March 27, 2026
From buyer beware to manufacturer mandatory: What does the CRA and its integration with CE marking mean for you?
The introduction of the EU’s Cyber Resilience Act (CRA) has shifted the burden of cybersecurity from ‘Buyer Beware’ to ‘Manufacturer Mandatory’, placing cybersecurity on the same level as physical safety for OEMs and IoT device makers. There is still time to prepare, but manufacturers must be ready to comply with the incident reporting obligations by 11 September 2026, and the full CRA requirements will apply to products with digital elements from 11 December 2027.
Failure to comply carries severe penalties. The CRA applies to all products that are directly or indirectly connected to another device or network, the only specified exclusions being open source software, medical devices, aviation and cars. Non-compliance could result in fines of up to €15 million or 2.5% of the offender’s total worldwide turnover for the preceding financial year.
What’s new?
The CRA introduces common cybersecurity rules for manufacturers and developers of products with digital elements across both hardware and software. The Act is set to ensure that wired and wireless products that are connected are more secure. Importantly, the CRA sets out that manufacturers remain responsible for cybersecurity throughout their products’ lifecycles – including for software. In addition, the CRA requires that customers are properly informed about the cybersecurity of the products they buy and use.
Everything from smart toys to industrial control systems is affected, and market surveillance authorities have the power to force product recalls and prohibit sales across all 27 EU nations simultaneously. Neglecting compliance therefore comes with a high financial cost, but OEMs should not view the CRA as just another compliance burden. Instead, it is an opportunity to enhance the trust factor of their products and their company’s reputation by achieving and demonstrating compliance with the Act via the expanded scope of the CE mark.
Making the mark: CRA compliant CE designation
The Act sets out that products carrying the CE mark must meet a minimum level of cybersecurity checks, so compliance with those checks will be required. CRA requirements are embedded into the existing CE framework through the New Legislative Framework (NLF) that the EU has introduced. This expands the scope of the CE mark to encompass not only the physical integrity of products but also their software security lifecycle.
Article 30 of the CRA sets out the rules and conditions for affixing the CE marking to products. Some of this is obvious, such as the size, legibility and indelibility of the marking, but for software the marking should be on the declaration of conformity or on the website accompanying the software product. In addition, the CE mark may be followed by a pictogram indicating specific cybersecurity risks.
Article 29 of the CRA establishes that the CE marking is subject to the principles set out in Article 30 and indicates that the product complies with the essential cybersecurity requirements of the CRA. The Article mandates that the marking must be affixed before the product is placed on the market and only after cybersecurity verification has been achieved. The logo can be affixed either to the product itself or, if that is not practical because of the nature of the product, to the packaging or accompanying documentation.
Which products are affected?
Importantly, the CRA adds much more rigorous cybersecurity requirements to protect devices, infrastructure, data and consumers. The new regulations mean that companies need to conduct cyber risk assessments before a product is introduced to the market and throughout its expected lifecycle, which could be a decade or more.
There is a risk-based hierarchy that extends upward from the default category of simple devices such as smart fridges or photo apps. These are expected to account for 90% of the market and will be handled via self-assessment by manufacturers. Next come products such as browsers or password managers, whose compliance will be checked via standards-based processes or audits. Class II, which encompasses firewalls and operating systems, will achieve compliance via a mandatory notified body audit. Products classed as critical, such as smart meter gateways and hardware security modules (HSMs), require full EU certification.
Key elements of CRA compliance
The Act sets out that compliant products must achieve vulnerability-free delivery with no known issues at the point of market entry. They must also be secure by default with protection active out-of-the-box with no need for user configuration. In addition, products must feature integrity protection and be hardened against unauthorized software or firmware changes. Finally, products must demonstrate vulnerability handling capability in the form of a mandatory policy for continuous security updates.
A significant element of the Act is that it requires manufacturers to demonstrate compliance across the entire software bill of materials (SBOM). The CRA mandates a machine-readable SBOM for every product that details every library, component and dependency associated with the product. Think of it as similar to a nutritional label on a food product, but for the software ‘ingredients’ of a digital product. The machine-readable SBOM is intended to aid rapid incident response by enabling immediate identification of a product’s software dependencies, so that when a vulnerability is disclosed in a component, every affected product can be found without manual investigation.
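To illustrate the incident-response use the paragraph describes, here is an added example (not from the original article or any vendor) that loads a constructed CycloneDX-style JSON SBOM, finds components below a fixed version, and walks the dependency graph upward to show which path pulled each one into the product. The product, component names, versions and the advisory values are all invented for the sample; versions are assumed to be plain dotted numbers.

```python
import json

# Constructed sample SBOM in CycloneDX JSON style; not from any real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "firmware", "name": "smart-meter-gw",
                             "version": "3.2.0", "bom-ref": "product"}},
  "components": [
    {"type": "library", "name": "libtls", "version": "1.4.2", "bom-ref": "libtls@1.4.2"},
    {"type": "library", "name": "jsonparse", "version": "0.9.1", "bom-ref": "jsonparse@0.9.1"},
    {"type": "library", "name": "libz", "version": "2.0.0", "bom-ref": "libz@2.0.0"}
  ],
  "dependencies": [
    {"ref": "product", "dependsOn": ["libtls@1.4.2", "jsonparse@0.9.1"]},
    {"ref": "libtls@1.4.2", "dependsOn": ["libz@2.0.0"]},
    {"ref": "jsonparse@0.9.1", "dependsOn": []},
    {"ref": "libz@2.0.0", "dependsOn": []}
  ]
}
"""

def parse_version(v):
    # Assumption for the sample: dotted numeric versions only (e.g. "1.4.2").
    return tuple(int(part) for part in v.split("."))

def find_affected(sbom_json, name, fixed_in):
    """Return {bom-ref: chain} for every component called `name` whose version
    is older than `fixed_in`; `chain` lists the refs from that component up to
    the product, i.e. the path through which it was pulled in (for triage)."""
    sbom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in sbom["components"]}
    # Reverse dependency map: child ref -> refs that depend on it.
    parents = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    hits = {}
    for ref, comp in components.items():
        if comp["name"] == name and parse_version(comp["version"]) < parse_version(fixed_in):
            chain, cur, seen = [ref], ref, {ref}
            # Follow the first parent at each level until we reach the top.
            while cur in parents and parents[cur][0] not in seen:
                cur = parents[cur][0]
                chain.append(cur)
                seen.add(cur)  # guards against cyclic dependency records
            hits[ref] = chain
    return hits
```

Running `find_affected(SBOM_JSON, "libz", "2.0.1")` reports `libz@2.0.0` together with the chain `libz@2.0.0 -> libtls@1.4.2 -> product`, which is the kind of immediate answer a machine-readable SBOM is meant to give during an incident.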
From compliance burden to trust-builder
While the CRA is the first regulation of its kind, it is likely to be followed by similar initiatives in other regions. The effect of the CRA is that it forces manufacturers globally to secure their products to EU standards if they want to access the single market. With 27 countries, this is a significant market that warrants extensive compliance efforts to assure continued market access. Much of the work needed to ensure CRA compliance, especially in relation to SBOM provenance, is likely to be applicable to future regulations in other jurisdictions. Products that comply with the EU CRA will therefore gain a competitive advantage in global markets by being able to demonstrate compliance, enhancing the trust factor that users, even those outside the EU, associate with them.
Without doubt, achieving compliance with the CRA is complex, costly and time-consuming, but it provides an opportunity for vendors to demonstrate their commitment to cybersecurity and their status as trusted manufacturers of products with compliant cybersecurity postures. Consumers will increasingly seek out the CE mark as a recognised logo that assures them of the cybersecurity status of a product.