04-09-2026 Article

Cyber Resilience Act: Who Is Affected and What Companies Need to Know Now

Update Data Protection No. 243

The Cyber Resilience Act (CRA) came into effect in December 2024 and will fundamentally change the regulatory framework for digital products in the EU. Since then, a transition period has been underway during which companies must adapt their products, development processes, and compliance structures to the new cybersecurity requirements. The first obligations for manufacturers to report vulnerabilities and security incidents will take effect as early as September 11, 2026. Starting December 11, 2027, all CRA requirements will then become mandatory. Many companies are not yet aware that they fall within the scope of the regulation at all. Software developers and providers of connected products, in particular, often do not view themselves as “manufacturers” in the regulatory sense. Below, we outline which products and stakeholders are covered and provide an initial overview of the CRA’s key obligations.

I. Who the CRA Applies To

1. Manufacturers

The manufacturer is the central figure of the CRA and, at the same time, the economic actor subject to the most far-reaching obligations. The definition in Art. 3(13) CRA is decisive:

A manufacturer is any natural or legal person who develops a product with digital elements, or has one developed or manufactured, and places it on the market under their own name or brand. What is decisive, therefore, is not so much the actual technical manufacturing as the presence on the market.

Based on this, two requirements can be identified:

First, the company must develop the product with digital elements itself or have it developed or manufactured by a third party. Actual technical manufacturing in-house is not required.

Second, the company must market the product under its own name or brand. This “placing on the market under its own label” is the central distinguishing criterion: whoever appears to market participants as the responsible provider is the manufacturer – regardless of whether the development was actually carried out in-house or entirely by third parties.

Against this background, the following scenarios in particular should be classified as manufacturers:

  • Traditional manufacturers: Companies that develop hardware or software themselves and distribute it under their own name.
  • Software developers: Companies that exclusively develop and distribute software (e.g., apps, operating systems, or other standalone software) are also manufacturers, provided that the software is made available as a standalone product.
  • Quasi-manufacturers (white-label): Companies that have products or software developed or produced by third parties but distribute them under their own brand are also considered manufacturers.
  • Platform or system providers: To the extent that they market their own products with digital elements under their own name (e.g., bundled hardware and software solutions), they are also classified as manufacturers.

Conversely, someone who is involved in the development or production but does not themselves supply the product to the market is not a manufacturer. Nor does it matter whether the product is provided for a fee or free of charge.

The legal presumptions of manufacturer status are also of particular practical relevance: An importer or distributor becomes a manufacturer if they place a product on the market under their own name or brand, or make a substantial change to a product. As a result, the role of manufacturer can “shift” along the supply chain, a fact that is often overlooked in practice.

Overall, the CRA’s definition of a manufacturer is deliberately broad. Companies that “only” develop software or distribute products under their own brand, in particular, should therefore carefully examine whether they are already classified as manufacturers under the Regulation, with the resulting comprehensive regulatory obligations.

2. Importers

An importer (Art. 3(16) CRA) is any natural or legal person established in the Union who places a product with digital elements from a third country on the Union market for the first time. The decisive factor is thus solely the function as a “point of entry” for non-EU products, not the company’s own involvement in development or manufacturing.

A prerequisite is that the product continues to be marketed under the name or brand of the third-country manufacturer. In this case, the original supplier remains the manufacturer, while the importing company is classified as the importer. In practice, therefore, importer status is often not permanent but may cease to apply due to rebranding or product modifications.

3. Distributors

A distributor (Art. 3(17) CRA) is any natural or legal person in the supply chain who makes a product with digital elements available on the Union market without altering its characteristics and without being a manufacturer or importer.

The defining characteristic is thus a purely distributive function. The distributor does not place products on the market themselves, but merely passes them on within the supply chain. This covers the entire distribution level, including wholesale, intermediate, and retail trade, as well as online distribution. As soon as a company modifies products or distributes them under its own name, it ceases to be a distributor and becomes a manufacturer. It is therefore decisive whether the activity remains limited to the unaltered transfer of products.

