CRA reporting requirements for manufacturers begin in 2026


The Cyber Resilience Act (CRA) will have its first direct regulatory impact in 2026. Manufacturers of digital devices, machines, and systems with an Internet connection will be required to comply with new reporting and security obligations. This is highlighted by ONEKEY, a Düsseldorf-based cybersecurity company that operates a platform for analysing device firmware for security vulnerabilities and CRA compliance.

Reporting requirement for manufacturers from 11th September 2026

The CRA officially came into force on 10th December 2024, setting out a key timeline for affected companies. From 11th September 2026, manufacturers will be required to actively report exploited vulnerabilities as well as serious security incidents. Under the regulation, manufacturers must notify the relevant authorities of security vulnerabilities and security-related incidents as soon as they become aware of them, and within strict time limits. To support this process, the EU Agency for Cybersecurity (ENISA) is establishing a centralised CRA single reporting platform (SRP), through which all reports must be submitted in future.

The CRA’s comprehensive requirements, including security by design, lifecycle management and CE marking under CRA conformity assessment, will apply in full from 11th December 2027. “The operational phase of the Cyber Resilience Act will begin in 2026,” said ONEKEY CEO Jan Wendenburg.

Starting on 11th June 2026, the first conformity assessment bodies (CABs) will begin checking product conformity. These CABs are accredited, independent testing laboratories, so manufacturers will be able to obtain external CRA conformity certification from them. Wendenburg explained the urgency of this process: “The manufacturers concerned must have their internal processes, documentation, technical evidence, and safety requirements in place by then at the latest so that a CAB can test their products.” External conformity assessment is mandatory for products with a high security risk (CRA classes “critical” and “highly critical”), such as critical infrastructure components, IoT devices with high damage potential, and industrial control systems.

“However, a self-declaration is sufficient for around 90% of all networked products,” Wendenburg clarified. This is a declaration by the manufacturer that the digital product meets the CRA’s requirements and is being legally placed on the market. The declaration must include a detailed conformity assessment, which can be carried out via the ONEKEY platform. From 11th December 2027 onwards, products without such a declaration may no longer be sold on the EU market.

Manufacturers must act now

Wendenburg explained: “It’s time for manufacturers to subject their networked devices, machines, and systems to a CRA conformity assessment.” From his experience with such tests on the ONEKEY platform, he knows that “gaps often emerge, and many of them are difficult to resolve. Manufacturers should be prepared to invest the necessary time, money, and personnel to meet the legal requirements that will be imposed on them.” As examples he cites vulnerabilities in external software from partners outside the EU who have little understanding of CRA compliance, purchased components with incomplete documentation, and open-source software.

Wendenburg added that the first step for manufacturers is to create a software bill of materials (SBOM) for each networked product, which is often challenging in practice. The purpose of an SBOM is to identify software components that may contain vulnerabilities that could be exploited by attackers, enabling them to be addressed quickly and systematically. To this end, the CRA requires a comprehensive inventory of all software elements, including programs, libraries, frameworks, and dependencies, along with their exact version numbers. Manufacturers must also document licensing information, authorship, and any known vulnerabilities or security gaps associated with each component. According to Wendenburg, many manufacturers struggle to meet these requirements because they do not receive sufficient or reliable information from their suppliers. “Many SBOMs are incomplete, outdated, or lack the necessary context around vulnerabilities,” he said. “Such SBOMs fail to meet the mandatory documentation standards under EU regulations and offer little practical value for compliance or security purposes.”
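A minimal completeness check of the kind the paragraph above calls for, as an added example that is not ONEKEY's platform code: it walks a constructed, CycloneDX-style SBOM and reports components lacking an exact version, licence, supplier/author, or analysis context for a listed vulnerability. The JSON layout, the sample component names and the vulnerability ids are assumptions made up for the illustration.

```python
"""Added example (not ONEKEY's code): check a CycloneDX-style SBOM for the
component fields the CRA expects, i.e. exact version, licence, supplier or
author, and analysis context for any listed vulnerability.  The JSON layout
and the sample document below are constructed for illustration."""
import json

# Constructed sample SBOM with deliberately uneven component quality.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"bom-ref": "pkg:openssl", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:zlib", "name": "zlib", "version": "",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"bom-ref": "pkg:blob", "name": "vendor-blob", "version": "1.2"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:openssl"}],
         "analysis": {"state": "not_affected"}},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:zlib"}]},
    ],
})

# Fields each component must carry; an empty string or list counts as missing.
REQUIRED = ("name", "version", "licenses", "supplier")


def check_sbom(sbom_json: str) -> dict:
    """Return {component name: [gap descriptions]} for every component that
    fails a completeness rule; an empty dict means the SBOM passed."""
    sbom = json.loads(sbom_json)
    # Index vulnerability records by the bom-ref of the component they affect.
    vulns_by_ref = {}
    for v in sbom.get("vulnerabilities", []):
        for a in v.get("affects", []):
            vulns_by_ref.setdefault(a.get("ref"), []).append(v)
    gaps = {}
    for c in sbom.get("components", []):
        problems = [f"missing {f}" for f in REQUIRED if not c.get(f)]
        for v in vulns_by_ref.get(c.get("bom-ref"), []):
            # A vulnerability listed without an analysis state tells the
            # reader nothing about whether the product is actually affected.
            if not v.get("analysis", {}).get("state"):
                problems.append(f"{v.get('id')} lacks analysis state")
        if problems:
            gaps[c.get("name") or c.get("bom-ref", "?")] = problems
    return gaps
```

Running `check_sbom(SAMPLE_SBOM)` flags zlib (no version, no supplier, vulnerability without analysis) and vendor-blob (no licence, no supplier) while openssl passes.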

Most of the effort can be automated

CRA requirements, however, extend well beyond providing an accurate SBOM. Manufacturers must implement security measures during the design and development phases of their products. These requirements include secure software and hardware designs, clear vulnerability management guidelines, end-to-end risk management, and mandatory security updates throughout defined product lifecycles. “These measures must be implemented, evaluated, documented, and verified,” said Wendenburg, outlining the effort involved.

He concluded: “The first implementation phase of the Cyber Resilience Act is undoubtedly a milestone for digital security in Europe, but it also requires considerable effort from manufacturers.”