
The Cyber Resilience Act: A Guide for Manufacturers

Apr 18, 2025


Introduction

The Cyber Resilience Act (CRA) entered into force on 10 December 2024. While its main tenets will not apply until 11 December 2027, the reporting requirements will take effect earlier, starting on 11 September 2026. Though the CRA introduces mandatory cybersecurity requirements for both manufacturers and retailers, this blog will specifically address manufacturers and focus on the version published on 20 November 2024. We aim to clearly explain what the CRA entails and outline the key actions manufacturers must take to meet their obligations on time.


The Scope of CRA

The CRA (Cyber Resilience Act) aims to protect consumers and businesses that purchase software or hardware products with digital components. Manufacturers will be required to ensure the cybersecurity of these products within the EU. To achieve this, they must meet essential cybersecurity requirements and obligations.

The regulation covers all products with digital elements that are connected—either directly or indirectly—to another device or network. However, there are specific exclusions, such as certain open-source software and service-based products already governed by existing regulations. These include sectors like medical devices, aviation, and automotive.

Examples of products with digital components include laptops, smartphones, routers, switches, and industrial control systems (ICS). Some easily overlooked products are those provided by manufacturers for free under their own trademarks, as well as open-source software for commercial purposes.


CRA Timeline and Milestones

Although the CRA already came into effect on 10 December 2024, manufacturers still have time to prepare to comply with the essential cybersecurity requirements and obligations. The following sections explain these in more detail:

From 11 September 2026 – Reporting obligations take effect
Manufacturers must report, without undue delay, any actively exploited vulnerability in their products with digital elements, as well as any severe incident that impacts the security of those products.

From 11 December 2027 – Compliance with cybersecurity requirements becomes mandatory
The regulations will be fully applicable. Manufacturers must ensure their products meet all essential cybersecurity requirements and obligations by this date.

figure 1: CRA Timeline of Important Dates for Manufacturers

Essential Cybersecurity Requirements and Obligations

In short, manufacturers shall complete the following steps before their products are placed on the Union market:

  1. Technical documentation – Manufacturers use this document to demonstrate how they comply with the essential cybersecurity requirements; it should include a software bill of materials (SBOM). Further details of this document’s content are in Annex VII of the CRA.
  2. Conformity assessment procedures – Depending on the category of the product, a conformity assessment needs to be carried out by either the manufacturer or by a third-party notified body. In most cases, important products and critical products shall be assessed by a third-party notified body. Important products and critical products include routers, modems, switches, firewalls, etc. Further details can be found in Annex III and Annex IV of the CRA.
  3. Declaration of conformity – This declaration mainly shows that the product itself has fulfilled the essential cybersecurity requirements. This shall contain the name and number of the notified body, if applicable. Further details of this content are in Annex V of the CRA.
  4. Affixing the CE marking – The CE marking shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008. By affixing the CE marking, the manufacturer indicates that he takes responsibility for the conformity of the product with all applicable requirements set out in the relevant Community harmonisation legislation providing for its affixing [Regulation – 765/2008 – EN – EUR-Lex].

To achieve the steps mentioned above, we have organized the main requirements and obligations for manufacturers as follows:

Figure 2: Main Requirements and Obligations for Manufacturers


Let’s break down the five categories listed above:

  • Cybersecurity Assessment:
    Products need to fulfill the essential cybersecurity requirements, which can be split into cybersecurity requirements and vulnerability handling requirements. For manufacturers, it is necessary to have a formal procedure for cybersecurity assessments.
  • Documents:
    Manufacturers need to compose technical documentation, information and instructions to the user, a declaration of conformity, and an SBOM. Regarding SBOMs, market surveillance authorities may request that manufacturers provide their SBOM. In addition, manufacturers are free to choose whether to provide the SBOM to users.
  • Conformity Assessment:
    When the product belongs to the category of important or critical products, in most cases a conformity assessment needs to be carried out by a third-party notified body. Given that, Member States shall strive to ensure by 11 December 2026 that there is a sufficient number of notified bodies in the Union to carry out conformity assessments. Products that are neither important nor critical still require a conformity self-assessment, which shall be carried out by the manufacturer itself.
  • Product Regulations:
    After the Cybersecurity Assessment and Conformity Assessment, the manufacturer needs to affix the CE marking to indicate that they take responsibility for the conformity of the product with all applicable requirements set out in the relevant Community harmonisation legislation. This includes important rules such as the rule that the support period of the product shall last at least five years. Where the product is expected to be in use for less than five years, the support period shall correspond to the expected use time. Moreover, the manufacturer shall ensure that each security update made available to users during the support period remains available for a minimum of 10 years after it has been issued or for the remainder of the support period, whichever is longer.
  • Reporting Obligations:
    The manufacturer shall report any actively exploited vulnerabilities contained in the product with digital elements and any severe incidents having an impact on the security of the product with digital elements via the single reporting platform without undue delay. The single reporting platform shall be established by ENISA.

    • Actively exploited vulnerabilities concern instances where a manufacturer establishes that a security breach affecting its users, or any other natural or legal persons, has resulted from a malicious actor making use of a flaw in one of the products with digital elements made available on the market by the manufacturer. Examples of such vulnerabilities could be weaknesses in a product’s identification and authentication functions. Vulnerabilities that are discovered with no malicious intent for purposes of good-faith testing, investigation, correction or disclosure to promote the security or safety of the system owner and its users should not be subject to mandatory notification.
    • Severe incidents are those that impact the security of a product with digital elements. This includes cases where a cybersecurity incident disrupts the manufacturer’s development, production, or maintenance processes in a way that could increase cybersecurity risks for users or others. For example, if an attacker successfully injects malicious code into the release channel used for distributing security updates, it would be considered a severe incident.

