EU Cyber Resilience Act Requirements: Core Duties & Market Roles

Apr 21, 2026 | Cyber Security / Digital & Product Solutions / Digital Trust

Understanding the EU Cyber Resilience Act requirements (CRA) can feel complex, but its impact is straightforward: cybersecurity is becoming a key element for market access in the European Union.
Developed to harmonize cybersecurity across the EU, the CRA introduces clear legal obligations for manufacturers, importers, and distributors of products with digital elements. With the regulation becoming fully applicable on 11th December 2027, the clock for compliance is ticking. If you place digital products on the EU market, the question is no longer whether this regulation applies to you – but how it will impact your organization.

From Production to Market Placement: EU CRA Obligations for Manufacturers

The CRA introduces mandatory cybersecurity requirements for any digital product placed on the EU market. For manufacturers, it marks a real turning point - reshaping how products are designed, developed, and produced, while extending accountability directly into the device’s operational lifecycle. Cybersecurity is not a checkbox anymore, but a continuous responsibility for securing what matters most: people, organizations, and critical systems.
Against this backdrop, the CRA places a set of core obligations on manufacturers, including:
From the earliest design decisions through development, manufacturers are expected to adopt a secure-first approach, embedding cybersecurity straight away into the product architecture. In practice, this means building devices with secure configurations and robust protections against unauthorized access, engineering security in from day one.
When third-party components are integrated, this responsibility doesn’t stop. Manufacturers must perform due diligence to ensure external components don’t compromise the overall cybersecurity of the device.
As risk assessment is a prerequisite for market access, manufacturers must go through a comprehensive cybersecurity risk assessment and document its outcomes within the technical file. Put simply, this means identifying and evaluating cybersecurity risks, capturing the findings in a technical report, and completing the required conformity assessment before placing the product on the EU market.
What happens once conformity is approved? Manufacturers affix the CE marking to the product, proving compliance with the CRA.
Transparency is the backbone of the Cyber Resilience Act (CRA). To ensure that consumers can confidently access products with adequate cybersecurity assets, producers are called upon to provide clear identification details and easy-to-understand instructions. This includes:
  • A product identifier that enables traceability.
  • The product’s registered name or trademark.
  • Relevant digital contact details.
  • A website where the manufacturer can be reached, if applicable.
  • Clear information and instructions that support secure use of the product.
CRA duties don’t end once the product reaches the market. Manufacturers are expected to actively report exploited vulnerabilities and other severe incidents impacting the product’s security. This EU Cyber Resilience Act requirement applies to all devices with digital elements made available on the EU market – including those already placed before 11th December 2027.

EU Cyber Resilience Act Requirements: What it Means for Distributors

Distributors are an essential checkpoint in the supply chain. Before making a product available on the EU market, they must verify that both manufacturers and importers have fulfilled their respective compliance obligations, including:

Completing the Distribution Channel: CRA Obligations for Importers

As importers place products from third countries on the EU market, they are expected to check that those devices comply with the EU Cyber Resilience Act requirements. Some key responsibilities of importers under the CRA are:
  • Verification Before Market Placement: before placing a product on the EU market, importers must verify that it complies with CRA obligations. This covers checking that the necessary technical documentation is included and that the product contains clear instructions for use.
  • Provide Technical Documentation: for at least 10 years after digital devices are placed on the EU market - or for the entire support period, whichever is longer - importers must retain a copy of the declaration of conformity and keep it available for market surveillance authorities.

    In addition, they must be prepared to deliver all necessary information and technical documentation to demonstrate that the product complies with the essential cybersecurity requirements.

How to Prepare for Cyber Resilience Act Requirements?

Failing to comply with the EU Cyber Resilience Act requirements can come at a high cost. Non-compliance may lead to fines up to €15 million or up to 2.5% of global annual turnover – which could be even higher. Beyond financial penalties, delays in alignment with the regulation can not only negatively impact market access but also damage brand trust.
Preparing early isn't just about reducing risks – it actually gives you a competitive advantage. If you’re transitioning from RED-DA to the CRA framework or need to comply directly with CRA, understanding the game becomes essential.
Here’s how our experts support your product security journey:
  • CRA Trainings: built on hands-on technical expertise, our training programs help your team understand the regulation and develop a clear, actionable CRA readiness strategy.
  • CRA Evaluation Services: get well-structured evaluation services aligned with draft and harmonized standards, as well as other recognized frameworks mapped to the essential requirements of the regulation.
  • CRA Third-Party Assessment & Certification: at DEKRA we will leverage our experience as a Notified Body to support our clients throughout the conformity assessment and certification process.
The CRA timeline is moving. Get in touch with our experts and lead your organization through CRA compliance with confidence!