The Cyber Resilience Act officially came into force on 10 December 2024, setting out a key timeline for affected companies. From 11 September 2026, manufacturers will be required to actively report exploited vulnerabilities as well as serious security incidents. Under the regulation, manufacturers must notify the relevant authorities of security vulnerabilities and security-related incidents as soon as they become aware of them, and within strict time limits. To support this process, the EU Agency for Cybersecurity (ENISA) is establishing a centralised CRA Single Reporting Platform (SRP), through which all reports must be submitted in future.
Operational phase begins in 2026
The CRA's comprehensive requirements, including security by design, lifecycle management and CE marking under CRA conformity assessment, will apply in full from 11 December 2027. "The operational phase of the Cyber Resilience Act will begin in 2026," said Onekey Managing Director Jan Wendenburg.
From 11 June 2026, the first conformity assessment bodies (CABs) will begin checking product conformity. These CABs are accredited, independent testing laboratories. This enables manufacturers to obtain external CRA conformity certification.
Onekey CEO Jan Wendenburg explained the urgency of this process: "The manufacturers concerned must have their internal processes, documentation, technical evidence, and safety requirements in place by then at the latest so that a CAB can test their products."
External conformity assessment is mandatory for products with a high safety risk (CRA classes "critical" and "highly critical"), such as critical infrastructure components, IoT devices with high damage potential, and industrial control systems.
"However, a self-declaration is sufficient for around 90 percent of all networked products," Jan Wendenburg clarified. This is a declaration by the manufacturer that the digital product meets the CRA's requirements and is being legally placed on the market. The declaration must include a detailed conformity assessment, which can be carried out via the Onekey platform. From 11 December 2027 onwards, products without such a declaration may no longer be sold on the EU market.
Urging manufacturers to act now
Jan Wendenburg explained: "It's time for manufacturers to subject their networked devices, machines, and systems to a CRA conformity assessment." Based on his experience with relevant tests on the Onekey platform, he says that "gaps often emerge, and many of them are difficult to resolve. Manufacturers should be prepared to invest the necessary time, money, and personnel to meet the legal requirements that will be imposed on them." As examples, he cites vulnerabilities in external programmes from partners outside the EU with little understanding of CRA compliance, as well as purchased components with incomplete documentation and open-source software.
The first step for manufacturers, according to Wendenburg, is to create a software bill of materials (SBOM) for each networked product, which is often challenging in practice. The purpose of an SBOM is to identify software components that may contain vulnerabilities that could be exploited by attackers, enabling them to be addressed quickly and systematically. To this end, the Cyber Resilience Act requires a comprehensive inventory of all software elements, including programmes, libraries, frameworks, and dependencies, along with their exact version numbers. Manufacturers must also document licensing information, authorship, and any known vulnerabilities or security gaps associated with each component.
He adds that many manufacturers struggle to meet these requirements because they do not receive sufficient or reliable information from their suppliers. "Many SBOMs are incomplete, outdated, or lack the necessary context around vulnerabilities," he said. "Such SBOMs fail to meet the mandatory documentation standards under EU regulations and offer little practical value for compliance or security purposes."
"The first implementation phase of the Cyber Resilience Act is undoubtedly a milestone for digital security in Europe, but it also requires considerable effort from manufacturers," concludes the Onekey CEO.






























