September 25, 2025
Cyber Resilience Act - More Than Just Product Security
Written by: Hans Gunneng Tømmerbakk
Is the Cyber Resilience Act Only About Products?
Many manufacturers believe the Cyber Resilience Act is primarily concerned with ensuring products are secure when they are made available on the market. But the CRA requires the manufacturer to be responsible for the security of the product throughout its entire lifecycle.
The CRA specifies several requirements that are not necessarily tied to a single product. Vulnerability handling, incident reporting, long-term support and disclosure are some examples of activities that become mandatory for manufacturers.
Ongoing Responsibilities
The CRA is clear that security is not static and compliance cannot be treated as a one-time event. Non-compliance can occur even if the product was compliant at the time it was made available on the market.
To meet the regulation, manufacturers must be ready to:
- Continuously test and review the security of their products.
- Know their supply chain, including the components in use (via Software Bill of Materials, or SBOMs) and whether those components remain supported.
- Provide long-term security updates throughout the entire support period (a minimum of 5 years), ensuring customers are not left with vulnerable products.
Manufacturers that view the CRA as merely another “certification step” risk failing their customers and falling short of compliance.
Helpful Standards to Build On
A new horizontal EU standard on vulnerability handling, designed to align directly with the CRA, is expected to be released in 2026.
However, several existing standards already give practical guidance on how to meet some of the requirements:
- ETSI TR 103 838 – Coordinated Vulnerability Disclosure
- ISO/IEC 29147 – Vulnerability Disclosure
- ISO/IEC TR 5895 – Vulnerability Handling
Starting now not only ensures a smoother transition once the CRA becomes mandatory but also provides customers with assurances that their products are secure.
Why Reporting Matters
One of the most challenging parts of the CRA is its reporting requirement. Suppose a manufacturer becomes aware of a vulnerability that is being actively exploited in one of their products. They must report it within 24 hours. Significant incidents must also be reported quickly, and the manufacturer must provide follow-up updates as more information is gathered.
Meeting the reporting deadlines is not as simple as it may look. Without suitable internal processes, manufacturers may not have the required information ready within the timeframe. Manufacturers must strengthen their internal communication and escalation practices.
For customers, this is good news. Faster reporting means vulnerabilities are addressed more quickly, and transparency is no longer optional. Instead of hidden fixes, users can expect a more open and responsive approach to cybersecurity.
How Nemko Can Help
Navigating the Cyber Resilience Act’s ongoing requirements can be challenging, especially as obligations extend far beyond the initial product launch. At Nemko, we understand that compliance is not just a checkbox—it’s a continuous journey that requires expertise, vigilance, and the right processes.
Our services include:
- Cybersecurity risk assessments to identify vulnerabilities and align with EU requirements.
- Testing against relevant standards.
- Support in CE marking preparation, ensuring your products meet the requirements.
- Advisory and training services to help your teams integrate cybersecurity into products and related services.
As your trusted regulatory partner, Nemko helps you reduce risks, accelerate compliance, and enter the European market with confidence.
Hans Gunneng Tømmerbakk
Hans Gunneng Tømmerbakk holds a BSc in Computer Engineering from UiA and is currently working as the Technical Manager at the Nemko cybersecurity laboratory in Taiwan. He is a certified penetration tester as well as being experienced in IoT evaluations & testing to several international standards, including e.g., EN...