II. Key Obligations

The obligations under the CRA are largely tied to the respective role in the supply chain, with the manufacturer facing the most comprehensive set of obligations. Central to this are, in particular, cybersecurity requirements throughout the entire product lifecycle, including secure product design, vulnerability management, and the provision of security updates.

In contrast, importers and distributors are subject to graduated due diligence and verification obligations. They may only make products available on the market if they meet the CRA’s requirements and must, in particular, verify compliance with formal conformity requirements.

All economic operators are required to take action in the event of identified risks or security incidents and to cooperate with manufacturers and authorities. The specific scope of these obligations depends crucially on the respective classification as a manufacturer, importer, or distributor.

III. Current Developments

An important step toward the practical implementation of the CRA was taken on March 3, 2026, with the publication of a draft guidance document by the European Commission. The guidance aims to make the regulation’s requirements – which have so far been somewhat abstract – more tangible for companies and to provide early guidance for the ongoing transition phase. Given that many companies still underestimate their role as manufacturers and the scope of their obligations, this document is of considerable practical importance.

In terms of content, the guidance specifically clarifies the requirements for secure product development (“secure by design” and “secure by default”). The Commission makes it clear that cybersecurity should not be an afterthought but must be systematically considered as early as the design and development phases. This includes, for example, structured risk analyses, secure default settings, and processes to minimize attack surfaces. Many companies will therefore have to fundamentally review and document their development processes.

Another key focus is on vulnerability management. The guidelines describe in detail how manufacturers must handle vulnerabilities – from establishing internal processes for identification and assessment, through coordinated disclosure procedures, to the timely provision of security updates. Particular emphasis is placed on the obligation to maintain a functioning vulnerability management system throughout the entire product lifecycle. In doing so, the Commission clarifies one of the most practically relevant and, at the same time, most resource-intensive sets of obligations under the CRA.

In addition, the Commission addresses questions regarding the scope of application. It clarifies that the CRA must be interpreted broadly and, in particular, as a rule also covers pure software products. In doing so, the guidance confirms the broad scope already inherent in the text of the Regulation and once again underscores that software providers, in particular, must closely examine their potential classification as manufacturers.

The guidance also provides further details regarding reporting obligations. In particular, it clarifies the requirements regarding the content, deadlines, and recipients of reports. This is of great importance for companies, as the relevant obligations will take effect as early as September 2026 and must be coordinated in practice with existing reporting obligations, e.g., from the NIS 2 Directive or the GDPR. The guidance already suggests that parallel compliance with multiple regimes may be necessary until harmonization occurs.

In this regard, the European Commission is working within the framework of the so-called Digital Omnibus to achieve a comprehensive simplification of digital law reporting obligations. The goal is to harmonize existing reporting obligations more closely and, in the long term, to consolidate them through central contact points (we reported on this in Data Protection Update No. 221 and No. 236). For companies, this could lead to a noticeable reduction in administrative burden in the medium term. In the short term, however, the legal landscape remains fragmented, meaning that the various reporting obligations must continue to be observed in parallel and coordinated organizationally.

IV. Conclusion and Outlook

The CRA already necessitates significant action today – especially for companies that have not yet recognized that they may be classified as manufacturers under the Regulation. The transition periods should therefore be actively utilized to clarify one’s own role and implement the necessary technical and organizational measures in a timely manner.

The guidance published by the Commission provides important direction in this regard but is not yet final. Companies currently still have the opportunity to participate in its further development: The Commission is conducting a consultation and accepting comments on the guidance until April 13, 2026.

In light of further developments – particularly within the framework of the Digital Omnibus – a progressive clarification and partial standardization of the requirements is also to be expected. Nevertheless, companies must set the course for CRA compliance now.

This article was created in collaboration with our student employee Emily Bernklau.
