If you sell a digital product in Europe, a new law now says it has to be secure. That’s the Cyber Resilience Act.
It covers manufacturers, importers, and distributors. The rules apply to things like smart home devices, mobile apps, and business software. The point is to build security in from the start, and to keep providing updates that fix vulnerabilities.
We’re already working this way on our projects. Security checks happen during design now, not just at the end.
You should figure out if this law applies to you. The next section explains who in the supply chain is responsible.
Cyber Resilience Act Compliance Highlights
Before looking at the details, it helps to understand the main ideas behind the Cyber Resilience Act and who it affects.
- Any organization placing a product with digital elements on the EU market must comply with the EU Cyber Resilience Act.
- Compliance obligations apply to manufacturers, importers, distributors, and even non-EU vendors targeting EU customers.
- Security responsibilities extend across the product lifecycle, including vulnerability management, incident reporting, and ongoing security updates.
Who Has to Follow the Cyber Resilience Act?
If you sell a digital product in Europe, the Cyber Resilience Act applies to you. It’s a new law for the EU market.
The European Parliament created this law to cover cybersecurity across many industries, not just one. It applies to almost any product that can connect to a network.
So, what is a “product with digital elements”? It’s any item, hardware or software, that relies on code and can connect to a network, even indirectly. The European Commission says these products are a major target for attackers today.
As highlighted by the Federal Office for Information Security (BSI):
“The Cyber Resilience Act is the first European regulation to set a minimum level of cybersecurity for all connected products available on the EU market… This includes low-cost consumer products as well as B2B software and complex high-end industrial systems.” – Federal Office for Information Security
In simple terms, the scope includes:
- Smart devices like Wi-Fi routers, security cameras, and smart home gadgets.
- Standalone software, such as mobile apps and business tools.
- Industrial control systems used in factories and operational technology (OT) settings.
- Connected hardware like Internet of Things (IoT) sensors and gateways.
Many of our teams now define it as “anything that runs code and talks to a network.” That definition covers most modern products, making this law much broader than older IT security rules.
This wide scope is on purpose. The European Union Agency for Cybersecurity (ENISA) has warned for years that poor security in everyday devices creates risks for the entire European market.
Who Exactly Needs to Comply?
The law assigns clear duties to three main roles in the supply chain: manufacturers, importers, and distributors. Penalties for getting it wrong can be huge, up to €15 million or 2.5% of a company’s worldwide revenue.
It’s easy to underestimate how your role affects what you need to do. EU product laws place the heaviest burden on the companies at the beginning of the chain, the manufacturers.
As noted by the European Commission:
“The new rules will rebalance responsibility towards manufacturers, who will have to ensure that products with digital elements made available on the EU market are cyber secure… Those that place these products on the market must be held responsible for their safety.” – European Commission
Each operator has to work with market surveillance authorities and help prove their products meet the rules.
Here’s a quick summary of the responsibilities:
| Operator Role | Main Job | Common Examples |
| --- | --- | --- |
| Manufacturer | Design secure products and prove they comply | Software companies, device makers |
| Importer | Check that products from outside the EU meet the CRA rules | A distributor bringing in IoT hardware |
| Distributor | Make sure only compliant products are sold | Online retailers, resellers, app stores |
This structure matters for a few clear reasons.
- The company that creates the product carries the main weight of responsibility.
- Their duty to ensure security doesn’t expire; it lasts as long as the product exists.
- From start to finish, everyone involved needs to keep proper records for market surveillance checks.
ENISA will also manage a system for reporting vulnerabilities and serious incidents. They believe this centralized approach will help Europe respond faster to large-scale cyber threats.
What Makes You a “Manufacturer”?
You are a manufacturer if you design, develop, brand, or significantly change a digital product before it’s sold in the EU. This means software developers and hardware companies have the same legal duties.
We’ve worked with many teams who thought “manufacturer” only meant a company that builds physical devices. The regulation’s definition is actually much wider.
You’re probably considered the manufacturer if you control a product’s design or put your name on it. Common examples are:
- Companies making hardware with built-in firmware.
- Publishers of desktop, mobile, or business software.
- SaaS providers that require users to install a client agent.
