
Cyber Resilience Act 2026: A Compliance Guide for OEMs

The electronics industry has navigated big regulatory changes in recent years. The EU Cyber Resilience Act is the next one to get ahead of.

From 11 September 2026, electronics manufacturers selling into the EU will face a new legal obligation: the EU Cyber Resilience Act (CRA), formally Regulation (EU) 2024/2847. The Cyber Resilience Act requires manufacturers to report actively exploited vulnerabilities and severe security incidents to EU authorities within 24 hours.

Most procurement and engineering teams are still unprepared for this new regulation. The deadline is not a future concern; it is three months away.

The full weight of the CRA's product compliance requirements lands on 11 December 2027, but the vulnerability reporting machinery must be operational now.

For hardware Original Equipment Manufacturers (OEMs), the implications go well beyond software updates. They cut into how you source components, document your supply chain, and manage end-of-life parts in production.

What Is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is the EU's first horizontal regulation establishing mandatory cybersecurity requirements for products with digital elements, covering both software and hardware. If your product connects directly or indirectly to a network or device, it falls within scope.

That includes microcontrollers, industrial IoT hardware, automotive modules, medical devices, consumer electronics, and the chips embedded inside them.

The regulation entered into force on 10 December 2024. The transition is structured in phases: reporting obligations apply from 11 September 2026, giving manufacturers time to build the notification infrastructure. Full product compliance, covering secure design, lifecycle vulnerability management, and documentation, is required from 11 December 2027.

CRA Timeline

Importantly, the CRA applies to any manufacturer wishing to place products on the EU market, regardless of the company's headquarters or manufacturing location. A US-based OEM selling hardware into Germany has the same obligations as a German manufacturer.

What Does The Cyber Resilience Act Cover?

Much of the early discussion around the Cyber Resilience Act (CRA) has focused on software. That misses a large part of what the regulation actually covers. Any product that can directly or indirectly connect to a device or a network falls under the CRA: industrial controllers, routers, smart sensors, IoT devices, embedded systems, network equipment, and the individual hardware components that go into building them.

The regulation sets out clear obligations for manufacturers across five areas:

  1. Secure design. Under Article 13 of the CRA, manufacturers must carry out a formal cybersecurity risk assessment covering the entire product lifecycle, from design through to manufacture, delivery, and long-term support. Products must ship in a secure default state, limit potential attack surfaces, and remove unnecessary communication interfaces. Security must be built in from the start, not added as an afterthought.
  2. Product identification and traceability. Under Article 13(15) of the CRA, every product must carry clear identifiers, such as a type number, batch number, or serial number, so it can be precisely identified. For hardware manufacturers managing complex bills of materials and multi-tier supply chains, this requirement extends throughout the product to its components.
  3. Software Bill of Materials (SBOM). Manufacturers must produce an SBOM covering at least the top-level dependencies of the product, in a commonly used, machine-readable format. Per Annex I, Part II(1) of the CRA, it must be kept up to date throughout the product's supported life. It does not need to be published publicly, but it must be made available to market surveillance authorities if requested. Think of it as an ingredients list for the software in your hardware: without it, meeting the 24-hour reporting window is close to impossible.
  4. Product risk tiers. The CRA divides products into four categories based on security risk: Default, Important Class I, Important Class II, and Critical. The tier determines the conformity assessment route. Most products fall into the Default category and can self-certify. Important Class II products, such as industrial firewalls, intrusion detection systems, and hypervisors, require mandatory third-party assessment by a notified body. Critical products, such as hardware security modules and smartcards, face the most rigorous requirements.
  5. Long-term support obligations. Under Article 13(8) of the CRA, manufacturers must declare a support period at the point of sale. That period must be no shorter than five years, unless the product is expected to be in use for less time. During that period, manufacturers must monitor for newly discovered vulnerabilities and keep the SBOM up to date. Under Annex I, Part II, point 8, security updates must be issued free of charge.

The Cyber Resilience Act’s Vulnerability Reporting and Deadlines

This is where OEMs will feel the most immediate pressure. From 11 September 2026, if a vulnerability in your product is being actively exploited or a serious security incident occurs, you must report it through ENISA's central reporting platform. The deadlines are fixed:

  1. Within 24 hours: An initial alert confirming the vulnerability is being actively exploited, with a first assessment of its severity.
  2. Within 72 hours: A full report covering technical details, which product versions are affected, and what users should do in the meantime.
  3. Within 14 days: A final report once a fix or workaround is available.
  4. Within one month of the 72-hour notification: A final report for serious security incidents.

