Published:

Last updated:

Reading time:

circa 5 minutes

Cyber Resilience Act: What Companies Need to Know Now

Digitalization is advancing at a rapid pace and has become an integral part of our everyday lives. This makes it even more important to expand cybersecurity and introduce new requirements for digital products. We explain which changes the Cyber Resilience Act will bring for companies and what they should already be keeping in mind.

Illustration of a padlock symbol representing cybersecurity. Natthaphon Wanason 2190938589

What Is the Cyber Resilience Act?

The Cyber Resilience Act is a key EU regulation designed to improve the cybersecurity of products with digital elements. This includes hardware, software and IoT products. The aim of the CRA is to introduce minimum cybersecurity standards for digital products, making it comparable to the GDPR, but for product security.

The NIS2 Directive also aims to strengthen cybersecurity within Europe. However, it primarily applies to infrastructures and organizations—for example, the healthcare sector—and is therefore distinct from the Cyber Resilience Act.

Who Does the CRA Apply To?

The CRAEU primarily applies to manufacturers, importers and distributors. They are required to consider cybersecurity during the development process and to disclose and assess potential risks.

The CRA requirements also apply to B2B software providers. Depending on their design, operating models are classified as “important” or “critical” products. For example, if software regulates access to sensitive data or is used in sensitive areas such as smart cards, an external assessment is required.

CRA Requirements

To cover cybersecurity sustainably, the Cyber Resilience Act introduces new obligations for companies, especially software providers. Here is an overview of requirements that directly affect manufacturers:

  • Security by design & default: Security is the top priority and must be integrated into planning and product architecture from the outset, rather than being added later.
  • Vulnerability management & updates: Vulnerabilities must be systematically identified, assessed and remediated. In addition, security updates must be provided over a defined support period of at least five years.
  • Transparency for users: Relevant product information must be provided to users in an understandable way, and security incidents as well as countermeasures initiated must be communicated.
  • Technical documentation: The product must include complete documentation of all software components used in the form of a Software Bill of Materials (SBOM).
  • CE marking for cybersecurity: Distributors and importers must ensure that the product they distribute or source has been provided with a CE marking.
  • Reporting obligation for security incidents: If vulnerabilities have been actively exploited, an initial report must be submitted on the new ENISA reporting platform within 24 hours. A follow-up report must be submitted after the third day, and a final report after 14 days.
  • Risk assessment, product life cycle: Manufacturers must carry out a regularly updated risk assessment that addresses potential cybersecurity risks.
  • Declaration of conformity: Manufacturers and software providers must use a declaration of conformity to demonstrate that their products meet all CRA requirements.
An infographic providing an overview of all deadlines and requirements under the Cyber Resilience Act

The Cyber Resilience Act introduces many new obligations for companies, making an overview of key deadlines important. © GFOS Group

When Does the Cyber Resilience Act Come into Force?

The implementation of the Cyber Resilience Regulation will take place gradually. The CRA formally entered into force on 10 December 2024. Since that date, companies have been able to adapt their processes to the new requirements.

From 11 September 2026, manufacturers will face the first obligations, including the obligation to report all actively exploited vulnerabilities.

On 11 December 2027, the regulation will finally become fully applicable. From that date, companies must meet all CRA requirements.

Consequences for Companies

The Cyber Resilience Act primarily affects traditional on-premise operating models. Software operators will face more obligations, but customers also bear responsibility: security measures must be implemented, tested and approved locally. In addition, updates require regular coordination, new practical testing and possible adjustments. This takes time and increases security management risks. While the manufacturer is responsible for the security of the product, the customer is responsible for secure operation.

For this reason, many software manufacturers are increasingly relying onSaaS solutions—such as HR SaaS software. The transition to SaaS models simplifies security-related adjustments, as these are implemented across all instances. This eliminates coordination processes. Maintenance, monitoring and security are no longer the customer’s responsibility but are an integral part of the operating model. Using a SaaS model —for example, for time tracking—therefore reduces cyber risk.

Action Required: Reassess Operating Models

With the Cyber Resilience Regulation, companies are now under pressure: by the end of 2027 at the latest, on-premise operating models must be strategically rethought and given a future-proof architecture. Software users are increasingly becoming the focus of compliance audits, which means that the ability to implement security measures quickly and sustainably is becoming a critical success factor.

Why Switching to SaaS Solutions Is Worthwhile

Thanks to their sustainably future-proof architecture, customers gain significant added value from SaaS models. Here is an overview:

  • Increased security: Because all security-relevant measures—such as updates for new features—are managed and implemented centrally, cyber risk is reduced.
  • Relief for employees: SaaS solutions increase transparency, reducing coordination efforts between IT, specialist departments and external partners.
  • Greater efficiency and transparency: Compliance requirements can be documented more easily, allowing regulatory requirements to be met efficiently.
  • Better planning reliability: The costs of a SaaS solution are needs-based and therefore predictable over the long term. Software operators can flexibly expand the solutions at any time as needed.

Cybersecurity Made Easy with GFOS

SaaS solutions are the operating models of the future. We would be happy to find the right software for you and your requirements. Discover the SaaS bundles from GFOS and help shape a sustainably secure working world.

Call us at

+49 . 201 • 61 30 00

Contact us at

To the contact form

Call us at

DE: +49 . 201 • 61 30 00

CH: +41 . 41 • 544 66 00

Contact us at

To the contact form

Back to top