EU CRA Compliance: Essential Guide for UK IoT and Connected Product Makers

While the UK has stepped away from the European Union, one thing hasn’t changed for businesses looking to sell digital products across Europe: compliance with the EU’s Cyber Resilience Act (CRA).

In force since December 2024, the CRA is transforming cybersecurity standards for digital products sold in the EU market. For UK manufacturers, software developers, and connected product makers, it’s critical to understand how these new rules apply and how to avoid being shut out of one of the world’s largest digital markets.

Let’s unpack what the CRA means specifically for UK businesses and how you can prepare without duplicating compliance efforts or running afoul of new European rules.

Why UK Companies Can’t Ignore the CRA

Despite Brexit, UK businesses are still affected by EU laws when they place products on the EU market. The CRA applies to:

• Hardware manufacturers
• Software developers
• Any business creating Products with Digital Elements (PDEs)
  
  

If you’re selling into Europe, you must prove your products are secure by design and remain secure throughout their lifecycle. Otherwise, you risk:

• Fines of up to €15 million or 2.5% of global turnover (whichever is higher)
• Product recalls or bans from the EU market
• Damage to your reputation with EU customers and partners
  
  

Understanding the CRA

At its core, the CRA requires that all products with digital elements (PDEs)— both hardware and software—meet a defined set of cybersecurity standards. These standards cover the entire lifecycle of the product, from design and development to maintenance and end-of-life. 

Key expectations include:

• Designing products secure by default and secure by design
• Proactively identifying and managing vulnerabilities (including built-in capabilities for vulnerability management)
• Delivering timely security updates
• Ensuring supply chain transparency through tools like SBOMs (Software Bill of Materials)
  
  

Key CRA Timelines

While the CRA is already in force, there’s a transition period allowing organizations time to adapt. Here are the crucial dates:

• September 11, 2026 – Obligation to report identified vulnerabilities to relevant authorities begins. This means any security flaws identified must be disclosed appropriately and managed in accordance with the CRA framework.
  
  
• December 11, 2027 – Full compliance becomes mandatory, including conformity assessments and ongoing security management.
  
  

What This Means for Software-Defined Product Creators

Let’s break down the major impacts for teams building software-defined products.

1. Broader Security Responsibility for Developers

Under the CRA, software developers take on increased accountability. This goes well beyond just writing secure code—it means designing products with security built-in from the start, conducting formal risk assessments, and managing cybersecurity incidents and vulnerabilities long after the product has been deployed. Developers need to ensure their solutions are not only technically sound but also compliant with the regulatory expectations of the EU market.

In short, the CRA elevates cybersecurity to an ongoing business function, not a one-time engineering task.

2. Product Classification and Compliance Requirements

The CRA introduces a tiered risk classification system for products: 

• Default
• Important
• Critical

While lower-risk products (default) may undergo internal self-assessment, higher-risk categories (important and critical) must go through third-party conformity assessments. This means independent verification is required before these products can be placed on the EU market. 

The burden of proof now lies with the developer to show that their product meets all applicable security criteria.

3. Vulnerability Management is Mandatory

Under the CRA, manufacturers and software developers must implement robust vulnerability handling procedures, including:

• Establish vulnerability disclosure channels
• Respond swiftly to newly discovered security flaws
• Provide regular patches and updates, and maintain a secure update mechanism
• Monitor products for emerging threats—even years after launch

In short, there's now an expectation that developers actively monitor, respond to, and communicate about vulnerabilities in their product, even years after initial deployment. 

4. Supply Chain Visibility and SBOMs

Perhaps the most impactful—and practical—requirement is supply chain transparency via SBOMs. An SBOM details every software component in your product, including open-source libraries, third-party code, and their respective versions.

Why is this crucial?

• Traceability: Identify which products are affected when new vulnerabilities emerge.
  
  
• Regulatory Proof: Demonstrate compliance during audits or investigations.
  
  
• Customer Trust: Prove your software supply chain is secure.

For many organizations, building and maintaining SBOMs is a new and complex undertaking, especially when dealing with large codebases and diverse suppliers.

How UK Companies Should Prepare for the CRA

While Brexit reshaped many regulatory landscapes, UK businesses are not exempt from the CRA if they plan to sell products in the EU. Even if UK regulations diverge over time, the CRA’s requirements apply to any company entering the European market.

