
Cyber Resilience Act: What IoT Manufacturers Need to Know

June 11, 2026



The European Union (EU) Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for products with digital elements placed on the European market. The regulation applies general requirements across all products, with more specific obligations for selected product categories.

For companies building connected products, this is a fundamental shift. Manufacturers must build cybersecurity into their products from the design phase and maintain it throughout the support period.

Compliance is a lifecycle security responsibility, requiring manufacturers to continuously identify, assess, and remediate vulnerabilities throughout the product support period.

With the first CRA deadline taking effect in September 2026, manufacturers of IoT products need to understand what the regulation requires and how to begin preparing.

Key Takeaways

  • The Cyber Resilience Act (CRA) sets mandatory cybersecurity requirements for products with digital elements in the EU market.
  • The CRA requires regular vulnerability assessments, security updates, and a supply chain approach to compliance.
  • Key deadlines include vulnerability reporting requirements in September 2026 and full compliance by December 2027.
  • Preparation involves assessing product portfolios, monitoring standardization, and reviewing secure development practices.

What Is the Cyber Resilience Act?


The Cyber Resilience Act (EU) 2024/2847 is an EU Regulation that establishes mandatory cybersecurity requirements for products with digital elements, covering both hardware and software.

The CRA is the first regulation to embed cybersecurity directly into the EU product compliance and safety framework. It applies as a horizontal layer across industries and technologies.

Unlike traditional compliance schemes, the CRA introduces broader and ongoing obligations. Manufacturers must build cybersecurity into the design and development process, manage vulnerabilities, and provide security support throughout the product lifecycle. 

These obligations apply at the product and system level across the supply chain. They do not transfer full responsibility to individual components or their suppliers. CRA compliance is a regulatory precondition for CE marking. Manufacturers must demonstrate that their products meet CRA cybersecurity requirements before placing them on the EU market. 

CRA Compliance as a Lifecycle Process 


The CRA takes a supply chain approach to cybersecurity, distributing responsibilities across all actors involved in bringing a product to market. Under the CRA, IoT manufacturers are expected to:

  • Perform and document cybersecurity risk assessments
  • Design products following security by design and security by default principles
  • Address vulnerabilities throughout the product lifecycle, including post-market security
  • Provide security updates and relevant information to users

These obligations extend across the supply chain. Manufacturers, importers, distributors, and authorized representatives each carry defined compliance responsibilities. 

Cyber Resilience Act Timeline and Key Milestones

While the CRA entered into force on 10 December 2024, requirements are being phased in over three years to complement existing regulations. Two dates are especially important for compliance planning: 

11 September 2026: Obligations related to CRA vulnerability reporting take effect. Manufacturers must report actively exploited vulnerabilities and severe security incidents to EU authorities (ENISA and national CSIRTs). An early warning must be submitted within 24 hours of becoming aware of a vulnerability, followed by a detailed notification within 72 hours.

11 December 2027: Full CRA compliance becomes mandatory. All products with digital elements placed on the EU market after this date must demonstrate complete conformity. 

Companies that begin preparing now will be better positioned to meet both milestones without disrupting their product roadmaps.

CRA Product Categories and Conformity Assessment

The CRA defines products with digital elements as any software or hardware product, along with its remote data processing solution, that can directly or indirectly connect to a network or another device. The regulation classifies these products into tiers that determine the conformity assessment procedure required before EU market placement. 

A product’s classification directly affects whether it can be self-assessed or requires third-party evaluation. Classification depends on the product’s functionality and intended use at the final product level. 

  • Default category: Covers products not classified as important or critical. Manufacturers can demonstrate compliance through self-assessment.
  • Important products – Class I: Products with elevated cybersecurity relevance. Manufacturers may self-assess when applying harmonized standards, once available, or opt for third-party assessment. 
  • Important products – Class II: Higher-risk products that require third-party involvement by a notified body or the use of a European cybersecurity certification scheme, where available and applicable.
  • Critical products: Products with the highest cybersecurity impact. These require the most stringent conformity assessment procedures to ensure maximum assurance and regulatory control. The primary expected route is a European cybersecurity certification scheme, such as Common Criteria, under applicable EU cybersecurity certification frameworks; or, when these are not available, third-party involvement by a notified body.

The EN 40000 Standardization Roadmap

The CRA defines what IoT device manufacturers must achieve but deliberately avoids prescribing how to implement these requirements. That role belongs to European harmonized standards, which translate the regulation’s legal obligations into assessable technical and process requirements. 

In April 2025, CEN, CENELEC and ETSI accepted Standardization Request M/606 from the European Commission, initiating development of 41 harmonized standards to support CRA implementation. 

These standards will be delivered in two waves: 15 horizontal standards applicable across all product categories and 26 vertical standards with additional requirements tailored to specific product types. 

CEN/CLC/JTC 13/WG 9 is primarily developing the horizontal standards, which follow the EN 40000-1-x numbering scheme. They are structured as follows:

  • Type A standards define the overall cyber resilience framework, including security objectives and risk management principles.
  • Type B standards specify product-agnostic technical and process requirements, such as vulnerability handling and generic security controls.
  • Type C (vertical) standards address requirements for specific product categories.

Table: Draft Horizontal Standards

The table below summarizes the most relevant draft horizontal standards under development as of June 2026.

Standard       | Title                                                                                          | Type | Status (June 2026) | Deadline
prEN 40000-1-1 | Vocabulary: Terms and Definitions                                                              | A    | Under approval     | 30 Aug. 2026
prEN 40000-1-2 | Principles of Cybersecurity: Framework for Product Lifecycle Design, Development and Production | A    | Under approval     | 30 Aug. 2026
prEN 40000-1-3 | Vulnerability Handling: Processes and Requirements                                             | B    | Under approval     | 30 Aug. 2026
prEN 40000-1-4 | Security Controls: Generic Security Requirements (product-agnostic technical measures)         | B    | Under development  | 30 Oct. 2026

Particular attention should be given to prEN 40000-1-3 on vulnerability handling. The related CRA obligations take effect on 11 September 2026, ahead of the rest of the regulation. Until harmonized standards are formally adopted as European Norms (EN) and cited in the EU Official Journal, conformity must be assessed directly against CRA Annex I. Though not yet finalized, the draft standards provide the most concrete guidance available for meeting Annex I requirements.

Vertical standards are also under active development and available for public review through resources such as the ETSI GitLab repository.

European Commission Cyber Resilience Act Guidance


The European Commission provides official information and guidance for the CRA through:

The Commission also published a draft of its guidance document on the CRA, with public comment closing in April 2026. It covers topics including:

  • Scope and perimeter
  • Free and open-source software
  • Substantial modifications and spare parts
  • Support period
  • Important and critical products
  • Cybersecurity risk assessment 
  • Integration of products and components
  • Remote data processing
  • Vulnerability handling and reporting obligations
  • Interplay with other legislation

How to Prepare for CRA Compliance

Assess CRA applicability across your product portfolio and role (manufacturer, importer or distributor) under the regulation.

Proactively monitor standardization developments. The EN 40000 draft series provides the emerging framework for CRA compliance. Tracking these standards as they evolve helps clarify technical and procedural requirements ahead of finalization.

Review secure development practices. Evaluate your current approach to IoT security by design and vulnerability handling, with particular attention to CRA vulnerability reporting requirements ahead of the September 2026 deadline.

Conduct product risk assessments. If formal threat analysis is not yet part of your process, establish one. 

Evaluate your product lifecycle strategy. Confirm that your update strategy and product support period align with EU CRA requirements.

Key deliverables manufacturers should prepare include:

  • Software Bill of Materials (SBOM) covering all software components and dependencies
  • Documented vulnerability handling and disclosure process
  • Defined product support period and security update policy
  • Secure mechanism to ensure authenticity and integrity of firmware/software updates
  • Technical documentation demonstrating compliance with CRA Annex I requirements
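As an added illustration of the update-authenticity deliverable (example code written for this article, not Telit Cinterion module firmware), the device-side check below verifies the vendor's Ed25519 signature over a small firmware manifest, confirms the image digest, checks that the image targets this product, and refuses version rollback. The manifest format, the product name "EXAMPLE-MODULE", the image bytes and the key pair are all constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Manifest is the signed description of one firmware image (a constructed format, not a real module's).
type Manifest struct {
	Product string `json:"product"` // which device the image is for
	Version uint32 `json:"version"` // must strictly increase: rollback protection
	SHA256  string `json:"sha256"`  // hex digest of the image bytes
}
// Update bundles the manifest bytes, the vendor's Ed25519 signature over them, and the image.
type Update struct{ Manifest, Sig, Image []byte }
// VerifyUpdate enforces authenticity (signature), target product, anti-rollback and integrity (digest).
func VerifyUpdate(vendorPub ed25519.PublicKey, u Update, product string, installed uint32) (*Manifest, error) {
	// Verify first, so that unsigned bytes are never parsed or acted on.
	if !ed25519.Verify(vendorPub, u.Manifest, u.Sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, fmt.Errorf("manifest is for %q, this device is %q", m.Product, product)
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("rollback rejected: version %d <= installed %d", m.Version, installed)
	}
	if sum := sha256.Sum256(u.Image); fmt.Sprintf("%x", sum) != m.SHA256 {
		return nil, fmt.Errorf("image digest does not match the signed manifest")
	}
	return &m, nil
}
// BuildUpdate stands in for the vendor's release tooling: digest the image, then sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) Update {
	mb, _ := json.Marshal(Manifest{Product: product, Version: version, SHA256: fmt.Sprintf("%x", sha256.Sum256(image))})
	return Update{Manifest: mb, Sig: ed25519.Sign(priv, mb), Image: image}
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	u := BuildUpdate(priv, "EXAMPLE-MODULE", 5, []byte("constructed firmware image"))
	_, err := VerifyUpdate(pub, u, "EXAMPLE-MODULE", 4)
	fmt.Println("genuine update accepted:", err == nil)
	u.Image[0] ^= 0xff // a corrupted or tampered image must be rejected
	_, err = VerifyUpdate(pub, u, "EXAMPLE-MODULE", 4)
	fmt.Println("tampered image rejected:", err != nil)
}
```

On a real module the vendor public key would be anchored in immutable storage or a secure element and the installed version counter kept in tamper-resistant storage, otherwise the rollback check can be bypassed.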

How the CRA Relates to the Radio Equipment Directive


The CRA does not replace existing sector-specific EU legislation, nor does it merge with the Radio Equipment Directive (RED). Instead, it works alongside it.

The RED Delegated Regulation on cybersecurity (EU) 2022/30 introduced cybersecurity requirements for certain radio equipment. The EN 18031 series provides technical standards supporting compliance with those requirements.

To avoid overlapping obligations, the cybersecurity provisions introduced under the RED Delegated Regulation are expected to be phased out, with the CRA becoming the primary cybersecurity framework from 11 December 2027. From that date, all cybersecurity obligations for products with digital elements will fall under the CRA framework.

During the transitional period from 1 August 2025 to 10 December 2027, manufacturers of in-scope radio equipment must continue to comply with RED cybersecurity requirements. Beginning on 11 December 2027, the CRA will become the sole cybersecurity framework for these products. 

While the CRA will address cybersecurity obligations, RED will continue to govern radio performance, electrical safety, and electromagnetic compatibility (EMC) for wireless products in the EU market. 

RED Certification Gives Manufacturers a Head Start

Many of the technical controls and security principles in the EN 18031 series, developed for RED compliance, align closely with the CRA’s cybersecurity baseline. A manufacturer whose modules hold current EN 18031 certifications can build on an established security foundation and address EU CRA requirements through incremental extensions rather than a full redesign. 

Manufacturers whose products lack RED cybersecurity certification will typically face a broader initial effort: establishing a technical security baseline, the supporting processes, and the necessary documentation from the ground up.

What the Cyber Resilience Act Means for Telit Cinterion Radio Modules

Wireless connectivity is a potential attack surface in connected products. Wireless modules directly influence how a product handles secure communication and authentication. They also affect remote update capabilities over cellular networks and introduce dependencies on software components and external services that manufacturers must manage under the regulation’s requirements. 

While IoT device manufacturers make integration and configuration decisions at the final product level, module-level security features contribute directly to CRA compliance. 

Telit Cinterion has certified its products under the EN 18031 standards for RED compliance. Our modules include security features such as remote firmware update mechanisms. These allow customers to address security issues and deploy patches over the product lifecycle, consistent with the CRA’s requirements for security updates and resilience.

We also maintain a dedicated Product Security Incident Response Team (PSIRT), along with technical support channels that serve as the primary entry point for reporting potential security issues. This structure supports coordinated analysis and mitigation of vulnerabilities that may affect Telit Cinterion products.

These capabilities serve as inputs to each customer’s CRA compliance process. They do not transfer CRA compliance responsibility to Telit Cinterion. Instead, they reduce the complexity of achieving compliance while improving supply-chain transparency.

Get in touch to discuss how Telit Cinterion can support your CRA compliance journey.

Review your CRA compliance strategy with our experts.