Martin Walian, MBA & Certified Export Control Manager (CECM)

Cyber Resilience Act 2027: What US Hardware Companies Need to Know

The Cyber Resilience Act (CRA) is the EU's most significant cybersecurity regulation for products with digital elements. It takes effect in December 2027, and there is no grandfathering. If your product is on the EU market after that date, it must comply. This guide explains what the CRA requires, who it affects, and what you need to do now.

1. What Is the Cyber Resilience Act?

The Cyber Resilience Act (EU) 2024/2847 is an EU regulation that establishes mandatory cybersecurity requirements for all products with digital elements sold in the European Union. It was published in the Official Journal in November 2024 and enters into force in stages, with full enforcement beginning December 11, 2027.

Unlike previous regulations that focused on specific product categories, the CRA applies horizontally — it covers virtually every product that contains software or connects to a network. This includes IoT devices, smart home products, industrial sensors, networking equipment, and consumer electronics with firmware.

The CRA shifts cybersecurity responsibility to the manufacturer. You must design, develop, and maintain your product with security in mind throughout its entire lifecycle, not just at the point of sale.


2. Why Does the CRA Matter for US Companies?

If you sell hardware into the EU — directly or through distributors — the CRA applies to you regardless of where your company is headquartered. The regulation targets the product, not the company's location.

The key impacts:

  • Market access. After December 2027, non-compliant products cannot legally be sold in the EU. No CE marking, no market access — period.
  • Vulnerability handling. Manufacturers must actively handle and disclose vulnerabilities for the expected product lifetime or a minimum of 5 years, whichever is longer.
  • Incident reporting. Actively exploited vulnerabilities must be reported to ENISA within 24 hours. This is not optional and applies from September 2026.
  • Software updates. You must provide free security updates for the entire support period. Users must be able to install them easily and in a timely manner.
  • Penalties. Non-compliance can result in fines up to €15 million or 2.5% of global annual turnover, whichever is higher. Member states can also restrict or withdraw products from the market.

3. What Are the Key Requirements?

The CRA establishes essential cybersecurity requirements across the full product lifecycle. Products must be designed with security by default — no known exploitable vulnerabilities at the time of release, secure default configurations, protection against unauthorized access, and data confidentiality and integrity.

Manufacturers must also perform a cybersecurity risk assessment, maintain technical documentation that demonstrates conformity, provide a Software Bill of Materials (SBOM), and ensure their products can receive and install security updates. For most products, self-assessment against harmonized standards is sufficient, but "important" and "critical" product categories require third-party conformity assessment.

4. Which Products Are Affected?

The CRA applies to virtually all products with digital elements placed on the EU market. The regulation categorizes products into three tiers based on risk:

selling directly on Amazon EU marketplaces. You likely already have CE marking and a technical file from your manufacturing process. GPSR now additionally requires a named representative on your listing.

Since Brexit, the UK is a non-EU country. If you previously sold into the EU without a separate representative, that arrangement is no longer compliant. You need a dedicated EU Authorised Representative.

If you’re expanding from domestic sales to European Amazon marketplaces, retailers, or your own EU-facing Shopify store, you need a named representative before your first EU sale.

If your product falls under the Radio Equipment Directive, you likely already have an EAR through your CE marking process. However, the new RED cybersecurity requirements (EN 18031) may require updated documentation and Notified Body involvement.

Note: Open-source software developed outside commercial activity and SaaS products (where software is not delivered to the user) are generally excluded. However, if your SaaS relies on on-premise components, those components fall under the CRA.

5. What Happens If You Don't Comply?

The consequences are significant and multi-layered:

Amazon has been enforcing GPSR compliance across all EU marketplaces since December 2024. Sellers without a named representative in their listing are being delisted. eBay, Etsy, and other platforms are following.

Distributors, retailers, and fulfilment partners in the EU may refuse to work with you without a compliant representative in place.

EU market surveillance authorities can order product recalls, impose market bans, or issue fines.


6. How to Prepare Your Products

Preparing for the CRA requires action across product development, documentation, and organizational processes. Starting now gives you time to address gaps before the December 2027 deadline.

Key preparation steps:

  • Conduct a product inventory and gap analysis. Map every product you sell in the EU that contains software or firmware. Identify which CRA category each product falls into and assess current cybersecurity controls against the essential requirements.
  • Implement secure development practices. Establish or formalize a secure software development lifecycle (SSDLC). The CRA requires security to be integrated into design, development, production, and maintenance — not bolted on afterward.
  • Establish vulnerability handling processes. You need a documented process for receiving, evaluating, and addressing vulnerability reports. This includes a coordinated disclosure policy and the ability to issue security updates within the required timeframes.
  • Prepare technical documentation. The CRA requires comprehensive technical documentation including a cybersecurity risk assessment, SBOM, description of security architecture, conformity assessment records, and instructions for secure installation and use.

7. CRA vs Existing Regulations (RED, GPSR)

The CRA does not replace existing regulations — it adds to them. If your product is a radio device, it still needs to comply with the Radio Equipment Directive (RED) and its delegated act on cybersecurity (EN 18031). If it is a consumer product, GPSR still applies. The CRA sits on top of these requirements.

However, the CRA provides a single horizontal cybersecurity framework. Where the CRA and other regulations overlap on cybersecurity requirements, meeting the CRA's requirements will generally satisfy the cybersecurity aspects of other directives. The EU is working to align harmonized standards across these regulations to minimize duplication.

8. Timeline and Next Steps

The CRA is already in force. Key dates:

  1. November 2024 — CRA published in the Official Journal and enters into force.
  2. June 11, 2026 — Rules on conformity assessment bodies and notification apply.
  3. September 11, 2026 — Vulnerability reporting obligations begin. Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours.
  4. December 11, 2027 — Full enforcement. All products placed on the EU market must fully comply with all CRA requirements.

Next step: contact EUUK Compliance for a CRA readiness assessment — we review your product portfolio, identify gaps, and provide a clear compliance roadmap.

9. Frequently Asked Questions

  • Does the CRA apply to products already on the market? Products placed on the EU market before December 11, 2027 are not required to comply retroactively — but any product placed on the market after that date must comply, even if it was designed earlier. There is no grandfathering for new placements.
  • Do I need a third-party assessment? For default-category products, self-assessment is permitted if you apply harmonized standards. For Class I "important" products, self-assessment is allowed under the same condition. Class II products and critical products require mandatory third-party assessment by a notified body.
  • How does the CRA affect my CE marking? The CRA adds cybersecurity as a component of CE marking for products with digital elements. Your Declaration of Conformity must include CRA compliance. Without it, your product cannot carry the CE mark and cannot be sold in the EU.
  • My product is also covered by RED — do I need to comply with both? Yes. However, the EU is aligning the cybersecurity requirements across CRA and RED to minimize duplication. Where CRA requirements fully cover the cybersecurity aspects of RED's delegated regulation, compliance with CRA should satisfy those RED requirements. Consult a compliance specialist to confirm for your specific product.
  • What is an SBOM and do I need one? A Software Bill of Materials (SBOM) is a comprehensive inventory of all software components in your product, including open-source libraries. The CRA requires manufacturers to identify and document components at minimum at the top-level dependency level. The SBOM is part of your technical documentation.
  • Can EUUK Compliance help with CRA preparation? Yes. We offer CRA readiness assessments, gap analysis, EN 18031 cybersecurity testing, technical documentation support, and ongoing compliance monitoring. Contact us for a free consultation to discuss your product portfolio.
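To make the SBOM requirement in the FAQ above concrete, here is an added example (written for this guide; it is not code from the original article and not a tool EUUK Compliance provides). It reads a constructed pip-style requirements list for a hypothetical product "sensor-gw" 1.4.2, emits a minimal CycloneDX-style JSON document covering the top-level dependencies, and flags components that have no exact version. An unpinned or ranged dependency is the gap a reviewer of your technical file will notice first, because a component without a version cannot be matched against vulnerability advisories during the support period. The field names follow the CycloneDX JSON format; the product, versions and dependency names are invented sample data.

```python
"""Build a minimal CycloneDX-style SBOM from a dependency manifest and
report the components that cannot be tracked against advisories."""
import json
import re
from datetime import datetime, timezone

# Constructed sample manifest for a hypothetical gateway firmware's host
# tooling. Two dependencies are pinned exactly, one is unpinned and one
# uses a version range; none of this comes from a real product.
SAMPLE_REQUIREMENTS = """\
# host-side tooling shipped with the firmware
requests==2.31.0
cryptography==42.0.5
pyyaml          # unpinned: version unknown
paho-mqtt>=1.6  # range, not an exact version
"""

# name, optional comparison operator, optional version
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=)?\s*([A-Za-z0-9_.+-]*)")


def parse_requirements(text):
    """Return (name, operator, version) tuples; comments and blank lines are skipped."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"cannot parse requirement: {raw!r}")
        name, op, version = match.groups()
        deps.append((name.lower(), op or "", version or ""))
    return deps


def build_sbom(product_name, product_version, deps, timestamp=None):
    """Assemble a CycloneDX-style document listing the top-level dependencies.

    Only an exact pin ('==') yields a version and a package URL; anything
    else is recorded by name only so the gap stays visible in the SBOM."""
    components = []
    for name, op, version in deps:
        component = {"type": "library", "name": name}
        if op == "==" and version:
            component["version"] = version
            component["purl"] = f"pkg:pypi/{name}@{version}"
        components.append(component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "component": {
                "type": "firmware",
                "name": product_name,
                "version": product_version,
            },
        },
        "components": components,
    }


def find_gaps(sbom):
    """Names of components without an exact version: these cannot be matched
    against vulnerability advisories and need to be pinned before release."""
    return [c["name"] for c in sbom["components"] if "version" not in c]


if __name__ == "__main__":
    sbom = build_sbom("sensor-gw", "1.4.2", parse_requirements(SAMPLE_REQUIREMENTS))
    print(json.dumps(sbom, indent=2))
    for name in find_gaps(sbom):
        print(f"GAP: {name} has no exact version and cannot be tracked for advisories")
```

Run the script and the two unversioned components are reported; in a real build, treat a non-empty gap list as a release blocker, since the support obligation described in section 2 can only be met for components you can actually identify.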
