EU CRA Adopted! What Manufacturers Need to Know About What’s Coming

As of October 10, 2024, the EU Cyber Resilience Act (CRA) is officially adopted, triggering a countdown for manufacturers to comply with its requirements. Although the CRA has a built-in transition period, companies need to begin complying with various reporting and notification requirements in mid-2026 and ensure their connected products are compliant by early 2027 if they wish to continue selling within the European market.

Here’s a quick refresher on what the CRA is and why manufacturers need to pay attention to its far-reaching impacts. 

What is the CRA?

The CRA is a landmark regulation designed to enhance the security of connected products like IoT devices, embedded systems, and critical infrastructure technologies. It sets baseline cybersecurity requirements for both hardware and software throughout their lifecycle, ensuring vulnerabilities are addressed in near real-time.

Similar to how the GDPR reshaped global data privacy practices, the CRA is expected to have far-reaching impacts not only in the EU but across global markets. All manufacturers (including those outside the EU) must adhere to these rules if they wish to sell their products in the EU. Suppliers to those manufacturers will also need to comply (and provide documentary evidence of their compliance) if they want to continue doing business with their manufacturing customers.

Key Requirements for Manufacturers

Under the CRA, manufacturers will need to:

• Design products with cybersecurity as a core feature throughout the development process
• Implement vulnerability management that includes continuous monitoring and regular assessments
• Provide regular security updates for the life of each product (a minimum of five years)
• Disclose known vulnerabilities and provide clear documentation of components used in products with a software bill of material (SBOM)

Why You Should Act Now

With the final adoption of the CRA, the clock is ticking for manufacturers to prepare. Given long development cycles and complex supply chains for connected products, it’s crucial to begin integrating compliance measures now. Products that are currently in development but expected to launch after the CRA’s requirements come into force need to comply with these new regulations now. Manufacturers should begin integrating security and compliance measures immediately to avoid potential delays or market access issues down the line.

• No Grandfathering of Existing Products – The CRA does not allow for any existing or in-development products to be “grandfathered” into compliance. Any of your products set to launch after early 2027 (and any substantial modifications to products launched before early 2027) will need to meet the CRA’s stringent cybersecurity requirements from day one. If your product lifecycle spans several years, waiting to implement these changes could result in costly delays or inability to access the EU market.
• Complexity of Security Integrations – Compliance is not a simple, one-time process. The CRA mandates a holistic approach to security that includes secure-by-design principles, vulnerability management, and long-term monitoring. Integrating these elements into existing development pipelines requires time, resources, and expertise. If you delay, you may face bottlenecks to retrofit security into products already deep in the development cycle.
• Compliance Costs Will Increase Over Time – The cost of compliance is always lower when it’s baked into the development process from the start. Early integration of security measures allows manufacturers to reduce costs by streamlining compliance efforts and avoiding expensive rework. Waiting until the enforcement date likely means higher expenses from rushed modification, third-party audits, and last-minute security patches.
• Regulatory Penalties are Steep – Non-compliance with the CRA results in fines up to €15,000,000 or 2.5% of global annual turnover (whichever is higher). Additionally, products that fail to meet the CRA’s requirements will be banned from sale within the EU, leading to potential loss of market share.
• Global Regulatory Ripple Effect – The CRA is expected to have a global impact, similar to the GDPR. Other markets, including the U.S., are already considering or implementing cybersecurity regulations targeting connected products (see the Department of Commerce’s proposed ruling for connected vehicles). Compliance with the CRA will help you be proactively compliant with emerging regulations in other regions.

Compliance with Finite State

The clock is ticking on CRA enforcement, and the time to act is now. By starting early, you can build compliance-ready products, cut costs, and avoid the last-minute scramble to meet regulations.

This is where Finite State can make a difference. Our comprehensive software supply chain security solution helps you meet the CRA’s requirements – from secure-by-design development and SBOM management to continuous vulnerability monitoring and real-time remediation. With our platform, compliance isn’t just a box to check – it’s integrated into every step of your product’s lifecycle.

Backed by government-grade expertise and a deep understanding of connected device ecosystems, Finite State ensures your products meet the CRA’s strict standards. Our experience in securing IoT ecosystems and navigating the complexity of software supply chains means we understand the specific challenges you face. With Finite State, build secure, resilient products for the future.

Talk to an in-house expert to learn more.