Cyber Resilience Act: the countdown has started for connected products

· 4 min read · SOVALYX Technologies

SHARE

The Cyber Resilience Act (CRA) is the EU regulation imposing cybersecurity requirements on every product with digital elements placed on the Union market — hardware and software alike. Its first concrete deadline lands on 11 September 2026 with the reporting obligations for actively exploited vulnerabilities; the bulk of the obligations apply on 11 December 2027. For a manufacturer or software vendor, preparation starts now.

Who is covered: far more than connected gadgets

The CRA's scope is deliberately broad: it covers products with digital elements, meaning connected hardware (network equipment, sensors, controllable industrial machines, consumer electronics) but also software placed on the European market — applications, embedded systems, components. The official description of the text is available on the European Commission's website.

Three points widen the circle of organisations concerned:

Two dates to remember

The application timeline is staged, with two structuring milestones:

The order of these deadlines is a message in itself: the legislator starts with the ability to detect and report that a product is under attack, before even requiring full conformity. A necessary note: this article is an information summary, not legal advice — the exact scope of your obligations should be confirmed with your advisors.

Article 14: what "reporting" demands in practice

Reporting an actively exploited vulnerability presupposes a complete chain that, in many organisations, does not yet exist:

What to prepare in 2026

The foundations the CRA demands are the same as those of serious product hygiene — better to build them once, properly:

CRA checklist: where do you stand?

If the Article 14 deadline feels distant, remember that it demands operational capabilities, not documents: a disclosure channel, telemetry, on-call coverage. These building blocks take months. A diagnostic of your product chain lets you sequence the work before the calendar does it for you.

How SOVALYX can help

SOVALYX helps manufacturers and software vendors build the foundations the CRA requires: a vulnerability management process, automated SBOM generation and tracking, a working disclosure channel and 24/7 monitoring under SLA to detect and qualify active exploitation. These building blocks take months to put in place — not something to improvise under a mandatory notification deadline.

Talk compliance with an engineer

🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.

Reviewed and optimised by AI.