The responsibility for securing software and hardware can sometimes feel like an afterthought, falling on the end user to patch, update, and hope for the best. With the introduction of the EU Cyber Resilience Act (CRA), security leaders need to accept a shift in how we approach the secure-by-design philosophy.
With legislation looming, security by design is becoming an operational priority. If your business manufactures, imports, or distributes products with digital elements (PDEs), ranging from smart sensors to complex enterprise software, the CRA likely has a seat at your boardroom table.
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is the first EU-wide legislation to impose mandatory cybersecurity requirements on hardware and software products throughout their entire lifecycle. Its core objective is simple but far-reaching: to ensure that any digital product placed on the EU market is secure at the point of sale and remains secure via regular updates.
The CRA is an EU regulation, but its reach is global: like GDPR, it applies to any organisation selling into the EU market. For UK businesses, this means that even post-Brexit, compliance isn’t optional if you want to maintain a European footprint. What’s more, the UK government is following suit with its Cyber Security and Resilience Bill, which aims to mirror many of these protections to strengthen domestic infrastructure.
Key Milestones of the CRA
Understanding the timeline is critical for compliance. We are currently in a transition period where the rules are being defined.
11 June 2026:
The framework for notifying conformity assessment bodies begins.
11 September 2026 (crucial date):
Mandatory reporting obligations for manufacturers take effect. You must report actively exploited vulnerabilities to ENISA within 24 hours of discovery.
11 December 2027:
Full application of the Act. All products must meet the essential security requirements and bear the CE marking to be sold in the EU.
Does CRA Apply to You?
If your product has a digital element and connects to a network or device (directly or indirectly), it’s more than likely in scope. This includes:
- Software – Operating systems, firmware, and even mobile applications.
- Hardware – IoT devices, routers, smart cameras, and industrial control systems.
- Components – Software libraries or CPUs sold as standalone products.
Non-compliance is a real risk, with penalties set to be significant: administrative fines reach up to €15 million or 2.5% of global annual turnover, whichever is higher.
Beyond CRA Compliance
At Mondas, we view the CRA not just as a regulatory hurdle but as a benchmark for excellence. True cyber resilience isn’t about ticking boxes for a regulator; it’s about protecting your intellectual property, your reputation, and your customers’ trust.
The Act highlights a growing concern in the industry: the vulnerability of the supply chain. By mandating a Software Bill of Materials (SBOM), the CRA forces transparency, ensuring that every component, even open-source ones, is accounted for and monitored.
Mondas specialise in navigating complex regulatory landscapes and securing digital supply chains. If you are concerned about how the Cyber Resilience Act impacts your product roadmap, reach out to us today for an initial consultation.
This overview was brought to you by our Sales and Marketing Manager at Mondas, George; learn more about George on LinkedIn.
Article First Published 10/03/2026