:site_name\" content=\"BAYOOTEC\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-01T14:35:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-01T14:35:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.bayootec.com\/wp-content\/uploads\/sites\/2\/2026\/07\/BAYOOTEC-Blog-CRA_Header.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1366\" \/>\n\t<meta property=\"og:image:height\" content=\"768\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"svenjamahl\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"svenjamahl\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/\"},\"author\":{\"name\":\"svenjamahl\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#\\\/schema\\\/person\\\/a006ce1780ca7bdaccec04c64c43b006\"},\"headline\":\"Cyber Resilience Act (CRA): What Software Manufacturers Must Implement by 2027\",\"datePublished\":\"2026-07-01T14:35:26+00:00\",\"dateModified\":\"2026-07-01T14:35:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/\"},\"wordCount\":5038,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.bayootec.com\\\/wp-content\\\/uploads\\\/sites\\\/2\\\/2026\\\/07\\\/BAYOOTEC-Blog-CRA_Header.jpg\",\"keywords\":[\"2027\",\"cra\",\"Cyber Resilience 
Act\"],\"articleSection\":[\"BLOG\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/\",\"url\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/\",\"name\":\"Cyber Resilience Act (CRA): What Software Manufacturers Must Implement by 2027\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.bayootec.com\\\/wp-content\\\/uploads\\\/sites\\\/2\\\/2026\\\/07\\\/BAYOOTEC-Blog-CRA_Header.jpg\",\"datePublished\":\"2026-07-01T14:35:26+00:00\",\"dateModified\":\"2026-07-01T14:35:31+00:00\",\"description\":\"The Cyber Resilience Act will make cybersecurity mandatory starting in 2027. 
Find out what CRA deadlines apply and what manufacturers should be doing now.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.bayootec.com\\\/wp-content\\\/uploads\\\/sites\\\/2\\\/2026\\\/07\\\/BAYOOTEC-Blog-CRA_Header.jpg\",\"contentUrl\":\"https:\\\/\\\/www.bayootec.com\\\/wp-content\\\/uploads\\\/sites\\\/2\\\/2026\\\/07\\\/BAYOOTEC-Blog-CRA_Header.jpg\",\"width\":1366,\"height\":768},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/en\\\/blog-en\\\/cyber-resilience-act-cra-what-software-manufacturers-must-implement-by-2027\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/www.bayootec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cyber Resilience Act (CRA): What Software Manufacturers Must Implement by 2027\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.bayootec.com\\\/\",\"name\":\"BAYOOTEC GmbH\",\"description\":\"Wir entwickeln Enterprise 
Software\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.bayootec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#organization\",\"name\":\"BAYOOTEC GmbH\",\"url\":\"https:\\\/\\\/www.bayootec.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.bayootec.com\\\/wp-content\\\/uploads\\\/sites\\\/2\\\/2023\\\/06\\\/BAYOOTEC-Softwareentwicklung-fuer-Enterprise-Software-1.svg\",\"contentUrl\":\"https:\\\/\\\/www.bayootec.com\\\/wp-content\\\/uploads\\\/sites\\\/2\\\/2023\\\/06\\\/BAYOOTEC-Softwareentwicklung-fuer-Enterprise-Software-1.svg\",\"width\":1180,\"height\":165,\"caption\":\"BAYOOTEC GmbH\"},\"image\":{\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/bayootec-bu\\\/\"],\"description\":\"IT-Dienstleister f\u00fcr individuelle Enterprise Softwareentwicklung. 
Spezialisiert auf digitale Plattformen, Cloud-Native-Entwicklung, UX\\\/UI Design und digitale Transformation f\u00fcr gro\u00dfe und mittelst\u00e4ndische Unternehmen im DACH-Raum\",\"email\":\"info@bayootec.com\",\"telephone\":\"+49615186180\",\"legalName\":\"BAYOOTEC GmbH\",\"foundingDate\":\"2021-12-01\",\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"minValue\":\"51\",\"maxValue\":\"200\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.bayootec.com\\\/#\\\/schema\\\/person\\\/a006ce1780ca7bdaccec04c64c43b006\",\"name\":\"svenjamahl\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6e31d1bb7eab4d487335e7acfe3d621bbf81e754c6088fdfadd688143d79add7?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6e31d1bb7eab4d487335e7acfe3d621bbf81e754c6088fdfadd688143d79add7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6e31d1bb7eab4d487335e7acfe3d621bbf81e754c6088fdfadd688143d79add7?s=96&d=mm&r=g\",\"caption\":\"svenjamahl\"},\"url\":\"https:\\\/\\\/www.bayootec.com\\\/en\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","_links":{"self":[{"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/posts\/15068","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/types\/post"}
],"author":[{"embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/comments?post=15068"}],"version-history":[{"count":3,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/posts\/15068\/revisions"}],"predecessor-version":[{"id":15076,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/posts\/15068\/revisions\/15076"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/media\/15059"}],"wp:attachment":[{"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/media?parent=15068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/categories?post=15068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/tags?post=15068"},{"taxonomy":"job-standort","embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/job-standort?post=15068"},{"taxonomy":"job-bereich","embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/job-bereich?post=15068"},{"taxonomy":"job-arbeitszeit","embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/job-arbeitszeit?post=15068"},{"taxonomy":"job-gmbh","embeddable":true,"href":"https:\/\/www.bayootec.com\/en\/wp-json\/wp\/v2\/job-gmbh?post=15068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}