Affected Stakeholders
The regulation applies to:
Manufacturers, importers, and distributors of products with digital elements (hardware and software)
Companies distributing digital products that are directly or indirectly connected to a network
Open-source software stewards, i.e. organisations that provide sustained support for free and open-source software intended for commercial activities
However, end users are also indirectly affected by this complex regulatory environment, as will be further discussed.
Key Milestones
Following its entry into force in December 2024, the regulation will be implemented in phases:
Notification of conformity assessment bodies: from 11 June 2026
Mandatory reporting of vulnerabilities and security incidents: from 11 September 2026
Full application of all requirements: from 11 December 2027
Non-compliance may result in administrative fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
A Risk-Based Approach
The CRA follows a risk-based approach, setting stricter requirements for "important" and "critical" products that pose a higher cybersecurity risk. The regulation introduces a deep transformation in how digital products are designed, developed, and managed in terms of security—making compliance a strategic factor for companies operating in the EU market.
CRA and Switzerland: Specific Implications
Currently, Switzerland does not have a legal framework equivalent to the EU Cyber Resilience Act (CRA). The Swiss approach to cybersecurity is fragmented and sector-specific, with targeted rules for certain domains but no horizontal regulation defining minimum security requirements for all products with digital elements.
Nonetheless, Swiss companies exporting digital products to the European Union are subject to the CRA and must ensure compliance to access the single market.
At the national level, the National Strategy for the Protection of Switzerland against Cyber Risks (NCS) provides general guidance to strengthen cyber resilience but does not impose specific regulatory obligations on hardware and software manufacturers.
Some regulated sectors, such as finance, already follow cybersecurity practices mandated by FINMA (Swiss Financial Market Supervisory Authority), but these are not fully aligned with the CRA’s requirements.
It is likely that Switzerland will, in the future, adopt harmonized regulations aligned with the EU to reduce trade barriers and facilitate Swiss companies’ access to the European market, as has been the case with other technical standards.
Core Requirements of the CRA
The Cyber Resilience Act introduces a series of core requirements that radically reshape the approach to digital product security in the European market:
Security by Design and Vulnerability Management:
Obligations for manufacturers to integrate security during the design and development phases
Products placed on the market must not contain known exploitable vulnerabilities
Provision of security updates, free of charge, throughout the support period, which must cover the product's expected lifetime and be at least five years unless the product is expected to be in use for a shorter time
Secure configuration as the default setting
Structured system for vulnerability management and documentation, including a Software Bill of Materials (SBOM)
Conformity Assessment Procedures:
Self-certification (internal control) for standard products
Assessment by notified bodies for “important” and “critical” products
Complete technical documentation to demonstrate conformity
Mandatory Reporting Requirements:
Early warning within 24 hours of becoming aware of an actively exploited vulnerability, followed by a fuller notification within 72 hours and a final report within 14 days
Notification of severe incidents affecting product security to the national CSIRT (Computer Security Incident Response Team) designated as coordinator and to ENISA, on the same timeline: early warning within 24 hours, notification within 72 hours, final report within one month
User notification regarding vulnerabilities, updates, and end-of-support timelines
Implementation of coordinated vulnerability disclosure policies
Additionally, the CRA is a central and complementary pillar of the EU's cybersecurity legal framework: it integrates with existing sector-specific regulations and raises the minimum security baseline for digital products.
What Does It Mean for Your Company?
The CRA brings tangible benefits to end users:
More secure and reliable digital products
Greater transparency on security features and support periods
Security updates free of charge for the whole support period, which is at least five years unless the product is expected to be in use for a shorter time
Clear lifecycle and support-end information
However, critical issues remain, particularly the continued use of legacy systems due to:
high replacement costs
functional dependencies
proven reliability
internal expertise requirements
migration-related operational risks
regulatory compliance constraints
In smart building contexts it is especially relevant that hardware and IoT devices often remain in service well beyond the five-year minimum support period the CRA requires of manufacturers, creating a compliance and security grey area.
Although the CRA does not impose direct penalties on end users who keep using products beyond the support period, failure to update or replace such products could be considered negligence in other legal contexts.
For instance, after a cyber incident or data breach, the supervisory authorities enforcing the GDPR (which allows fines of up to €20 million or 4% of global annual turnover, whichever is higher) may refer to the CRA as the applicable standard of care when assessing corporate diligence.
They may argue that the company, despite being aware of the end-of-support risks, did not implement adequate preventive measures.
Recommended Actions:
Conduct a detailed gap analysis of digital products
Develop risk mitigation strategies
Document in advance the risk analysis, the safeguards implemented, and the network segmentation of critical legacy systems
Note that EU sanctions are administrative in nature and do not offer direct compensation to affected parties, who must pursue legal action independently.
Authorities can issue sanctions based on technical assessments, which may sometimes be incomplete or scientifically debatable. Only afterward can companies appeal before the competent judicial authority, which will review procedural aspects and sanction proportionality, but may not carry out a deep technical review.
In other words, the burden of proof shifts to the company, which must demonstrate that the legacy system or IoT component did not contribute to the incident, or that effective compensatory measures were in place.
This means companies must prove they acted with due diligence, rather than the authority proving negligence.