- Any business that rebrands a white-labeled digital product.
Manufacturers have the longest list of jobs because they control security from the very start.
Their main jobs are to:
- Build security into their development process from the design phase.
- Keep detailed technical documentation and records of their risk assessments.
- Issue an official EU Declaration of Conformity.
- Provide security updates for the product’s supported lifetime.
In our own training, we’ve found the best first step is to strengthen secure coding practices. When developers make security checks, validate software dependencies, and manage a Software Bill of Materials (SBOM) as part of their normal work, meeting the CRA’s requirements later becomes much simpler.
Many teams start by understanding the cyber resilience act overview for developers so they know where security expectations begin in the development lifecycle.
Standards organizations like CEN and CENELEC are also creating official harmonized standards. Following these will help manufacturers prove they comply with the law.
What Do Importers Have to Do Under the CRA?

If your company is based in the EU and you bring in digital products from outside the EU to sell, you are an importer. Your job is to check that these products follow the CRA rules before they hit the market.
The European Commission sees importers as a crucial checkpoint. You make sure non-compliant products don’t enter the European Single Market.
Specifically, you must verify a few key things:
- That the manufacturer has gone through the proper conformity assessment procedure.
- That the product has the correct CE marking.
- That a valid EU Declaration of Conformity exists, and that you can produce it if asked.
You also have to keep records so the product can be traced, and you must cooperate with market surveillance authorities if there are any problems.
Let’s say a company in Asia makes smart sensors and sells them through your EU-based distribution business. You become the importer. You are responsible for checking the Asian manufacturer’s technical documentation to confirm their security measures are up to standard.
From what we’ve seen, an importer’s workflow usually involves three steps:
- Validating all the manufacturer’s paperwork.
- Confirming the product has the right labels and CE marking.
- Keeping your own records for at least 10 years, in case regulators ask to see them.
These steps come straight from the European Commission’s guidance. Their goal is to protect the EU market by making importers the gatekeepers.
What About Distributors and Resellers?
Distributors make sure only compliant products get to customers. You must check for CE marking and basic documentation before you sell a product in the EU.
Many online retailers and app stores think they have no real responsibility under this law. That’s wrong. Even though you don’t design the product, you are still part of the chain that gets it to users.
Your main duties are straightforward:
- Check that the CE marking is present and looks correct.
- Make sure the product comes with the required user instructions and safety info.
- Do not sell a product if you know it doesn’t comply.
You also have a role to play if something goes wrong. If a serious security flaw is found, you might need to:
- Stop selling the product immediately.
- Help organize a product recall with the authorities.
- Assist with any investigation into the incident.
The European Commission expects distributors to help with incident reporting and fixing problems. This responsibility is getting more important as supply chains for things like smart devices and software become more complex.
What If My Company Isn’t In the EU?

Yes, you still need to comply. If you sell a digital product to users in the European Union, the Cyber Resilience Act applies to you, no matter where your headquarters are located.
The law is designed to protect EU users. Jurisdiction is based on where the product is available, not where your company is based.
This means it affects many types of global businesses:
- Software developers who let EU users download their apps.
- IoT device makers who sell connected hardware through EU retailers.
- SaaS companies that provide an installable agent or client software to EU customers.
Most non-EU companies handle this by setting up a simple structure:
- Appointing an authorized representative based inside the EU to act for them.
- Completing the required conformity assessment procedure for their product.
- Keeping all their technical documentation and security advisories up to date and available.
In our training, we’ve helped teams prepare for this. The most practical thing you can do is build security in from the start with good secure coding practices and keep a clear software bill of materials (SBOM).
Doing this foundational work makes the later compliance steps for risk management and handling vulnerabilities much easier to manage. Many organizations also review how the cyber resilience act affects software development so global teams understand how compliance changes engineering workflows.
The European Union Agency for Cybersecurity (ENISA) also runs systems for reporting vulnerabilities, and they encourage companies to engage with their security incident response teams proactively.
What’s Not Covered by the CRA?
If you’re working on an open source project as a hobby, and you’re not making money from it, you probably don’t need to worry about the new EU rules. The Cyber Resilience Act was written to leave non-commercial developers alone. The goal is to keep community projects going without a lot of paperwork.
