The Cyber Resilience Act: Why Manufacturers Must Act Now

The clock is ticking for the Cybersecurity Resilience Act

Europe’s Cyber Resilience Act (CRA) became law on Dec. 10, 2024, and its full application begins on Dec. 11, 2027. While that may sound distant, some critical obligations start much earlier, such as:

• June 11, 2026 – Application of rules for conformity assessment bodies
• Sept. 11, 2026 – Mandatory reporting of actively exploited vulnerabilities within 24 hours, followed by detailed reports within 72 hours and final reports within 14 days.
• Dec. 11, 2027 – Compliance with CRA requirements required for all products with digital elements to remain on the EU market.

Manufacturers that miss these deadlines risk fines up to 10 million euros or 2% of global turnover, product recalls or loss of market access.

The harmonized standards myth

On April 3, 2025, the European Commission’s Standardization Request for the CRA was officially accepted by the European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC) and European Telecommunications Standards Institute (ETSI).

These organizations are tasked with developing harmonized standards that will provide manufacturers with a presumption of conformity to CRA requirements. The commitment is clear: deliver these standards at least one year before the CRA enters full application in December 2027. However, manufacturers shouldn’t wait. Instead, they should build secure-by-design practices, vulnerability management systems and prioritize supply chain due diligence now. Delays in standard publication could leave businesses exposed.

It’s important to note that harmonized standards under the CRA are voluntary, not mandatory. Manufacturers may choose alternative standards that demonstrate compliance with the Essential Requirements in Annex I. In many cases, these alternatives may require only minor adjustments (“deltas”) to achieve full conformity.

Commonly referenced standards may include ISO/SAE 21434, EN IEC 62443, EN 18031 series, and ETSI EN 303 645.

Many manufacturers are waiting for harmonized standards to be finalized before acting. That may lead to challenges such as missed timelines. While CEN/CENELEC, and ETSI have committed to delivering these standards at least one year before full CRA application, delays are possible and preparation for manufacturers shouldn’t wait.

Details for standardization include:

• Standardization Request Accepted: April 3, 2025, by CEN, CENELEC and ETSI.
• Mandate – Develop 41 harmonized standards (15 horizontal and 25 vertical) to support CRA compliance
• Types of standards that are being developed can also act as guidelines to conformity assessment requirements:
• Horizontal standards – Product-agnostic, covering secure-by-default configurations and vulnerability handling:
  • Part 1: Principles of Cyber Resilience – Deadline: Aug. 30, 2026
    • EN40000-1-1 Vocabulary – “Providing the terms and conditions commonly used in the cybersecurity requirements”
    • EN40000-2-1 Principles of Cyber Resilience – “General cybersecurity principles and general risk management activities for all products, including generic elements to support the development of vertical standards. Addresses the process activities for security risk management during the total product lifecycle.”
  • Part 2: Generic Security Requirements – Deadline: Oct. 30, 2027
    • EN40000-1-4 Generic Security Requirements addressing:
      • Translates CRA Essential Product Requirements (Annex I part I) into:
        • Essential Product Requirements
        • Library of security controls with their objectives and assessment criteria
        • Mapping the essential requirements to the security controls
        • Building upon the EN18031-x series of standards with additional security controls
  • Part 3: Vulnerability Handling (Cybersecurity requirements for products with digital elements – Part 1‑3: Vulnerability Handling) – Deadline Aug. 30, 2026
    • Vulnerability handling – Specifies vulnerability handling both at process and product levels, and covers:
      • Vulnerability intake
      • Triage and validation
      • Remediation
      • Coordinated disclosure
      • Post‑release monitoring
      • Draft published: Published as prEN in Dec.  2025 2025
      • Targeted for harmonized EN status by Aug. 2026. 2026
• Vertical standards: Vertical standards are being developed by CEN/CENELEC and ETSI:
  • Deadline has been set for vertical standards to Oct. 30, 2026.
  • The request was to develop 28 standards
  • Cross-vertical (“common topics”) are identified and coordination is ongoing across all streams to ensure coherence during parallel drafting.
  • Vertical product-specific requirements are elaborated on, and underway through the working groups:
    • Developed by CEN/TC 224 WG17, which include “Personal Identification and related personal devices with Secure Element, systems, operations and privacy in a sectorial environment”
      • Important Class I – Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometrics (#16)
      • Critical – Hardware Devices with Security Boxes (#39)
      • Critical – Smart Card Applications (#41b)
    • Developed by ETSI TC Cyber User which includes:
      • Important Class I – Standalone and embedded browsers (#17): password managers (#18) software that searches for, removes, of quarantines malicious software (#19) products with digital elements with the function of virtual private networks (#20): network management systems (#21); physical and virtual network interfaces (#25) security information and event management (SIEM) systems (#22); boot managers (#23); operating systems (#26); Public key infrastructure and digital certificate issuance software (#24): routers, modems intended for the connection to the internet, and switches (#27): smart home general purpose virtual assistants (#31); smart home products with security functionality (#32); certain internet connected toys (#33); personal wearable products (#34);
      • Important Class II: Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments (#35); firewalls, intrusion detection and/or prevention systems (#36).
    • Developed by CLC/TC 47X WG1-4 Semiconductors and Trusted Chips Implementation:
      • Important Class I – Microprocessors and microcontrollers with security-related functionalities (#28, #29)
      • Important Class II – Tamper-resistant microprocessors and microcontrollers (#37 and #38)
      • Critical: Smartcard or similar devices, including secure elements (shared with CEN/TC 224) (#41)
    • Developed by CLC/TC 65X WG3 “Industrial-process measurement, control and automation”
      • Developments based on EN IEC 62443 based on the existing projects to update the broad verticals
        • EN IEC 62443-4-1:2018/prAA
        • EN IEC 62443-4-2:2019/prAA
      • Implementations include:
        • Important Class I – Products with digital elements with the function of virtual private networks (VPN) (#20), Network management systems (#21), security information and event management (SIEM) systems (#22), physical and virtual network interfaces (#25), routers, modems intended for the connection to internet, and switches (#27)
        • Important Class II – Firewalls, intrusion, detection and/or prevention systems, including specifically those intended for industrial use (#36)
    • Developed by CEN/CLC/JTC 13/WG6 “Product Security”
      • Critical: Smart meter gateways within smart metering (#40)
• Delivery Commitment: Harmonized standards to be published at least one year before Dec. 11, 2027 (full CRA application date).
• Summary of expected milestones:
  • Type A principles standard – August 2026
  • Horizontal standards – October 2027
  • Vertical standards – October 2026

