, , ,

Cyber Resilience Act enters delivery phase

Europe’s product cyber rules have reached a first implementation milestone as member states begin designating bodies to assess compliance.

Cyber Resilience Act enters delivery phase
Summary
  • The Cyber Resilience Act’s conformity-assessment provisions apply from 11 June 2026.
  • Member states must designate notifying authorities and prepare conformity bodies before full CRA application.
  • Hardware and software suppliers face a staged route towards cyber-by-design market-access rules.

The European Commission has reached a first practical milestone in the rollout of the Cyber Resilience Act, with provisions on notifying conformity assessment bodies applying from 11 June 2026.

The date does not bring the full regime into force, although it starts building the machinery that will decide whether many digital products can demonstrate compliance when the Act fully applies. Member states must designate notifying authorities responsible for assessing, designating, and notifying conformity assessment bodies.

The Cyber Resilience Act applies to hardware and software products with digital elements made available on the EU market. Its reach covers final products and components placed separately on the market, spanning connected devices, software, industrial technology, enterprise systems, and products used across public-sector environments.

The Commission’s implementation timetable shows the staged nature of the regime. Reporting obligations are due to apply from 11 September 2026, while full application follows on 11 December 2027.

Cyber security is therefore moving closer to formal product compliance. Manufacturers will need to meet essential cybersecurity requirements, manage vulnerabilities during the support period, provide secure-use information, carry out the appropriate conformity assessment, and in many cases draw up an EU declaration of conformity before placing products on the market.

That is a different model from the familiar pattern in which security updates, vulnerability disclosures, and patching obligations are handled mainly through contracts, customer pressure, or sector-specific rules. The Cyber Resilience Act turns baseline cyber obligations into part of the legal route to market for products with digital elements.

Enterprise technology suppliers will need to absorb the compliance burden into software development, product management, documentation, vulnerability handling, and customer-support processes. Security teams cannot treat CRA compliance as a certificate to be acquired at the end of the process. Product roadmaps, component inventories, support-period commitments, and technical files will need to be aligned before products reach customers.

The conformity-assessment milestone is particularly relevant for suppliers of important and critical products, where third-party assessment or recognised cybersecurity certification may be required. The capacity and consistency of notified bodies will affect how quickly businesses can move products through compliance without creating a bottleneck in the market.

The Act also raises practical questions for open-source software, components, and smaller suppliers. Businesses that rely heavily on third-party components will need a clearer picture of responsibility when vulnerabilities are found in shared dependencies, while importers and distributors will need to understand their own duties rather than assuming compliance sits only with manufacturers.

The direction of travel is now settled. Europe wants digital products sold into the single market to carry explicit cyber obligations throughout their lifecycle. Suppliers still have time before full application, but the administrative infrastructure is being assembled now. Waiting until 2027 to map products, dependencies, reporting processes, and conformity routes would leave too little room for engineering, documentation, and customer-contract changes.