The EU Cyber Resilience Act (CRA): What Product Manufacturers Need to Know

REGULATION

If your product has a digital component and you sell it into the EU, the Cyber Resilience Act applies to you, even if you are based in India, Taiwan, or the US. The deadlines are closer than most manufacturers realise, and “we’ll handle it later” is not a strategy.

If your product has a digital component (firmware, software, any network connectivity) and you sell it into the European Union, the Cyber Resilience Act (CRA) applies to you. It does not matter if you are headquartered in India, Taiwan, Japan, or the United States. It applies when the product enters the EU market.

The CRA entered into force in December 2024. Most obligations apply from December 2027. That sounds far away. It is not, once you account for product development cycles, certification lead times, and supply chain ripple effects. Manufacturers who have not started this conversation yet are already behind.

What the CRA actually requires

Three core obligations, at a high level.

1. Essential cybersecurity requirements

Products with digital elements must be designed, developed, and delivered in a way that ensures an appropriate level of cybersecurity. The CRA lists requirements including:

  • No known exploitable vulnerabilities at the time of placing on the market.
  • Secure-by-default configuration.
  • Ability to deliver security updates (and do so).
  • Protection of processed data and functions.
  • Access control.
  • Confidentiality and integrity protection of stored and transmitted data.
  • Logging and monitoring capability.
  • Resilience against denial-of-service.

These are product-level, not organisation-level, obligations. The product itself must meet them, and the documentation must prove it.

2. Vulnerability handling

Manufacturers must:

  • Identify and document vulnerabilities in their product and its components (including third-party components).
  • Remediate vulnerabilities without delay, free of charge, for the expected product lifetime (generally a minimum of five years, unless a shorter lifetime is properly justified).
  • Have a coordinated vulnerability disclosure (CVD) policy.
  • Publicly disclose fixed vulnerabilities, including descriptions and mitigations.

That “expected product lifetime” language is a big deal. Manufacturers can no longer ship and forget. Support obligations now extend years post-sale.

3. Incident reporting

Manufacturers must report:

  • Actively exploited vulnerabilities within 24 hours of becoming aware.
  • Severe incidents involving their product within 24 hours.
  • Follow-up notifications at 72 hours and a final report at 14 days.

Reports go to ENISA and to the national CSIRT. If you have never had a relationship with either, now is the time.

Who classifies as what, and why it matters

The CRA tiers products based on criticality:

  • Default-class products. Self-declaration of conformity is allowed.
  • Important products (Class I and II). Third-party conformity assessment or harmonised standard compliance required.
  • Critical products. Highest scrutiny; European cybersecurity certification scheme required.

Industrial equipment (PLCs, SCADA software, network appliances for OT) generally falls in the Important or Critical tiers. If you are an equipment vendor, assume third-party assessment is required unless your lawyer tells you otherwise.

What this means in practice

For OT equipment manufacturers:

  • Your product development lifecycle needs formal security activities: threat modelling, secure coding, security testing, pre-release security review. Informal is not enough.
  • You need an SBOM (Software Bill of Materials) for every product. Third-party components are no longer someone else’s problem.
  • You need a PSIRT (Product Security Incident Response Team) or equivalent. Vulnerability disclosure cannot be handled ad hoc by whoever is free.
  • You need a vulnerability disclosure page, a CVD policy, and a mechanism for researchers to report issues.
  • Your documentation needs to demonstrate compliance. The CRA is not a checkbox. It expects a paper trail that would survive an audit.

For fabs and industrial operators (buyers):

  • Your procurement process should require CRA conformity documentation from EU-bound suppliers.
  • Your supplier contracts need vulnerability disclosure, patching, and security update obligations aligned to CRA.
  • Your asset inventory should capture the SBOMs your suppliers provide, because they are the raw material for vulnerability management.
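To show what “raw material for vulnerability management” means in practice, here is an added example (not code from the article or from RelyBlue) that reads a constructed CycloneDX-style SBOM, matches its components against a constructed advisory feed with placeholder ids, and attaches the article’s 24-hour / 72-hour / 14-day reporting clock to any match flagged as actively exploited. Component names, versions and advisory ids are all invented for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed CycloneDX-style SBOM fragment for a hypothetical controller (not a real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libparse", "version": "1.2.3"},
    {"type": "library", "name": "netstack", "version": "4.0.1"},
    {"type": "application", "name": "ctrl-firmware", "version": "2.7"}
  ]
}"""

# Constructed advisory feed with placeholder ids (not real CVEs). A real feed would be
# NVD or vendor data, and matching would use version ranges rather than exact lists.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "libparse", "affected": ["1.2.3", "1.2.4"],
     "fixed": "1.2.5", "exploited": True},
    {"id": "ADV-PLACEHOLDER-002", "name": "netstack", "affected": ["3.9.0"],
     "fixed": "4.0.0", "exploited": False},
]

def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]

def cra_reporting_deadlines(aware_at_iso):
    """Reporting clock as stated in the article: 24h early warning, 72h follow-up, 14-day final report."""
    aware = datetime.fromisoformat(aware_at_iso)
    return {
        "early_warning": (aware + timedelta(hours=24)).isoformat(),
        "notification": (aware + timedelta(hours=72)).isoformat(),
        "final_report": (aware + timedelta(days=14)).isoformat(),
    }

def triage(sbom_json, advisories, aware_at_iso):
    """Match SBOM components against advisories; attach the reporting clock
    to any finding the feed marks as actively exploited."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["name"] == name and version in adv["affected"]:
                f = {"component": f"{name}@{version}", "advisory": adv["id"],
                     "fixed_in": adv["fixed"], "exploited": adv["exploited"]}
                if adv["exploited"]:
                    f["report_by"] = cra_reporting_deadlines(aware_at_iso)
                findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES, "2025-12-15T09:00:00+00:00"):
        print(json.dumps(f, indent=2))
```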

How the CRA relates to other standards

  • IEC 62443-4-1 (Secure product development lifecycle) and -4-2 (Technical requirements for components). These are the natural “how” behind the CRA’s “what.” Compliance to 62443-4-1/4-2 is not automatic CRA compliance, but it is roughly 70% of the way there.
  • ETSI EN 303 645 (Consumer IoT). The baseline for consumer devices, separate from industrial products but overlapping in scope for the CRA.
  • SEMI E187/E188/E191. Semiconductor-specific, pre-existing, complementary to the CRA for equipment sold into EU fabs.

A realistic 18-month plan for manufacturers

  • Months 1 to 3. Legal review of which products are in scope. SBOM generation for your current portfolio. Gap assessment against CRA requirements.
  • Months 4 to 9. Stand up a product security program (if you do not have one), including PSIRT, CVD policy, and secure SDLC practices.
  • Months 10 to 15. Fix the highest-priority product gaps. Prepare conformity documentation. Establish relationships with notified bodies if you need third-party assessment.
  • Months 16 to 18. Conformity assessment, final documentation, sales enablement and customer communications.

This plan assumes you start now. Start later and it gets expensive fast.

What happens if you do not comply

The fines are serious: up to €15 million or 2.5% of global annual turnover, whichever is higher, for the most serious breaches. More immediately, products that are not CRA-compliant can be withdrawn from the EU market by regulators. That is not a theoretical penalty. It is the end of your EU sales channel until you fix the problem.

RelyBlue provides CRA readiness assessments and product cybersecurity program design for OT and semiconductor equipment manufacturers. Get in touch to scope a CRA engagement.

- Mr. Shamikkumar Dave | 2025-12-15