Approach to compliance for CRA

Due to the complexity and comprehensive nature of the CRA, demonstrating compliance will also require focused and sustained effort from manufacturers. Instead of waiting for the onset of harmonized standards, here are steps to take now:

• Implement secure-by-design integration across product development
• Integrate vulnerability management systems capable of 24-hour reporting
• Create software bill of materials (SBOM) for every product and component
• Align supply chains, including third-party and open-source components

Supply chain due diligence addresses hidden risks

CRA introduces a cascading chain of responsibility. Manufacturers are accountable not only for their own products but also for all integrated components, including firmware, hardware and open-source software. To meet these requirements, manufacturers must:

• Perform rigorous vendor risk assessments.
• Implement processes for documented vulnerability handling.
• Continuously monitor third-party components.

Failing to manage supply chain security could derail compliance, even if your own systems are robust.

A practical approach to CRA compliance

Review these steps for what manufacturers should do now to prepare for the publication of harmonized standards.

Awareness and readiness

• Subscribe to real-time regulatory updates, for example, UL Solutions Global Compliance Management Software.
• Launch training programs to build internal expertise, including the EU Cyber Resilience Act (CRA) Training or request custom or product-specific training workshops.

Gap assessment

• Conduct a CRA gap analysis to establish a baseline against a number of existing standards or processes available
• Map vulnerabilities and compliance gaps across the product portfolio

Supply chain alignment

• Implement due diligence processes for all vendors, including free and open-source software components that have not been made available on the market. The appropriate level of due diligence depends on the nature and the level of cybersecurity risk associated with a given component, and should include one or more of the following actions:
  • Verifying, as applicable, that the manufacturer of a component has demonstrated conformity with this Regulation, including by checking if the component already bears the CE marking
  • Verifying that a component receives regular security updates, such as by checking its security update history
  • Verifying that a component is free from vulnerabilities registered in the European vulnerability database
    
    Reference: Guidance note: (34 Regulation - 2024/2847 - EN - EUR-Lex)
• Require SBOMs and security attestations from suppliers and engage in best practice principles towards compliance 

Technical preparation

• Begin testing against existing horizontal and vertical standards
• Develop secure-by-design practices and vulnerability reporting workflows 

Documentation and certification 

• Prepare technical files for pre-certification gap analysis
• According to risk categories of products, leverage compliance options

Life cycle management

• Plan for ongoing surveillance and compliance audits post-certification.

Why a turn-key delivery model is the answer

This approach can provide end-to-end coverage, from awareness to certification and life cycle support. Process management frameworks with structured support and progress metrics help build shared accountability among manufacturers, component vendors and chip suppliers. Ultimately, this reduces time-to-market while advancing regulatory alignment. 

Supporting your CRA compliance strategy 

Because the CRA represents a significant regulatory shift and it’s crucial that manufacturers don’t put off compliance efforts until the publication of harmonized standards. Early action, combined with a turn-key delivery model, helps support compliance readiness,  strengthen cybersecurity and position your brand as a trusted leader in an increasingly security-conscious market.

At UL Solutions, we offer manufacturers comprehensive support to help understand CRA challenges, support compliance efforts and make measurable progress. Let’s connect and get started.