CRA Obligations for Manufacturers: What You Must Do Under the Cyber Resilience Act

Are you a manufacturer under the Cyber Resilience Act? Learn the 7 mandatory obligations, from cybersecurity risk assessments to the strict 24-hour reporting deadline.

Written by Dimitri Page
December 13, 2025

Manufacturers carry the most extensive responsibilities under the Cyber Resilience Act (CRA). Whether inside or outside the EU, if you design, develop or market a product with digital elements under your own name, you are considered a manufacturer. The full CRA compliance framework applies to you from the moment you begin planning the product.

This article sets out your obligations, enriched with the nuances from the CRA FAQ.

Disclaimer: This content is provided for informational purposes only. The official text remains the authoritative reference.

Who Is a Manufacturer Under the CRA?

Under the CRA, a manufacturer is any natural or legal person who:

  • designs or develops a product with digital elements
  • has it designed or manufactured by another party
  • markets it under their own brand or trademark

Location does not matter. What counts is under whose name the product enters the EU market. If the product carries your brand, you must comply with the CRA from the design stage onward.

Obligations for Manufacturers Under the Cyber Resilience Act

The CRA embeds secure by design and secure by default principles throughout the product lifecycle. Your responsibilities begin long before launch and continue to the last day of the declared support period.

Below is a clear breakdown of what the law requires, with expanded insight from the CRA FAQ.

Meet the Essential Cybersecurity Requirements (Design → Delivery)

You must ensure the product meets essential cybersecurity requirements during:

  • planning
  • design
  • development
  • production
  • delivery
  • maintenance

This includes the full ecosystem of your product, such as remote data processing or backend components that influence security.

A cybersecurity risk assessment is mandatory.

Your risk assessment must:

  • identify cybersecurity risks linked to the product
  • consider intended purpose, foreseeable misuse and operating environment
  • determine which CRA requirements apply and how they are implemented
  • document how vulnerability handling processes meet CRA requirements
  • remain recorded, maintained and updated throughout the entire support period

The CRA does not mandate a specific methodology. Your approach must simply allow authorities to verify how risks are identified and addressed.

Third-party components

You must exercise due diligence to ensure that all integrated components, including open source, do not compromise cybersecurity.

The FAQ clarifies key points:

  • You may use CE-marked third-party components, but CE marking is not a full liability shield. You remain responsible for ensuring the final product meets CRA requirements.
  • If the component is not CE marked, you must validate its security using risk-based due diligence. Examples include reviewing SBOMs, vulnerability history and update practices, or conducting your own security testing.
  • If you patch a vulnerability in an open source component, you must share the fix upstream when appropriate.

This reinforces the CRA principle that manufacturers remain responsible for the security of the final integrated product.

Record All Cybersecurity Risks in Technical Documentation

Technical documentation must show how your product meets CRA obligations, including:

  • the complete cybersecurity risk assessment
  • design and development decisions
  • implemented security controls
  • vulnerability handling processes
  • evidence supporting your declared support period

Authorities rely on this documentation to verify conformity and investigate incidents, so it must be kept accurate and up to date.

Perform a Conformity Assessment

Before placing the product on the EU market, you must complete a conformity assessment demonstrating that:

This assessment forms the basis for CE marking.

Apply the Correct Labelling and Information

Manufacturers must ensure the product carries:

  • type, batch or serial number
  • visible, legible and indelible CE marking

The packaging or accompanying documentation must include:

  • name, trade name or trademark
  • postal address and digital contact details
  • company website
  • single point of contact for vulnerability reporting
  • location of the coordinated vulnerability disclosure policy
  • intended purpose and security relevant instructions
  • month and year of the end of the support period

This is not just administrative detail. It is part of what allows users and regulators to understand your product’s security posture.

Declare the Support Period

You must specify, with month and year, the end of the support period during which security updates will be provided.

The FAQ introduces two important nuances:

  • The support period must be at least five years unless the expected use time is shorter.
  • For long-lived products, five years is not enough. You must set a support period that reflects real-world use, the operating environment and the support cycles of integrated components.

Authorities may request justification for your declared duration.

Vulnerability Handling Obligations

Once placed on the market, your product must remain secure throughout the support period.

Manufacturers must:

  • provide free security updates as soon as possible
  • enable automatic installation by default unless users opt out
  • maintain a coordinated vulnerability disclosure process
  • track vulnerabilities in all components, including transitive dependencies
  • maintain a machine-readable SBOM covering at least the top-level components
  • disclose fixed vulnerabilities publicly in an appropriate manner

The FAQ clarifies two important points:

  • Remedies do not always need to be patches. Mitigations, configuration guidance or documentation updates can also be used when appropriate.
  • Products used in industrial or operationally sensitive environments may justifiably avoid automatic updates when they could cause disruption.

If a serious vulnerability cannot be remedied, withdrawal or recall may be required.
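The two bullets above draw a line a practitioner should keep straight: the machine-readable SBOM minimum covers top-level components, while vulnerability tracking must reach every component, transitive dependencies included. The script below is an added example, not code from the article or from ScanDog; it assumes a CycloneDX-style JSON SBOM (a `metadata.component` root, a `components` list and a `dependencies` graph keyed by `bom-ref`), and every product name, version and ref in the embedded document is constructed for illustration. It separates top-level from transitive components and flags refs that the dependency graph mentions but the component inventory does not declare, since such gaps leave a component that can never be matched against advisories.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM (subset of fields) for a hypothetical device
# firmware "acme-router-fw". Every name, version and bom-ref here is made up.
CONSTRUCTED_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "bom-ref": "pkg:generic/acme-router-fw@2.4.0",
        "name": "acme-router-fw", "version": "2.4.0"}},
    "components": [
        {"bom-ref": "pkg:generic/tls-lib@3.0.13", "name": "tls-lib", "version": "3.0.13"},
        {"bom-ref": "pkg:generic/http-client@8.6.0", "name": "http-client", "version": "8.6.0"},
        {"bom-ref": "pkg:generic/compress-lib@1.3.1", "name": "compress-lib", "version": "1.3.1"},
        # h2-lib is deliberately absent from "components" although the graph references it
    ],
    "dependencies": [
        {"ref": "pkg:generic/acme-router-fw@2.4.0",
         "dependsOn": ["pkg:generic/tls-lib@3.0.13", "pkg:generic/http-client@8.6.0"]},
        {"ref": "pkg:generic/http-client@8.6.0",
         "dependsOn": ["pkg:generic/compress-lib@1.3.1", "pkg:generic/h2-lib@1.60.0"]},
        {"ref": "pkg:generic/tls-lib@3.0.13", "dependsOn": []},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse a CycloneDX-style JSON SBOM."""
    return json.loads(text)


def _root_ref(sbom: dict) -> str:
    return sbom["metadata"]["component"]["bom-ref"]


def _graph(sbom: dict) -> dict:
    """Map each bom-ref to the refs it directly depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def top_level_refs(sbom: dict) -> set:
    """Direct dependencies of the product itself: the SBOM's top-level components."""
    return set(_graph(sbom).get(_root_ref(sbom), []))


def all_reachable_refs(sbom: dict) -> set:
    """Every component reachable from the product, top-level and transitive alike."""
    graph = _graph(sbom)
    seen, queue = set(), deque(graph.get(_root_ref(sbom), []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return seen


def transitive_only_refs(sbom: dict) -> set:
    """Components pulled in indirectly: not top-level, but still in vulnerability-tracking scope."""
    return all_reachable_refs(sbom) - top_level_refs(sbom)


def audit_sbom(sbom: dict) -> dict:
    """Cross-check the dependency graph against the declared component inventory."""
    declared = {c["bom-ref"]: c for c in sbom.get("components", [])}
    undeclared, incomplete = [], []
    for ref in sorted(all_reachable_refs(sbom)):
        comp = declared.get(ref)
        if comp is None:
            undeclared.append(ref)  # graph mentions it, inventory does not
        elif not comp.get("name") or not comp.get("version"):
            incomplete.append(ref)  # without name and version no advisory can be matched
    return {
        "top_level": sorted(top_level_refs(sbom)),
        "transitive_to_track": sorted(transitive_only_refs(sbom)),
        "undeclared_refs": undeclared,
        "incomplete_components": incomplete,
    }


if __name__ == "__main__":
    for key, value in audit_sbom(load_sbom(CONSTRUCTED_SBOM_JSON)).items():
        print(f"{key}: {value}")
```

Run against the constructed document, the audit lists `tls-lib` and `http-client` as top-level, `compress-lib` and `h2-lib` as transitive components that still need tracking, and reports `h2-lib` as undeclared. The same walk over a real SBOM is what a vulnerability-tracking pipeline needs before it can match components against advisories.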

Reporting Obligations (Starting September 2026)

From 11 September 2026, manufacturers must report:

  • actively exploited vulnerabilities
  • severe cybersecurity incidents

This applies to all in-scope products, including those placed on the market before December 2027.

Deadlines for actively exploited vulnerabilities:

  • within 24h → early warning
  • within 72h → vulnerability notification
  • within 14 days → final report after remediation is available

Reports must include:

  • details of the vulnerability
  • evidence of exploitation
  • mitigation steps taken
  • actions users can take

Deadlines for severe cybersecurity incidents:

  • within 24h → early warning
  • within 72h → incident notification
  • within 1 month → final incident report

Patching legacy products is not always an obligation under the CRA

The FAQ clarifies that the CRA does not require manufacturers to patch legacy products when it is no longer technically feasible.

This typically applies to situations where:

  • the product relies on outdated architectures or dependencies that cannot be modified without a full redesign
  • required security fixes would fundamentally break the product or introduce disproportionate risks
  • the product has reached the end of its support period as defined by the manufacturer

In such cases, the CRA does not force manufacturers to perform impossible or unreasonable engineering work on legacy products. Instead, manufacturers are expected to demonstrate that they exercised due care by:

  • defining a clear support period upfront
  • assessing feasibility as part of their cybersecurity risk assessment
  • documenting why remediation is no longer technically possible
  • informing users of residual risks where relevant

More importantly, this does not remove all obligations. Even when patching is no longer feasible, reporting obligations for actively exploited vulnerabilities may still apply, and manufacturers remain accountable for decisions taken during the product’s lifecycle.

This clarification confirms that the CRA is not a retroactive "patch everything forever" regulation, but a proportional, risk-based framework grounded in technical reality rather than theoretical perfection.

Why Manufacturers Must Take CRA Obligations Seriously

The Cyber Resilience Act marks a shift from voluntary best practices to enforceable product security obligations. For manufacturers, this means:

  • deeper documentation
  • ongoing risk management
  • secure by design and secure by default requirements
  • strict vulnerability reporting timelines

It also creates a market where trustworthy, secure products have a clear advantage in Europe.

Tools such as ScanDog help streamline CRA readiness by automating vulnerability detection, SBOM visibility, evidence collection and compliance reporting workflows, reducing the operational burden on engineering and security teams.
