Are you ready for the reporting obligations starting September 2026?

EU Cyber Resilience Act

  • Blog
  • 10 minute read
  • 16/06/26
Philipp Rosenauer

Partner, Legal, PwC Switzerland

Ashish Gupta

Partner, EMEA Cybersecurity and Privacy Pharma Lead, PwC Switzerland

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) - or "CRA" - is the most significant EU product cybersecurity legislation to date. It entered into force on 10 December 2024 and will be fully applicable from 11 December 2027. However, from 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe security incidents affecting products with digital elements to EU authorities.

Penalties for non-compliance can reach up to €15M or 2.5% of global turnover, whichever is higher.

This post outlines who is affected, what reporting requires, and what steps to take now.

Does the CRA apply to you?

Determining scope involves assessing your role in the supply chain, the nature of your products, your geographic relationship with the EU market, and the commercial context.

Step 1: Identify your role in the supply chain

The CRA imposes obligations on "economic operators" making products with digital elements available on the EU market. The regulation defines four roles:

  • Manufacturer: Develops or manufactures products with digital elements and markets them under its name or trademark.
  • Authorised representative: An EU-established person mandated by a non-EU manufacturer to act on its behalf for specified tasks.
  • Importer: An EU-established person who places on the market a product bearing a non-EU manufacturer’s name or trademark. Importers must verify manufacturer CRA compliance before placing products on the market.
  • Distributor: A supply chain participant (other than manufacturer or importer) who makes a product available on the EU market without affecting its properties. Distributors must verify CE marking and inform manufacturers of vulnerabilities.

If your organisation falls into any of these categories for a product with digital elements sold in the EU, the CRA applies to you.

Step 2: Determine whether your product is in scope

A "product with digital elements" is broadly defined as any software or hardware product whose use includes a direct or indirect data connection to a device or network. This includes:

  • Hardware products: IoT devices, routers, switches, smart appliances, sensors, cameras, industrial control systems, embedded systems, connected machinery
  • Software products: standalone applications, firmware, operating systems, mobile/desktop apps, video games, software libraries, SDKs
  • Remote data processing solutions: cloud-enabled functionalities designed by or under the manufacturer’s responsibility, where absence would prevent the product from performing one of its functions
  • Components: processors, video cards, software components placed separately on the market

Products covered by sector-specific EU legislation (e.g., medical devices, motor vehicles, civil aviation, marine equipment) are excluded. Non-commercial free and open-source software not monetised by developers is generally exempt.

Step 3: Confirm your geographic and commercial nexus with the EU

The CRA applies to products with digital elements "made available on the Union market" - supplied for distribution or use in the EU in commercial activity, whether for payment or free. This extraterritorial reach means:

  • Non-EU manufacturers (including Swiss companies) are fully in scope if their products are sold into the EU, regardless of headquarters location.
  • Products supplied free in a commercial context (e.g., freemium software) are in scope.
  • Products not supplied in the course of a commercial activity - i.e., not put on the market - are not subject to the CRA.

How the CRA applies to Swiss companies

The CRA applies whenever products with digital elements are made available on the EU/EEA market. Swiss manufacturers exporting covered products into the EU are treated as non-EU manufacturers. This means:

  • The Swiss manufacturer bears the same obligations as any other manufacturer - including reporting obligations from 11 September 2026.
  • Products typically enter the EU market through an importer - an EU-established person placing the product bearing the Swiss manufacturer's name on the EU market.
  • The importer must verify manufacturer compliance with essential cybersecurity requirements, conformity assessment, technical documentation, and CE marking.

What must be reported — and to whom?

The CRA requires manufacturers to report two event categories via ENISA's Single Reporting Platform (SRP):

1. Actively exploited vulnerabilities - any vulnerability in your product known to be currently exploited by a malicious actor.

2. Severe incidents - incidents with significant negative impact on product security, e.g., compromising availability, authenticity, integrity, or confidentiality of important data or functions.

Reporting is triggered when the manufacturer becomes aware of active exploitation or of a severe incident.

Reports are submitted through ENISA's Single Reporting Platform and routed to the national CSIRT where the manufacturer is established. The receiving CSIRT shares notifications with all other CSIRTs in affected Member States. This "report once" mechanism eliminates individual notifications to multiple authorities.

The CRA imposes strict timelines:

  • Early warning - within 24 hours of becoming aware. This is a brief alert, not a full analysis.
  • Full notification - within 72 hours, including initial severity assessment, potential impact, and corrective measures taken or planned.
  • Final report - within 14 days after a corrective measure becomes available (for vulnerabilities), or within one month of initial notification (for severe incidents).

Reporting obligations apply to all products with digital elements made available on the Union market, including those placed on the market before 11 December 2027. From 11 September 2026, if a manufacturer becomes aware of an actively exploited vulnerability or severe incident affecting any product currently available to EU customers - regardless of when sold - it must report through the ENISA SRP within prescribed timelines.

What concretely needs to be done

With 11 September 2026 approaching, focus on these steps to ensure readiness:

  • Scope and inventory products. Identify all products with digital elements placed or made available on the EU market - hardware, software, firmware, connected devices, including legacy products. Map which Member States your products are available in for CSIRT routing.
  • Establish continuous vulnerability monitoring. The 24-hour clock starts when you become aware of active exploitation. Monitor CISA's Known Exploited Vulnerabilities catalogue, vendor advisories, and threat intelligence feeds. Maintain an accurate SBOM to know whether newly exploited vulnerabilities affect your products.
  • Assign clear roles and responsibilities. Designate individuals responsible for drafting, reviewing, and submitting reports at each stage. Document backup coverage for weekends, holidays, and out-of-hours.
  • Register on the ENISA Single Reporting Platform. The SRP will be operational by 11 September 2026. Ensure registration and staff familiarity with the platform.
  • Align with adjacent regulatory obligations. Consider how CRA reporting interacts with NIS2, GDPR, or DORA. While triggers, timelines, and recipients differ, internal escalation processes should be coordinated to avoid duplication or missed deadlines.
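As an added example (not from the original post, and not a PwC or ENISA tool), the following Python script covers the two mechanical parts of the steps above: a coarse first-pass match of an SBOM against a KEV-style catalogue, and the reporting clock computed from the moment of awareness using the windows described earlier (24 hours, 72 hours, 14 days after a corrective measure, one month after initial notification). The SBOM and catalogue fragments are constructed sample data; the CVE identifiers are placeholders; the field names follow the CycloneDX JSON and CISA KEV JSON feed formats, and `report_plan` is an assumed name for the combined runbook call.

```python
"""Added example (not from the original post): match an SBOM against a
KEV-style catalogue and compute the CRA reporting clock from awareness.
All sample data below is constructed; CVE identifiers are placeholders."""
from __future__ import annotations

import calendar
import json
from datetime import datetime, timedelta

# Constructed SBOM fragment in CycloneDX JSON shape (only the fields used here).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "examplelib", "version": "2.3.1", "supplier": {"name": "ExampleVendor"}},
    {"name": "otherlib",   "version": "1.0.0", "supplier": {"name": "OtherVendor"}}
  ]
}"""

# Constructed catalogue fragment using the field names of CISA's KEV JSON feed.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleLib",
     "dateAdded": "2026-09-12"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Unrelated", "product": "SomethingElse",
     "dateAdded": "2026-09-12"}
  ]
}"""


def normalise(name: str) -> str:
    """Case- and punctuation-insensitive key for vendor/product names."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def match_sbom_against_kev(sbom_json: str, kev_json: str) -> list[dict]:
    """Coarse first pass: vendor + product name match. KEV entries carry no
    version ranges, so every hit must still be confirmed against the vendor
    advisory before it counts as 'aware of active exploitation'."""
    sbom = json.loads(sbom_json)
    kev = json.loads(kev_json)
    index = {}
    for comp in sbom.get("components", []):
        vendor = (comp.get("supplier") or {}).get("name", "")
        index[(normalise(vendor), normalise(comp["name"]))] = comp
    hits = []
    for vuln in kev.get("vulnerabilities", []):
        comp = index.get((normalise(vuln["vendorProject"]), normalise(vuln["product"])))
        if comp is not None:
            hits.append({"cve": vuln["cveID"], "component": comp["name"],
                         "version": comp["version"], "kev_added": vuln["dateAdded"]})
    return hits


def add_one_month(dt: datetime) -> datetime:
    """Same day next month, clamped to that month's length (31 Jan -> 28 Feb)."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def cra_deadlines(aware_at: datetime, event: str,
                  corrective_measure_at: datetime | None = None,
                  initial_notification_at: datetime | None = None) -> dict[str, datetime]:
    """Reporting windows as described in the post: 24h early warning, 72h full
    notification, then a final report 14 days after a corrective measure is
    available (vulnerability) or one month after initial notification (incident)."""
    early = aware_at + timedelta(hours=24)
    full = aware_at + timedelta(hours=72)
    if event == "vulnerability":
        if corrective_measure_at is None:
            raise ValueError("corrective measure date needed for a vulnerability")
        final = corrective_measure_at + timedelta(days=14)
    elif event == "incident":
        # If the early warning has not gone out yet, assume it goes out at its deadline.
        final = add_one_month(initial_notification_at or early)
    else:
        raise ValueError(f"unknown event type: {event}")
    return {"early_warning": early, "full_notification": full, "final_report": final}


def report_plan(sbom_json: str, kev_json: str, aware_iso: str, event: str,
                corrective_iso: str | None = None) -> dict:
    """One call for the runbook: affected components plus ISO-8601 deadlines."""
    aware_at = datetime.fromisoformat(aware_iso)
    corrective = datetime.fromisoformat(corrective_iso) if corrective_iso else None
    deadlines = cra_deadlines(aware_at, event, corrective_measure_at=corrective)
    return {"hits": match_sbom_against_kev(sbom_json, kev_json),
            "deadlines": {k: v.isoformat() for k, v in deadlines.items()}}


if __name__ == "__main__":
    plan = report_plan(SBOM_JSON, KEV_JSON, "2026-09-14T09:00:00+00:00",
                       "vulnerability", "2026-09-20T00:00:00+00:00")
    print(json.dumps(plan, indent=2))
```

The name match is deliberately coarse: the KEV feed identifies vendor and product but not affected version ranges, so a hit is a prompt to check the advisory and your own build, not proof of exposure. The deadlines are computed from the timestamp at which awareness is recorded, which is why that timestamp should be logged the moment triage confirms active exploitation rather than when the report is drafted.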

To conclude, the question is not whether to welcome or fear the regulation. Organisations that proactively meet the requirements can turn the CRA into a competitive instrument and win the trust of their customers.


Contact us

Philipp Rosenauer

Partner, Legal, PwC Switzerland

+41 58 792 18 56


Ashish Gupta

Partner, EMEA Cybersecurity and Privacy Pharma Lead, PwC Switzerland

+41 79 578 27 61