These are legal deadlines. For an OEM whose product contains a vulnerable component from a third-party supplier, such as a chipset, a wireless module, or an embedded security chip, meeting a 24-hour reporting window requires knowing exactly what is inside your product, where it came from, and which version it is.

Manufacturers must also provide a clear, public process for security researchers or customers to report vulnerabilities they discover. All security documentation, including risk assessments, technical records, and SBOM updates, must be kept for ten years from the date the product goes on sale.

Why Supply Chain Traceability Now Carries Compliance Weight

This is where the CRA begins to directly affect procurement teams and supply chain managers, not just product engineers.

The regulation instructs manufacturers to bear responsibility for the security of the components they use, including parts sourced from third-party suppliers. If a vulnerability enters through a bought-in component, the legal responsibility still sits with the manufacturer of the finished product.

For a deeper look at what full traceability means in practice, read our guide on the importance of full component traceability.


That means OEMs need to know not just what components are in their products, but where they came from, what specific version is in use, and whether any known security weaknesses apply. Without that information, producing an accurate Software Bill of Materials (SBOM) is difficult. Without an accurate SBOM, meeting the 24-to-72-hour reporting window is close to impossible.

Components sourced outside verified supply channels carry particular risk. Parts bought through grey-market intermediaries may lack proper paperwork, contain unknown firmware, or be counterfeit. Any of these could introduce a security weakness that the manufacturer never anticipated. If such a component is later linked to a security incident, the manufacturer takes on the exposure.

Sourcing records also become part of the compliance trail. Certificates of conformity, test documentation, and chain-of-custody records are no longer just quality control materials. They are documentation that regulators may ask to see. A zero-trust approach to supply chain security is increasingly the standard that manufacturers are expected to meet.

The CRA does not tell manufacturers exactly how to manage their supply chains, but it is clear about who is accountable when something goes wrong. For procurement teams that have historically focused on price and lead time, that accountability is now part of the equation, too.

Sourcing components for a CRA-compliant supply chain? Every component we supply comes with full traceability to the original manufacturer, sourced directly from tier-one OEM and EMS companies.

Browse our inventory.


What OEMs Should Start Doing Now To Be Compliant With The Cyber Resilience Act

December 2027 is closer than it looks, especially when you factor in the time needed for design reviews, compliance checks, documentation work, and supply chain audits.

As Hogan Lovells notes, for most manufacturers, a key objective now is building the minimum operational capability to meet reporting obligations on day one, while simultaneously laying the groundwork for full compliance by December 2027.

  1. Map your product portfolio against CRA scope. Identify which products connect to a network or another device and determine which risk tier each falls into. Products you assumed were out of scope may well fall within it.
  2. Start building your SBOMs now. Creating a complete, accurate software inventory for an existing product takes longer than most teams expect. As ICS notes, many companies lack a complete inventory of the software components in their products, particularly when open-source libraries, embedded packages, and third-party firmware are involved. You need full visibility into all of it.
  3. Set up vulnerability tracking. Monitor for newly published security vulnerabilities in the components your products use. There are established public databases for this, including the EU Vulnerability Database (EUVD) maintained by ENISA. Setting up alerts for specific components is a practical starting point.
  4. Check your supply chain documentation. Can you trace each component back to its original manufacturer? Manufacturers remain responsible for vulnerabilities across all integrated components, regardless of origin. If a vulnerability is found, you need the paperwork to support your SBOM and demonstrate due diligence. A regular inventory audit is a good place to begin.
  5. Bring procurement into the conversation. The CRA fundamentally changes supplier evaluations and makes compliance a procurement issue, not just an engineering one. Teams that understand the CRA's requirements can make sourcing choices that support compliance rather than create gaps. Our tips for sourcing from the secondary market cover the practical steps procurement teams can take.

What Penalties Apply

The CRA is backed by significant enforcement powers. Under Article 64 of the Cyber Resilience Act, penalties are set at three levels depending on the nature of the breach.

