If you manufacture products with digital elements — connected hardware, software, IoT components — the Cyber Resilience Act imposes precise and binding obligations. Here is everything you need to know and implement before the 2026 and 2027 deadlines.

1. Who is considered a manufacturer?

The CRA defines a manufacturer as any natural or legal person who designs or manufactures a product with digital elements, or has such a product designed or manufactured, and markets it under their name or trademark. This includes software publishers, connected hardware manufacturers, integrators branding products, and embedded component suppliers.

2. Pre-market obligations

2.1 Risk analysis and classification

Before placing a product on the market, you must conduct a complete cybersecurity risk analysis, classify your product according to CRA categories (Class I, Class II, or outside class), and determine the applicable conformity assessment procedure.

2.2 Technical documentation (Annex VII)

The technical documentation file must include: detailed product description and intended use, design plans and architecture, technical specifications and harmonized standards applied, cybersecurity risk analysis, security measures implemented (Annex I), SBOM, and vulnerability management procedures.

2.3 Security by design (Annex I)

The CRA requires products to be designed with security built in from the start: secure default configuration, secure update mechanisms, personal data protection, strong authentication and access management, and minimized attack surface.

3. Post-market obligations

3.1 Vulnerability management

You must establish an ongoing vulnerability management process covering the entire product lifecycle: monitoring vulnerability sources (CVEs, ENISA databases), impact analysis on your products (triage), VEX production, and security patch deployment.
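As an added illustration of the triage and VEX steps described above (example code, not from the original article or from any CRA guidance), the following Python matches a constructed SBOM excerpt against constructed advisories with placeholder identifiers and emits VEX-style statements; the component names, versions, advisory ranges and the plain dotted-version comparison are all assumptions.

```python
"""Triage constructed advisories against a constructed SBOM, emitting VEX-style records."""
import json

# Constructed SBOM excerpt (CycloneDX-like component list); not a real product.
SBOM = [
    {"name": "libtls-demo", "version": "2.4.1"},
    {"name": "jsonparse-demo", "version": "1.9.0"},
    {"name": "httpd-demo", "version": "3.0.2"},
]

# Constructed advisories with placeholder IDs. A component is vulnerable when
# affected_from <= installed version < fixed_in.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "component": "libtls-demo", "affected_from": "2.0.0", "fixed_in": "2.4.3"},
    {"id": "CVE-PLACEHOLDER-0002", "component": "jsonparse-demo", "affected_from": "1.0.0", "fixed_in": "1.8.5"},
    {"id": "CVE-PLACEHOLDER-0003", "component": "sqlite-demo", "affected_from": "3.30.0", "fixed_in": "3.31.0"},
]

def parse_version(v):
    # Assumption: plain dotted numeric versions, compared numerically so that
    # 2.10.0 > 2.9.0. Real SBOM data needs a PEP 440 / semver parser.
    return tuple(int(p) for p in v.split("."))

def is_affected(installed, affected_from, fixed_in):
    v = parse_version(installed)
    return parse_version(affected_from) <= v < parse_version(fixed_in)

def triage(sbom, advisories, product):
    """Return one VEX-style statement per advisory for `product`.
    Status and justification names follow OpenVEX vocabulary."""
    by_name = {c["name"]: c["version"] for c in sbom}
    statements = []
    for adv in advisories:
        version = by_name.get(adv["component"])
        if version is None:
            status, justification = "not_affected", "component_not_present"
        elif is_affected(version, adv["affected_from"], adv["fixed_in"]):
            status, justification = "affected", None  # needs a patch and, if exploited, reporting
        else:
            status, justification = "not_affected", "vulnerable_code_not_present"
        stmt = {"product": product, "vulnerability": adv["id"],
                "component": adv["component"], "status": status}
        if justification:
            stmt["justification"] = justification
        statements.append(stmt)
    return statements

def open_items(statements):
    """Vulnerability IDs that still require a security patch."""
    return [s["vulnerability"] for s in statements if s["status"] == "affected"]

if __name__ == "__main__":
    print(json.dumps(triage(SBOM, ADVISORIES, "example-gateway@5.1"), indent=2))
```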

3.2 Incident reporting (Article 14)

From September 11, 2026, three deadlines apply: an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident, a detailed notification within 72 hours via the Single Reporting Platform, and a final comprehensive report within 14 days.

4. Timeline

  • September 11, 2026: Article 14 reporting obligations apply
  • December 11, 2027: Full application — mandatory compliance for all products
  • After 2027: Market surveillance, penalties, and potential withdrawals

5. Penalties for non-compliance

Penalties are designed to be dissuasive: fines up to 15 million euros or 2.5% of global annual turnover, mandatory product withdrawal from the EU market, and potential criminal liability for directors in certain member states.

Do not underestimate the time required. Full compliance takes 6 to 18 months depending on product complexity. Start now with a free diagnostic.