Long announced — now adopted
On October 10, 2024, the Cyber Resilience Act (CRA) was adopted. This means that from November 2027, new EU-wide minimum security requirements will apply to a large number of networked devices and their software.
Vulnerability reporting obligations will even apply from August 2026, with product manufacturers in particular being held accountable: They must ensure that their products meet the security criteria for the European market — with a few exceptions — regardless of the industry.
There are three things you should consider now!
First: Setting up a rapid response team for emergencies
If manufacturers become aware that vulnerabilities in their products are being exploited, they must in future notify the European Union Agency for Cybersecurity (ENISA): They must issue an initial warning within 24 hours and provide further details on the nature of the vulnerability and possible countermeasures within 72 hours. In addition, they must be reachable at all times for people who wish to report security vulnerabilities, and they must monitor whether vulnerabilities become known in software components supplied by third parties that are built into their products.
All this is part of the tasks of a Product Security Incident Response Team (PSIRT): Manufacturers who have not yet established a PSIRT should urgently address this, as the obligations mentioned must be fulfilled from June 2026 for all products on the market — even those that were launched long before the CRA came into force!
Secondly: Threat and risk analyses as a central instrument
Essentially, the CRA requires manufacturers to regularly analyze their products for security risks and to integrate security measures adapted to these risks. Companies must firmly embed threat and risk analyses for all products in the development process: In this way, they systematically identify threats, assess the respective security risk and derive well-founded, targeted protective measures and countermeasures.
The security level of the software can thus be raised continuously and, above all, appropriately. Developers gain a new level of security awareness, and expensive but ultimately unnecessary measures are avoided.
Thirdly: Overview by analyzing the current status
The first two steps are important, but not enough: companies need to know exactly which requirements of the Cyber Resilience Act (CRA) they already meet — both in their internal processes in the product life cycle and in their specific products. Even if there are still no uniform standards for the CRA, experts agree that the existing standard for industrial cyber security, IEC 62443, provides good guidance. Companies should therefore not wait and see, but should carry out an analysis of their current status now.
This allows you to derive measures and prepare for the implementation of the CRA at an early stage, which saves valuable time!