EU Cyber Resilience Act: What Connected Product Manufacturers Must Do
If your company manufactures, imports or distributes any product with digital elements — a connected controller, an embedded system, an IoT device, smart hardware or any product with firmware and network connectivity — the EU Cyber Resilience Act (CRA) applies to you.
The CRA entered into force on December 10, 2024 and will fully apply on December 11, 2027. That gives manufacturers a transition window — but it is shorter than it looks, and the first hard obligations arrive before the final deadline.
What is the EU Cyber Resilience Act and who does it affect?
The CRA is a horizontal EU regulation that applies to any hardware or software product with digital elements placed on the EU market — including components sold separately. A product is in scope when its intended use includes a direct or indirect connection to a device or network.
In practical terms, this includes:
- Any hardware or software with network connectivity sold in the EU
- Connected ECUs, embedded controllers and industrial automation hardware
- IoT devices, smart sensors and firmware-driven products
- Smart displays, telematics units and connectivity modules
- E-bikes and light mobility components with connected features
Key deadlines: earlier than most manufacturers think
Most teams assume everything happens in 2027. The first hard obligations arrive significantly earlier:
- June 2026 — Conformity assessment body provisions begin to apply
- September 2026 — Vulnerability and incident reporting becomes mandatory
- December 2027 — Full CRA compliance required — CE marking, documentation, conformity assessment
Products lawfully placed on the EU market before December 2027 are generally exempt — unless they undergo substantial modification after that date. New product lines in development must be CRA-compliant from the design phase.

What CRA compliance requires in practice
From December 2027, manufacturers must assess cybersecurity risks and mitigate them across the full product lifecycle — planning, design, development, production, delivery and maintenance. Concretely:
- Security-by-design architecture from the concept phase
- Risk assessment methodology (equivalent to TARA for connected products)
- Vulnerability management process throughout the product lifecycle
- Technical documentation demonstrating compliance
- Incident and vulnerability reporting from September 2026
- CE marking under CRA for products placed on the EU market
Around 90% of products fall under the default category — manufacturers can self-assess without third-party certification. But this self-assessment requires robust internal processes and documentation to hold up under market surveillance.
Why starting now matters
OTC Engineering supports manufacturers of connected electronic products through the full CRA compliance path:
- Gap analysis — mapping your current product and process against CRA essential requirements to identify exactly what needs to change and in what order.
- Secure-by-design architecture — integrating cybersecurity requirements into your product development process from the concept phase, not as a retrofit.
- Documentation and technical file — building the technical documentation and evidence required for CE marking under the CRA, audit-ready from the first review.
- Vulnerability management process — defining the organisational process for managing vulnerabilities and reporting incidents from September 2026 onwards.

At OTC Engineering we support manufacturers of connected electronic products through the full EU Cyber Resilience Act compliance path — from gap analysis and secure-by-design architecture to technical documentation and vulnerability management process — working as an embedded engineering team alongside your R&D, not as consultants who hand over a report.
The starting point is a fixed-scope gap analysis: a structured engagement that maps your current product and process against CRA essential requirements, identifies exactly what needs to change, and defines the clearest path to compliance before your next product milestone.
Start with a fast diagnosis — a fixed-scope engagement that maps your CRA exposure and defines the clearest path to compliance before your next product milestone.