But it’s not a blanket free pass for all open source code.
Here are the main things that are usually exempt:
- Open source software that isn’t part of any business.
- Pure services (like consulting) that don’t involve selling a physical or digital product.
- Products already covered by other strict EU laws, like those for medical devices or cars.
The tricky part comes when free software meets commerce.
- That open source library gets packaged into a smart home device you sell.
- The free operating system you modified comes pre-installed on a laptop.
- A company pays you to maintain and support your project.
Let’s say you build a cool tool and put the code on GitHub for anyone to use. Under the CRA, you’re likely fine. But if a big company takes your code, puts it inside their new internet router, and sells it across Europe, they are now responsible. They have to make sure that the router meets all the security rules.
The idea is simple: the company making the final product is accountable for its security.
Figuring Out If Your Team Needs to Follow the CRA

So, does this new law apply to your work? If your organization sells any digital product that connects to a network in Europe, it probably does. The rules cover the whole journey of a product, from the first line of code to years after it’s on the market.
For many teams, the first step is simply understanding the CRA scope and applicability so they can determine whether their products fall within the regulation and what responsibilities follow.
Here’s a straightforward way to check.
Ask yourselves these questions:
- Does our product run on software?
- Do we sell or distribute it in the European Union?
- Is this part of our business (commercial activity)?
- Are we the maker, the importer, or the distributor?
This table can help you decide quickly.
| Question for Your Team | What It Likely Means |
| --- | --- |
| Does the product run software? | It’s probably a “product with digital elements.” |
| Is it sold in the EU? | The CRA likely applies to you. |
| Is this for your business? | You’ll need to comply. |
In our own training, we’ve found that teams that already practice secure coding and manage their software components well have a much easier time. If you’re already thinking about security from the start and keeping a list of what’s in your software (an SBOM), you’re already on the right path.
FAQ
Who must comply with the Cyber Resilience Act in the European Union?
The Cyber Resilience Act applies to companies that place products with digital elements on the European Union market. This includes manufacturers, importers, and distributors of connected digital products.
If a business sells a product with digital elements in the European Single Market, it must meet the CRA’s cybersecurity requirements and maintain product security during the entire product lifecycle.
Do small companies or open source developers need to follow CRA requirements?
Small companies and software developers may still fall under the EU Cyber Resilience Act if they sell digital products or connected devices. The law focuses on market activity, not company size.
Some open source software projects may have limited obligations. However, organizations that distribute products with digital elements must still manage cybersecurity risks and follow the required security requirements.
What security responsibilities exist after selling digital products in the EU?
The Cyber Resilience Act requires companies to maintain security after a product is sold. Businesses must provide security updates, perform vulnerability management, and handle vulnerabilities when issues appear.
If data breaches or severe incidents occur, companies must complete incident reporting and follow reporting obligations. These actions support risk management and protect users from new cyber threats.
How do companies prove their products meet CRA cybersecurity requirements?
Companies must complete a conformity assessment procedure required by this EU Regulation. The assessment checks whether a product with digital elements meets the essential cybersecurity requirements and security measures listed in Annex I. Some critical products require review by a notified body.
After approval, the company prepares technical documentation, issues a declaration of conformity, and applies the CE mark.
Which authorities enforce the Cyber Resilience Act in EU Member States?
Enforcement is handled by market surveillance authorities in Member States of the European Union. These authorities review CE marking, check technical documentation, and confirm that companies follow conformity processes.
They may also examine vulnerability management, incident reporting, and other cybersecurity requirements. Coordination with the European Commission helps ensure consistent enforcement across the European Single Market.
Preparing Your Team for Cyber Resilience Act Compliance
Regulation is coming, but readiness does not start with policy documents. It starts with developers who understand secure code. Teams that practice security every day move faster, fix fewer issues later, and ship software people trust.
If you want practical experience, consider joining the Secure Coding Practices Bootcamp. It is two focused days of real coding labs, OWASP Top 10 lessons, and clear habits developers can carry back to their teams immediately and confidently.
References
- https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html
- https://ec.europa.eu/commission/presscorner/detail/en/ip_23_6168