What is the Cyber Resilience Act
Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), establishes mandatory cybersecurity requirements for hardware and software products with digital elements, that is, products whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. This covers IoT devices, enterprise software, networking equipment, and embedded systems. Products already regulated by sector-specific rules, such as medical devices, motor vehicles and civil aviation, are excluded, as is free and open-source software that is not supplied in the course of a commercial activity.
The CRA entered into force on 10 December 2024. Most obligations apply from 11 December 2027, but the first key obligation, the vulnerability and incident reporting duty in Article 14, arrives in just four months, on 11 September 2026.
What changes in September 2026
From 11 September 2026, manufacturers of products with digital elements must report any actively exploited vulnerability in their products, and any severe incident affecting the security of a product, to the national CSIRT designated as coordinator and to ENISA, through the single reporting platform ENISA operates (Articles 14 and 16). The clock starts when the manufacturer becomes aware, and the deadlines are strict:
- 24 hours for an early warning
- 72 hours for the vulnerability notification (or incident notification), including a general description of the product and vulnerability concerned and any corrective or mitigating measures taken or available to users
- 14 days after a corrective or mitigating measure becomes available for the final vulnerability report; for severe incidents, the final report is due one month after the incident notification
This reporting obligation covers products already on the market, not just new ones (Article 69(2)). If a manufacturer sold software in 2020 and an actively exploited vulnerability in it surfaces in 2026, the manufacturer must report it. Separately, the manufacturer must inform impacted users without undue delay about the vulnerability or incident and about any risk mitigation or corrective measures (Article 14(8)).
Product categories
The CRA sorts products into four risk-based categories, each with its own conformity assessment route:
- Default products — manufacturer self-assessment (internal control, Module A)
- Important products, Class I — self-assessment only when harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise third-party assessment
- Important products, Class II — mandatory third-party assessment (or a European cybersecurity certification scheme)
- Critical products — a European cybersecurity certification scheme where the Commission requires one by delegated act; otherwise mandatory third-party assessment
The specific product classification is defined in Commission Implementing Regulation (EU) 2025/2392.
What this means for IT teams
The CRA primarily binds manufacturers, importers, and distributors. But for IT departments that procure and operate these products, it changes the landscape significantly: a CE marking will now also signal conformity with the CRA's essential cybersecurity requirements. Note the caveat that for default products this conformity is self-declared, so the mark alone does not tell you that anyone outside the manufacturer has tested the product.
In practice:
- Review supplier contracts — require vendors to demonstrate CRA compliance, including the EU declaration of conformity and, for important and critical products, evidence of the applicable third-party assessment or certification
- Update due diligence — add CRA compliance to vendor selection criteria
- Track support periods — manufacturers must set a support period reflecting the product's expected lifetime, at least five years unless the product is expected to be in use for a shorter time, and state the end-of-support date including at least the month and year; each security update issued during that period must remain available for at least ten years after it is issued or for the remainder of the support period, whichever is longer (Article 13)
- Monitor vendor communication — you cannot see a supplier's submissions to ENISA, but manufacturers must inform impacted users without undue delay about actively exploited vulnerabilities and severe incidents and about corrective measures (Article 14(8)); make sure each vendor's notification channel reaches your incident response process rather than an unread mailbox
How to prepare
Before September 2026, we recommend:
- Map your portfolio of digital products and identify suppliers in CRA scope
- Open dialogue with vendors about their readiness for reporting obligations
- Incorporate CRA requirements into internal procurement policies
- Connect CRA with existing NIS2 processes — the CRA sets product-level requirements that complement the organisational risk-management and incident-reporting duties NIS2 (Directive (EU) 2022/2555) places on operators
The CRA is the next building block in the EU's cybersecurity architecture. For organisations already working toward NIS2 compliance, it is a natural extension — this time targeting the supply chain and the products your services depend on.