It is worth mentioning that when a manufacturer becomes aware of any actively exploited vulnerability contained in the product or any severe incident having an impact on the security of the product, an early warning notification shall be submitted within 24 hours.


Next Steps: Recommendations for Manufacturers

  1. Confirm whether the product is within the scope of the CRA and the category of the product
    If the product has been sold or will be sold in the EU and is able to connect directly or indirectly to another device or network, it is most likely to fall within the scope of the CRA. You can also identify the category the product belongs to in Annex III and Annex IV of the CRA. In most cases, when the product belongs to the category of important or critical products, it needs to be assessed by a third-party notified body.

    Even if the product is not sold in the EU, we still recommend carrying out the following actions. Many regulations use other important existing regulations as a reference during the drafting stage. Since the CRA establishes essential cybersecurity requirements for general digital products, these requirements are highly universal and widely applicable. Therefore, early compliance with the CRA can reduce product security risks and support alignment with other regulations.
  2. Establish and enforce a policy on coordinated vulnerability disclosure and conduct internal exercises to practice the reporting obligations procedure
    A manufacturer shall take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements and any third-party components it contains. These measures include providing a contact address for reporting vulnerabilities discovered in the product with digital elements, as well as sharing and publicly disclosing information about fixed vulnerabilities once a security update is available. A manufacturer should also establish Vulnerability Disclosure and Security Advisories policies that allow customers and researchers to report vulnerabilities and access information about known issues.

    To comply with manufacturers’ reporting obligations, we recommend that manufacturers take proactive steps to stay informed about any actively exploited vulnerabilities in their products or any severe incidents that could impact product security. For example, they should consider participating in related international and domestic CERT organizations to stay up to date.

    Upon becoming aware of an actively exploited vulnerability or a severe incident, the manufacturer shall submit an early warning notification within 24 hours, a vulnerability or incident notification within 72 hours, and a final report within 14 days for actively exploited vulnerabilities or within 1 month for severe incidents. The manufacturer is required to submit all three documents for each actively exploited vulnerability or severe incident. Accordingly, the company’s incident-handling procedures should be drafted in advance, and internal exercises should be conducted. For detailed guidance and specific content requirements, please refer to Article 14 of the CRA.

    Notably, the final report due within 1 month must include, at a minimum, a detailed description of the incident, the type of threat or root cause, and all applied and ongoing mitigation measures. However, we know that most manufacturers’ OT environments lack OT visibility, so it is difficult for manufacturers to gain a comprehensive understanding of the entire incident and the threat types involved in a short period of time. In terms of technical countermeasures, we recommend that manufacturers introduce a security information and event management (SIEM) system into their OT environment. As the need for Cyber-Physical Systems (CPS) in global industries increases, the OT environment requires a shift from network-centric to asset-centric security to defend against the rapidly changing cyber threat landscape. Through the integration of network defense, endpoint protection, and security inspection solutions, manufacturers can effectively manage the CPS attack surface and implement detection and response.

    A clear and effective mitigation measure is the adoption of firewalls, intrusion prevention/detection systems (IPS/IDS), and endpoint anti-malware protection. However, in OT environments, two key considerations must be addressed: network solutions must support OT-specific protocols, and endpoint solutions must be compatible with legacy devices.

  3. Identify essential cybersecurity requirements not met by products and establish a formal assessment process
    As mentioned earlier, products must comply with the essential cybersecurity requirements. Manufacturers can refer to Annex I of the CRA to review whether their products meet the defined requirements. One such requirement is the creation of an SBOM for their products, which helps identify and document the components within products and their vulnerabilities. To establish a formal assessment process for the essential cybersecurity requirements, manufacturers can refer to the Cyber Resilience Act Requirements Standards Mapping published by ENISA [https://www.enisa.europa.eu/sites/default/files/2024-11/Cyber Resilience Act Requirements Standards Mapping – final_with_identifiers_0.pdf]. This mapping outlines the partial alignment between common existing international standards and the essential cybersecurity requirements of the CRA, providing a jumping-off point for developing an appropriate assessment framework.


Conclusion

The main obligations introduced by the Cyber Resilience Act (CRA) will not take effect until 11 December 2027. However, as a leading brand in OT cybersecurity, TXOne Networks has already undertaken a thorough and proactive review of all our products. Our network, endpoint, and other cybersecurity solutions are designed to fully meet the CRA’s essential cybersecurity requirements. This means we enforce stricter cybersecurity standards across our offerings and responsibly implement vulnerability handling processes.

Additionally, we actively participate in multiple international CERT organizations and comply with CVE Numbering Authority (CNA) obligations, enabling us to obtain cyber threat intelligence on companies and products as early as possible. This proactive approach allows us to effectively fulfill manufacturers’ reporting obligations by maintaining awareness of actively exploited vulnerabilities and severe security incidents.

On the manufacturers’ side, they should begin preparing to fulfill the CRA’s reporting obligations earlier, since those will apply from 11 September 2026. When a cybersecurity incident occurs, manufacturers must identify and understand the nature of the incident, determine the type of threat involved, and implement appropriate mitigation measures. TXOne Networks offers comprehensive OT cybersecurity solutions to help manufacturers achieve these goals. With SIEM systems designed for OT environments, manufacturers can gain a clear understanding of the postures and threats of their OT environments, enabling them to effectively detect and respond to any incidents. In addition, OT-specific firewalls, intrusion prevention systems (IPS), endpoint protection, and other solutions serve as powerful mitigation tools against a wide range of threats targeting OT environments.

TXOne Networks