Turning the Cyber Resilience Act into an advantage

Colleagues of Cyber Security
The Cyber Resilience Act (Regulation (EU) 2024/2847) has been in force since December 2024, but its obligations apply in phases. The first one that bites, the duty to report actively exploited vulnerabilities and severe incidents, arrives on 11 September 2026, and the remaining requirements apply in full from 11 December 2027. For anyone who makes, imports or distributes connected hardware or software products, now is a good moment to look at what it means. 

The CRA sets cybersecurity requirements for products with digital elements placed on the EU market, and those requirements run across the product lifecycle, from design through to the end of the support period. Any product whose intended or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or a network is likely to fall within scope, even when the manufacturer sits outside the EU. 

What does the CRA require?

At its core, the CRA is about looking after connected products properly, throughout their lifecycle. The main obligations for manufacturers: 

  • Vulnerabilities handled and fixed throughout a support period of at least five years (shorter only where the product is expected to be in use for less time), with each security update kept available for at least ten years after it is issued or for the rest of the support period, whichever is longer 
  • The support period stated clearly, on the product, its packaging or an easily found webpage, so customers know how long security updates will be provided 
  • Actively exploited vulnerabilities and severe incidents reported through the single reporting platform: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report afterwards (14 days for an exploited vulnerability, one month for a severe incident) 
  • A conformity assessment route that fits the product: self-assessment for the default class, with stricter procedures, and in many cases third-party involvement, for products classed as important or critical 

Non-compliance with the essential requirements can cost up to €15 million, or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. 

When does it enter into force?

The CRA rolls out in phases: 

  • 10 December 2024: the CRA entered into force 
  • 11 December 2025: the Commission is due to publish the technical descriptions that pin down the categories of important and critical products 
  • 11 June 2026: the rules on notifying conformity assessment bodies start to apply 
  • 11 September 2026: the reporting obligations for actively exploited vulnerabilities and severe incidents start to apply 
  • 11 December 2027: full compliance required, including the essential requirements on secure design and vulnerability handling 

Starting early gives organisations time to classify products, assess cybersecurity risks, define support periods, adapt vulnerability handling processes and prepare the required conformity documentation before the 2027 deadline. 

An obligation that can work in your favour

A legal requirement like this can also play to your advantage. Because every manufacturer has to meet the same essential requirements, document a support period and carry the CE marking, the CRA hands you a clear, comparable signal of quality, trust and cyber resilience. It tells customers the product was built to last, and that its maker stands behind it. 

The regulation also leaves useful flexibility. Products already placed on the market before the essential requirements apply are not caught retrospectively unless they are substantially modified afterwards, and for products that are in scope the essential requirements are applied on the basis of the manufacturer's own cybersecurity risk assessment. Existing measures therefore count where that assessment shows they already cover the relevant risks. In many cases, CRA readiness does not mean starting from scratch: much is already in place. The key is to assess, product by product, whether those measures sufficiently address the CRA requirements and to document the outcome in a way that stands up to scrutiny. 

How BDO helps

Getting to grips with the CRA is easier with a partner who keeps things practical. BDO's cyber security experts take a hands-on, pragmatic approach, which means you get clear, workable guidance rather than a thick framework to decode first. 

Every organisation is different, and your route through the CRA should be too. Together we shape it around your products and your reality, working as one team with yours. Whatever comes up, we tackle it together, rather than facing the regulation on your own. 

From the first product classification and risk assessment through to conformity, reporting and ongoing patching, our experts are here to guide you. 

Wondering how the Cyber Resilience Act applies to your products?  

Get in touch with our cyber security experts.

Mathias Lambrechts

Senior Consultant