Here’s how UK developers should start preparing:

• Audit your product portfolio: Conduct full-spectrum cybersecurity risk assessments for each product destined for the EU market.
• Review your supply chain: Identify suppliers outside the EU whose components could trigger CRA compliance issues.
• Align vulnerability disclosure processes: Establish or enhance internal vulnerability management workflows and update internal security incident protocols.
• Implement SBOM management and documentation processes: Create and maintain clear documentation that evidences compliance, including technical files and security testing reports.
• Establish relationships with EU Notified Bodies: Partner with notified bodies (for higher-risk products) to facilitate required third-party assessments and clarify how UK testing labs or certification partners fit into EU conformity assessments.
  
  

The Broader Regulatory Landscape

The EU CRA doesn’t exist in isolation. 

The regulations listed below may apply to your organization and often overlap, but they generally work in harmony to achieve similar cybersecurity objectives. The CRA is intended to serve as a baseline framework; however, if any of these other regulations apply and impose stricter requirements, those requirements will take precedence over the CRA.

1. NIS2 Directive (Directive (EU) 2022/2555)

• Focus: Sets cybersecurity requirements for essential and important entities across sectors such as energy, health, and digital infrastructure.
  
  
• Status: In force since January 2023; Member States had to transpose it by October 2024.
  
  
• Relation to CRA: NIS2 targets organizational cybersecurity; CRA targets product cybersecurity.
  
  

2. General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

• Focus: Protects personal data and privacy of individuals within the EU.
  
  
• Relation to CRA: Both emphasize security by design and risk management concerning personal data.
  
  

3. Radio Equipment Directive (RED) (Directive 2014/53/EU)

• Focus: Ensures safety and compliance of radio and wireless equipment.
  
  
• Update: Cybersecurity requirements have been included since 2022 for devices connected to the internet.
  
  
• Overlap with CRA: CRA may complement or overlap with RED's cybersecurity mandates.
  
  

4. EU Cybersecurity Act (Regulation (EU) 2019/881)

• Focus: Establishes a cybersecurity certification framework for ICT products, services, and processes.
  
  
• Authority: Strengthens the role of ENISA (European Union Agency for Cybersecurity).
  
  
• CRA Link: CRA may leverage certification schemes developed under this Act.
  
  

5. Machinery Regulation (Regulation (EU) 2023/1230)

• Focus: Regulates the safety of machinery, including digital and connected systems.
  
  
• Effective Date: Applies from January 2027.
  
  
• CRA Connection: Some products will need to comply with both CRA and this regulation.
  
  

6. Artificial Intelligence Act (AI Act – pending final approval)

• Focus: Regulates AI systems based on their risk category, including requirements for safety, transparency, and cybersecurity.
  
  
• CRA Overlap: High-risk AI systems may require CRA-compliant cybersecurity measures.

How Finite State Helps UK Companies Navigate the CRA

Finite State offers a comprehensive platform designed to empower UK-based companies in navigating the complexities of the Cyber Resilience Act. Our platform offers:

• Automated Software Bill of Materials (SBOM) Generation: Finite State automates the creation and maintenance of accurate SBOMs, providing granular visibility into all software components, including open-source and third-party libraries. This directly supports the CRA's supply chain transparency requirements, enabling efficient vulnerability tracing.
• Proactive Vulnerability Management: The Finite State platform identifies and prioritizes vulnerabilities across your product's attack surface, leveraging advanced binary analysis and deep code insights. This facilitates timely patching and robust incident response, aligning with the CRA's demands for continuous vulnerability management.
• Continuous Risk Assessment and Monitoring: Finite State provides ongoing security posture assessments, highlighting potential compliance gaps and emerging threats throughout the product lifecycle. This empowers manufacturers to maintain a "secure by design" approach and demonstrate continuous adherence to CRA cybersecurity standards.
• Evidence Generation for Conformity Assessments: Our platform generates comprehensive security reports and documentation that can be leveraged to demonstrate compliance during internal self-assessments or third-party conformity assessments, streamlining the certification process.
• Operationalizing Secure Development Lifecycles: By integrating security into every stage of the development pipeline, Finite State helps organizations shift left, embedding security practices from design to deployment, thereby enabling true "security by design" as mandated by the CRA.

For UK-based companies—or any organization selling digital products into the EU—these capabilities not only simplify compliance but also build a stronger security posture and market trust.

Final Thoughts

The CRA is more than just a regulatory hurdle and another layer of post-Brexit complexity; it represents a move toward creating a stronger, more resilient digital infrastructure across Europe. 

For UK-based software-defined product creators, this presents an opportunity not only to comply but also to lead by example. By embedding robust security practices into the development lifecycle, UK-based developers can future-proof their products, build trust with their customers, and maintain access to one of the world’s largest digital markets.

Ready to future-proof your products for CRA compliance? Contact Finite State today to learn how we can help.