CRA mandates security by design for digital products. Notification requirement starts Sept. 11, 2026. Find out what your company needs to do now.
Software developers reviewing code in a Belgian office in preparation for the Cyber Resilience Act

TL;DR: The Cyber Resilience Act (CRA) requires manufacturers, importers and distributors of products with digital elements to build in cybersecurity from design. The first notification requirement applies as early as Sept. 11, 2026, full compliance on Dec. 11, 2027. Belgian companies making software or connected hardware must start SBOM generation, vulnerability management and a Secure Development Lifecycle now.

Does your company make software, IoT devices or connected hardware? If so, the Cyber Resilience Act fundamentally changes the rules of the game. Whereas cybersecurity for digital products was a matter of best practices for years, the EU is now making it a hard requirement for market access. Similar to CE marking for physical safety, but for digital security. In this article you will read what the CRA means in concrete terms, what deadlines are coming and how to prepare your company.

What is the Cyber Resilience Act?

The Cyber Resilience Act, officially Regulation (EU) 2024/2847, is the first European legislation to impose mandatory cybersecurity requirements on all products with digital elements in the EU market. The regulation was published on Nov. 20, 2024, and entered into force on Dec. 10, 2024.

The core principle is security by design: manufacturers must build cybersecurity in from the initial design phase, not add it afterwards as an optional extra. This means that any product with a network or data connection, from a smart thermostat to an ERP package, must meet minimum security requirements before it is allowed to enter the European market.

The CRA is a regulation, not a directive. This difference is important: a regulation applies directly in all EU member states, without Belgium having to transpose the law separately. So what is in the CRA applies directly to your business.

Is your company covered by the CRA?

The CRA applies to any company that manufactures, imports or distributes a “product with digital elements” on the European market. The definition is deliberately broad: it includes any hardware or software product intended for direct or indirect connection to a network or device.

In practice, the CRA affects three groups of companies:

Manufacturers bear the heaviest responsibility. Whether you develop software in Ghent or assemble IoT sensors in Antwerp, if you design the product or market it under your name, you are a manufacturer within the meaning of the CRA. You must go through the entire compliance process, from secure development to post-launch vulnerability management.

Importers bringing products from outside the EU onto the Belgian market must verify that the manufacturer has followed the correct procedures. Do you discover a vulnerability? Then you are obliged to report it and may no longer offer the product.

Distributors verify that the product bears the CE mark and that manufacturer and importer have fulfilled their obligations.

Exceptions apply to products already covered by specific sectoral legislation, such as medical devices (MDR/IVDR), civil aviation products and motor vehicles. Pure SaaS solutions in principle fall outside the CRA and are handled under the NIS2 directive. Note that if your cloud solution is essential to the operation of a physical product, that software does fall under the CRA.

Open source software that is not offered commercially is exempt. But once you integrate open source components into a commercial product, the CRA obligations apply to that product.

What are the key CRA obligations?

The CRA imposes three core obligations on manufacturers that cover the entire life cycle of a product. Together, they force a fundamental shift: from reactive patching to proactive security.

1. Security by design and secure defaults

Products should be delivered without known exploitable vulnerabilities. Default settings must be secure, including the prohibition of weak default passwords. The attack surface must be minimized, with strong authentication and encryption as basic requirements.

2. Software Bill of Materials (SBOM)

Each manufacturer must maintain a machine-readable inventory of all software components, libraries and dependencies in the product. Think of it as an “ingredients list” for software. When a vulnerability pops up in an external library, as was the case with Log4j at the time, a current SBOM allows you to immediately determine if your product has been hit. The SBOM must be reviewed with each update and kept for 10 years. International standards such as CycloneDX and SPDX are accepted as formats.
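As an added illustration of the SBOM requirement described here (this is example code, not from the original article or from Cyberplan), the following Python script parses a CycloneDX JSON SBOM and flags every component whose version falls inside an advisory range, and separately flags components whose version is missing and therefore cannot be assessed. The SBOM, the advisory identifier and the affected version range are constructed for the example.

```python
import json
import re

# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical product (not a real inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "example", "name": "vendor-sdk"},  # version not recorded
    ],
})

# Constructed advisory feed: placeholder ID and illustrative range, not real CVE data.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]

def parse_version(version):
    """'2.14.1' -> (2, 14, 1). Numeric segments only; pre-release tags need a real version library."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def component_key(component):
    """Package identity without the version: the purl up to '@', else group/name."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    group, name = component.get("group"), component.get("name", "unknown")
    return f"{group}/{name}" if group else name

def find_affected(sbom_json, advisories):
    """Return (key, version, finding) for every component inside an advisory range,
    plus a 'version-missing' finding for components that cannot be assessed at all."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        key, version = component_key(comp), comp.get("version")
        if not version:
            findings.append((key, None, "version-missing"))
            continue
        for adv in advisories:
            affected = (parse_version(adv["introduced"])
                        <= parse_version(version) < parse_version(adv["fixed"]))
            if adv["package"] == key and affected:
                findings.append((key, version, adv["id"]))
    return findings
```

Running `find_affected(SAMPLE_SBOM, ADVISORIES)` reports the 2.14.1 copy of log4j-core and the unversioned vendor-sdk, while the patched 2.17.1 copy passes; a component without a version is a gap in the SBOM itself and should be treated as a finding, not silently skipped.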

3. Vulnerability management and security updates

Manufacturers must provide free security updates for the expected lifetime of the product, with a minimum of five years. Moreover, those updates should be separate from functional updates: users should not be forced to accept a heavier software version just to plug a security vulnerability.

When does the CRA go into effect? The timeline

The CRA is using a phased implementation. Not everything will be required at once, but the first operational deadline will come sooner than many companies realize.

| Date | Milestone | What it means |
|---|---|---|
| December 10, 2024 | Entry into force | The 36-month transition period begins |
| June 11, 2026 | Notification of conformity assessment bodies | Member states must have their procedures for CABs operational |
| September 11, 2026 | Reporting requirement in effect | Manufacturers must actively report exploited vulnerabilities and serious incidents |
| December 11, 2027 | Full application | All products on the market must comply and bear the CE marking |

The date of Sept. 11, 2026 is crucial. From then on, you must have an operational channel with both ENISA and the Center for Cybersecurity Belgium (CCB). Your systems for monitoring and detecting vulnerabilities must be up and running by then. That’s less than 18 months from now.

What is the difference between the CRA and NIS2?

Many Belgian companies already engaged in NIS2 compliance are wondering how the CRA compares. The two complement each other, but regulate something fundamentally different.

| Criterion | Cyber Resilience Act (CRA) | NIS2 Directive |
|---|---|---|
| Focus | Securing the product itself | Making the organization resilient |
| Target group | Manufacturers, importers, distributors | Essential and important entities |
| Type of legislation | Regulation (direct effect in the EU) | Directive (transposed into Belgian law) |
| Market access | CE marking required | Supervision of processes and audits |
| Duty to report | Product vulnerabilities | Incidents in operations |
| Fines (max.) | €15 million or 2.5% of turnover | €10 million or 2% of turnover |
| Deadline | September 2026 (notification requirement) / December 2027 | April 2026 (conformity assessment) |

An important insight: the CRA acts as a supply chain tool for NIS2. A Belgian hospital covered by NIS2 can operate securely only if the medical equipment and software it purchases are themselves cybersecure under the CRA. This creates a closed security loop from manufacturer to end user.

Are you already working on NIS2 compliance? Then read our complete NIS2 guide for Flemish companies to see how the two regulations reinforce each other.

The vulnerability notification requirement: what should you do?

As of Sept. 11, 2026, a strict notification requirement applies to manufacturers. If you become aware of an actively exploited vulnerability in your product, or of a serious incident affecting its integrity or availability, you must follow a three-step protocol.

| Phase | Deadline | Content |
|---|---|---|
| Early warning | Within 24 hours | Confirmation of the problem and suspicion of malicious exploitation |
| Complete notification | Within 72 hours | Details of the vulnerability, risks and planned corrective actions |
| Final report | Within 14 days of the patch | Impact analysis, severity and final solutions |

Reporting goes simultaneously to ENISA and the CCB through a central reporting platform. The goal is not to punish manufacturers, but to build a European threat picture that allows agencies such as the CCB to alert other sectors in a timely manner.

This reporting process bears similarities to the NIS2 reporting requirement (24 hours/72 hours/1 month), but focuses on product vulnerabilities rather than organizational incidents. Companies that must comply with both regulations would do well to streamline their incident response processes.

The risk classification: which conformity procedure applies to your product?

The CRA classifies products into three risk categories. The category determines whether you may self-assess or must engage an outside party.

An estimated 90% of all products fall into the standard category. For this, a self-assessment is sufficient: you test internally whether your product meets the Annex I requirements. Examples include consumer apps, simple hardware and word processing software.

A stricter regime applies to the remaining 10%. Class I products (such as browsers, password managers and routers) must demonstrate compliance with harmonized standards, or else undergo an external assessment. Class II products (such as firewalls, IDS systems and industrial routers) require mandatory assessment by a Notified Body. Critical products (such as smart meter gateways and hardware security modules) must achieve European cybersecurity certification at the substantial level or higher.

What does this mean for Belgian software companies? If you are developing standard software without a specific security feature, an internal review will probably suffice. However, if you are developing identity management software, network components or security solutions, you will need to go through an external audit by an accredited CAB.

What do you risk for non-compliance?

CRA fines are modeled after the structure of the GDPR and can be significant.

For non-compliance with essential requirements: fines of up to 15 million euros or 2.5% of annual worldwide turnover (whichever is higher). For other violations: up to 10 million euros or 2% of turnover. For providing false information: up to 5 million euros or 1% of turnover.

In determining the fine, regulators consider the economic capacity of the company. But beyond the financial penalty, a forced recall or sales ban can be at least as drastic for an SME.

How do you prepare for the CRA?

The road to CRA compliance begins with your development process. Four steps you can take today:

1. Inventory your product portfolio: map out which products are covered by the CRA and which risk category they belong to. Remember that cloud components that are essential to a physical product also count.

2. Integrate a Secure Development Lifecycle: build security in from design. That means threat modeling for every new product or feature, secure coding guidelines for your development team, and automated SBOM generation in your CI/CD pipeline.

3. Test your products structurally: an application pen test identifies vulnerabilities before attackers do. Test regularly against the OWASP Top 10 and document the results as part of your compliance file.

4. Set up your reporting process: ensure an operational channel with ENISA and the CCB by September 11, 2026. Establish a vulnerability disclosure policy and train your team on the 24-hour/72-hour notification deadlines.

Has your company already completed a CyberFundamentals track? Then you have a head start. CyFun’s control measures closely align with CRA requirements around software updates, access management and vulnerability management.

Frequently asked questions about the Cyber Resilience Act

Does the CRA also apply to software?

Yes. The CRA applies to any product with digital elements, including standalone software. Only pure SaaS solutions that are not an essential part of a physical product are outside the scope. Those are covered under NIS2.

What exactly is the SBOM requirement?

A Software Bill of Materials is a machine-readable list of all software components, libraries and dependencies in your product. The CRA requires manufacturers to keep it up to date, review it with each update, and retain it for at least 10 years after the product was last placed on the market.

What are the penalties for non-compliance?

The maximum fine is 15 million euros or 2.5% of your worldwide annual turnover for violation of essential requirements. In addition, a regulator can impose a sales ban or product recall.

Should my SME take action already?

Yes. The reporting requirement for actively exploited vulnerabilities will apply from Sept. 11, 2026. That’s less than 18 months from now. You have time to set up your processes now, but waiting until 2027 is not an option if you want to meet the mandatory notification deadline.

How does the CRA relate to ISO 27001?

ISO 27001 focuses on your organization’s information security management system. CRA focuses on the security of your products. They are complementary: ISO 27001-certified processes help ensure structural compliance with CRA requirements, but ISO 27001 certification alone is not sufficient for CRA compliance.

What if my product contains open source components?

Once you integrate open source components into a commercial product, the CRA obligations apply to that product. You must include those components in your SBOM and actively monitor and patch vulnerabilities in those components.

Next step: prepare your business

The Cyber Resilience Act is changing the way digital products are marketed in Europe. The first operational deadline of Sept. 11, 2026, is closer than you think.

Cyberplan guides software companies and manufacturers every step of the way: from Secure Development Lifecycle integration and threat modeling to application pentesting and vulnerability management. Our team of 22 certified ethical hackers (OSCP, CISSP) speaks the language of your developers as well as your executives.

Schedule an introductory meeting and discover how Cyberplan helps you become CRA-compliant without slowing down your development speed.