Cyber Resilience Act: what device and machine manufacturers must know now
The Cyber Resilience Act requires manufacturers of products with digital elements to deliver cybersecurity across the lifecycle, EU-wide. Who it affects, which deadlines apply, and why ISO 27001 is the natural foundation.
In short
The Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to deliver cybersecurity across the whole lifecycle, EU-wide: security by design, vulnerability management and reporting duties. A first stage applies from June 2026, the main obligations phase in towards 2027. For mid-sized manufacturers with connected machines and devices this is relevant, and ISO/IEC 27001 is the natural foundation.
While everyone watches the AI Act, a second duty is approaching for mid-sized manufacturers: the Cyber Resilience Act. It affects not only software houses, but anyone placing products with digital elements on the market, including connected machines, controllers and devices. A first stage already applies from June 2026.
Who the CRA affects
It covers products with digital elements, from pure software to the connected machine. Whoever manufactures, imports or distributes has duties. Unlike before, cybersecurity becomes a precondition for market access in the EU, no longer a voluntary extra, but part of the CE marking.
The core obligations
At its core the CRA demands three things. First, security by design and by default: security built in from the start rather than bolted on afterwards. Second, working vulnerability management across the whole lifecycle, including the provision of security updates. Third, reporting duties: actively exploited vulnerabilities and serious incidents must be reported within short deadlines. On top of these come the technical documentation and the conformity evidence.
The deadlines
The CRA applies in stages. A first stage, among others on conformity assessment bodies, applies from June 2026. The reporting duties and the full manufacturer obligations phase in towards 2027. Those who build products with long development and service lives should start now, not just before the deadline.
Why ISO 27001 is the natural foundation
At its core the CRA requires a structured approach to information security and vulnerabilities. An information security management system to ISO/IEC 27001 provides exactly that frame: risk management, access control, a secure development process, and vulnerability and incident management. It does not satisfy the CRA automatically, because the CRA adds product-specific requirements. But it is the foundation on which the product duties build cleanly. We clarify how to connect the two in a free initial call.
Frequently asked questions
Who does the Cyber Resilience Act affect?
Manufacturers, importers and distributors of products with digital elements, from software to connected machines and devices. Cybersecurity becomes a precondition for market access in the EU and part of the CE marking.
When does the CRA apply?
In stages: a first stage from June 2026, with reporting duties and the full manufacturer obligations phasing in towards 2027. Products with long development and service lives should be prepared now.
Does ISO 27001 help with the CRA?
Yes, as a foundation. An ISMS to ISO/IEC 27001 provides the structured frame for risk, secure development and vulnerability and incident management, on which the specific CRA product requirements build. It does not replace the product-specific duties, though.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 18 June 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.