  1. Breaches of essential cybersecurity requirements under Annex I, or of reporting obligations under Articles 13 and 14, carry fines of up to EUR 15 million or 2.5% of global annual turnover, whichever is higher.
  2. Non-compliance with conformity assessment, CE marking, technical documentation, and related obligations carries fines of up to EUR 10 million or 2% of worldwide turnover.
  3. Providing incorrect, incomplete, or misleading information to authorities carries fines of up to EUR 5 million or 1% of worldwide turnover.

The CRA sits within the same EU enforcement architecture as GDPR, where regulators have demonstrated a willingness to apply significant fines.

For OEMs still selling into the EU, the question is not whether the regulation applies, but whether compliance is being treated as a design and procurement requirement or as a legal afterthought.

A Practical Takeaway

The CRA is not a distant regulatory concern. Reporting obligations will be enforced from 11 September 2026, and the window for comfortable preparation ahead of full compliance in December 2027 is narrowing fast.

For OEMs selling hardware into the EU, the question is no longer whether to prepare, but how quickly and how thoroughly the work gets done across engineering, procurement, and operations. The regulation creates real obligations around hardware security, product design, long-term vulnerability management, and supply chain documentation.

Getting the right people aligned on CRA readiness now will define which manufacturers are properly prepared when December 2027 arrives, and which find themselves scrambling at the last minute.

How Component Sense Can Help

The CRA puts full responsibility for product security with the manufacturer, including the components used to build it. That means where your components come from, and whether you can trace them back to the original manufacturer, is no longer just a quality question. It is a compliance one.

When supply pressures push procurement teams toward less familiar suppliers, the risks stack up quickly. Components sourced outside verified channels may arrive without adequate paperwork, carry uncertain histories, or introduce security weaknesses that are difficult to trace and disclose within regulatory timescales.

Component Sense supplies fully traceable, counterfeit-free electronic components sourced exclusively from tier-one OEM and EMS companies. Every part comes with a verified chain of custody back to the original manufacturer, and our rigorous inspection process ensures the documentation manufacturers need to support their SBOM and compliance obligations.

If your team is reviewing supply chain risk ahead of CRA deadlines, needs to complete a BOM from a verified source, or is managing excess and obsolete inventory responsibly, we can help.


Frequently Asked Questions

When does the Cyber Resilience Act come into effect for hardware manufacturers?

Vulnerability and incident reporting obligations apply from 11 September 2026.

Full product compliance, covering secure design, vulnerability lifecycle management, and documentation, is required from 11 December 2027.

The CRA entered into force on 10 December 2024.

What products are in scope for the Cyber Resilience Act?

Any hardware or software product that connects directly or indirectly to a network or device is considered a digital product under the CRA.

This includes microcontrollers, industrial IoT hardware, automotive electronics, medical devices, consumer hardware, and the embedded chips within them.

The full scope of the regulation is set out in Article 2.

What is the reporting timeline for exploited vulnerabilities under the CRA?

Under Article 14 of the CRA, manufacturers must submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability or severe security incident.

A full notification is required within 72 hours. A final report must follow within 14 days for actively exploited vulnerabilities, or one month for severe incidents.

How long must hardware manufacturers support products against vulnerabilities?

A minimum support period of five years from market placement, or the full expected product lifetime if shorter, as set out in Article 13(8).

During this period, manufacturers must identify, document, and remediate vulnerabilities in their products, and provide security updates free of charge.

What are the penalties for non-compliance with the CRA?

Breaches of essential cybersecurity requirements carry penalties up to EUR 15 million or 2.5% of global annual turnover, whichever is higher.

Conformity assessment and documentation violations can incur fines up to EUR 10 million or 2% of worldwide turnover. Full details are set out in Article 64.

Does the CRA apply to component suppliers, not just finished product manufacturers?

The CRA places primary obligations on the manufacturer of the finished product. However, that manufacturer is responsible for the security of all components used, including those sourced from third parties.

Under Article 13(5), manufacturers must exercise due diligence when integrating third-party components to ensure they do not compromise the cybersecurity of the finished product. In practice, this means OEMs must impose documentation and traceability requirements on their component suppliers.

Why does component traceability matter under the CRA?

Manufacturers must produce and maintain a Software Bill of Materials (SBOM) covering the components contained in their products. For hardware products, this extends to firmware embedded in hardware components, which the CRA treats as software.

Components sourced through undocumented channels cannot be reliably inventoried, creating gaps that undermine both vulnerability reporting and regulatory compliance.

Full component traceability is the foundation of a credible SBOM.