April 3, 2026

The first deadlines of the European Cyber Resilience Act (CRA) are looming. Companies that sell digital products in the European Union face a September 11, 2026 deadline to comply with the CRA's vulnerability and incident reporting requirements. Industry leaders working with embedded software, however, warn that many are not prepared.
Passed into law in 2024, the CRA makes cybersecurity a basic product safety requirement rather than a voluntary best practice. Under the CRA, companies must embed cybersecurity across the entire product lifecycle, from design and development to updates and vulnerability reporting, or face steep fines. It’s a move that fundamentally changes the way that products are designed, says Giuseppe Guagliardo, senior product manager for NXP Semiconductors.
A digital product can no longer earn a CE (Conformité Européenne) mark without meeting the CRA's security requirements, which affects both new products and existing product lines that continue to be placed on the EU market once the requirements apply in full.
“Cybersecurity becomes a condition for CE marking, rather than something to be added later in the process. This means product design teams must adopt security-by-design from the very start and security can no longer be an afterthought,” Guagliardo said. “This shifts security from a feature to be optimized into a continuous responsibility embedded across the entire product lifecycle.”
The law requires manufacturers to design products with security in mind, monitor and fix vulnerabilities throughout a product’s lifecycle, provide security updates, and quickly report actively exploited vulnerabilities and major cyber incidents to authorities.
According to industry leaders, one of the biggest challenges with the CRA has been going beyond a compliance mindset. Preparing for the CRA involves more than checking boxes or implementing a few new security features, says Radoslaw Kotewicz, embedded services delivery director at software development partner Software Mind.
“(Adopting the Cyber Resilience Act) requires rethinking the entire product design and development process. Security must be embedded across the full lifecycle of the product, from architecture and development to deployment, updates, and vulnerability management,” Kotewicz said.
In some cases, this means a radical overhaul of an organization’s structure.
For example, the CRA requires detailed documentation and regularly updated Software Bills of Materials (SBOMs). In order to have complete visibility into its software supply chain and to generate complete SBOMs, every department in an organization has to be connected. However, this is often not the case, says Matt Soltau, vice president of global strategy & operations for integration platform-as-a-service company IntelliPaaS, which works with German auto suppliers and sports car brands. Most organizations’ departments are siloed, he said.
“You want to make sure that engineering, security, procurement, legal, and regulatory are all connected,” he said. “These departments, from engineering to regulatory, they never talk to each other. But they must.”
According to Soltau, the CRA is often looked at as a hardware or product security problem. In reality, he said, it is a data lineage problem.
“If your embedded systems cannot talk securely to your central data layer, you will probably fail an audit, regardless of how good your deployed hardware might be,” he said.
Organizations need to take action now to prepare for CRA adoption, but industry leaders say that many companies are lagging behind.
“Most organizations have built none of the internal infrastructure this demands, and the September 2026 reporting deadline arrives before the technical requirements even take full effect,” said Collin Hogue-Spears, senior director of product management for Black Duck.
The CRA grew out of concerns in the EU about insecure connected devices and software, which created cross-border cybersecurity risks and exposed gaps in product security regulation. Drafting began in 2021, and the European Commission published its proposal in September 2022. After review and adoption by the European Parliament and Council, the regulation was published in late 2024 and entered into force on December 10, 2024. Implementation is phased: the reporting obligations apply from September 11, 2026, and the regulation applies in full to all products with digital elements placed on the EU market from December 11, 2027.
The CRA applies to all products with digital elements, but lands with particular force on embedded and connected devices: exactly the kinds of products that helped trigger EU concerns in the first place.
One of the most challenging parts of CRA compliance for connected products is ensuring that a product’s entire supply chain is secure and compliant, including chips, firmware, operating systems, and other digital elements.
“While the legal responsibility remains with the manufacturer placing the product on the EU market, this increases the importance of choosing suppliers that can provide transparent security documentation and long-term support,” Guagliardo said. “For example, NXP supports this by providing secure-by-design technologies and detailed security documentation and evidence, including SESIP and Common Criteria certificates, application notes, and more to help manufacturers address these upstream dependencies.”
Although the act is already in force, its obligations apply in phases, and the first to bite is the September 11, 2026 reporting obligation. From that date, manufacturers that become aware of an actively exploited vulnerability in their product, or of a severe incident affecting its security, must send an early-warning notification to the authorities (the designated national CSIRT and ENISA) within 24 hours, followed by a fuller notification within 72 hours and a final report later. Noncompliance with these obligations carries fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
“If I was a CIO, CTO, or CEO, that September 11 deadline would keep me up at night if I didn’t regularly have it on my board's agenda,” Soltau said.
Ideally, organizations should have started preparing for CRA adoption in 2025, but for those that haven’t, Soltau offers some advice: classify everything, from connected products to internal processes.
“Most organizations will need to (re-)discover what's in their own products. The SBOM forces vendors to be self-aware and assume liability for all elements that are commercially used, including open-source code. Depending on complexity, this discovery can take months,” he said.
It’s important for organizations to map out a plan for SBOMs, specifying who owns them and how they will be maintained. Soltau also noted the tight reporting windows about to go into effect in September.
“The discovery of vulnerabilities needs to be automated as much as possible,” he said. “You want to be one step ahead. The last thing you want is your company’s name on a vulnerability board.”
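The two practical steps above, knowing exactly what is in the product and automating the check of that inventory against known vulnerabilities, can both be driven from the SBOM. The following is an added example, not code from the article or from any vendor quoted in it: it loads a constructed CycloneDX 1.5 JSON SBOM, flags components that lack the version or package URL needed to match them reliably, warns when the SBOM itself is older than a chosen threshold, and matches the remaining components against a constructed advisory list by package name and fixed-in version. The SBOM contents, component names, advisory identifiers and the 90-day staleness threshold are all assumptions made for illustration; a real pipeline would pull advisories from a vulnerability database and handle vendor-specific version schemes.

```python
"""Audit a CycloneDX SBOM for completeness, staleness and known-affected components.

Added example, not code from the article or any vendor named in it. The SBOM,
the advisories and the 90-day freshness threshold are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed sample SBOM (CycloneDX 1.5 JSON). Component names are fictional.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-03-01T00:00:00Z",
        "component": {"type": "firmware", "name": "gateway-fw", "version": "3.2.0"},
    },
    "components": [
        {"type": "library", "name": "tls-lite", "version": "2.1.0",
         "purl": "pkg:generic/tls-lite@2.1.0"},
        {"type": "library", "name": "mqtt-client", "version": "4.0.2",
         "purl": "pkg:generic/mqtt-client@4.0.2"},
        {"type": "library", "name": "bootloader-hal",
         "purl": "pkg:generic/bootloader-hal"},          # no version recorded
        {"type": "operating-system", "name": "rtos-core", "version": "3.5.0"},  # no purl
        {"type": "library", "name": "logging-min", "version": "1.0.0-rc1",
         "purl": "pkg:generic/logging-min@1.0.0-rc1"},    # pre-release tag
    ],
})

# Constructed advisory list (fictional identifiers, not real CVE data):
# a component is affected if its version is below the fixed-in version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-2026-001", "purl_name": "tls-lite", "fixed_in": "2.1.3"},
    {"id": "ADV-2026-002", "purl_name": "mqtt-client", "fixed_in": "4.0.0"},
]

# Fixed "current date" so the staleness check is deterministic (assumption).
SAMPLE_NOW = datetime(2026, 9, 11, tzinfo=timezone.utc)


def parse_version(text):
    """'1.2.11' -> (1, 2, 11). Returns None for anything non-numeric so that a
    tagged or vendor-formatted version is reported instead of silently compared."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def purl_name(purl):
    """'pkg:generic/ns/tls-lite@2.1.0?arch=arm#src' -> 'tls-lite'."""
    body = purl.split(":", 1)[1]                        # drop the 'pkg:' scheme
    body = body.split("?", 1)[0].split("#", 1)[0]       # drop qualifiers and subpath
    body = body.split("@", 1)[0]                        # drop the version
    return body.rsplit("/", 1)[-1]                      # last path segment is the name


def audit_sbom(sbom_json, advisories, now, max_age_days=90):
    """Return findings: incomplete components, SBOM staleness and affected components."""
    sbom = json.loads(sbom_json)
    findings = {"missing_version": [], "missing_purl": [], "unparseable_version": [],
                "affected": [], "stale": False}

    generated = datetime.fromisoformat(sbom["metadata"]["timestamp"].replace("Z", "+00:00"))
    findings["stale"] = (now - generated).days > max_age_days

    for comp in sbom.get("components", []):
        name, version, purl = comp["name"], comp.get("version"), comp.get("purl")
        if version is None:
            findings["missing_version"].append(name)
        if purl is None:
            findings["missing_purl"].append(name)
        if version is None or purl is None:
            continue  # cannot match an advisory reliably without both identifiers
        parsed = parse_version(version)
        if parsed is None:
            findings["unparseable_version"].append(name)
            continue
        for adv in advisories:
            if adv["purl_name"] == purl_name(purl) and parsed < parse_version(adv["fixed_in"]):
                findings["affected"].append((name, version, adv["id"]))
    return findings


def run_sample():
    """Audit the constructed SBOM against the constructed advisories."""
    return audit_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES, SAMPLE_NOW)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Every component that cannot be matched is surfaced as its own finding rather than dropped, because an SBOM entry without a version or package URL is exactly the gap an auditor will ask about. The staleness flag turns "regularly updated" into a measurable property: if the SBOM's own timestamp is older than the threshold, the inventory is treated as unreliable before any vulnerability matching is trusted.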