How European Cybersecurity Laws affect your digital product

The European market offers huge opportunities for software and connected devices—but new rules are coming that will affect all products sold to EU customers. The Cyber Resilience Act, which will fully apply in 2027, will require manufacturers, importers, and distributors to plan cybersecurity from the very start, build secure products, and manage vulnerabilities throughout the product lifecycle.

Even though the Act is not yet in force, companies should start preparing now. Product development and update cycles can be lengthy, and aligning design, risk management, and documentation with CRA requirements early helps avoid last-minute compliance challenges. This will also ensure smoother market entry, reduce the risk of costly redesigns, and give your company a head start with European customers before the regulation takes effect.

The European market offers substantial commercial opportunities for technology-driven businesses. Companies offering software components or dealing with desktop or mobile applications increasingly find themselves supplying products and services to customers located within the European Union—often without maintaining a physical presence in Europe.

At the same time, market access to the European Union is accompanied by a sophisticated and continuously evolving regulatory framework. This is particularly the case in the area of cybersecurity, which has been a legislative priority for EU institutions for several years. As part of this broader regulatory landscape (see our overview article), the Cyber Resilience Act (CRA) introduces far-reaching cybersecurity obligations for manufacturers, importers, and distributors of products with digital elements, regardless of whether they are established inside or outside the EU.

Although the Cyber Resilience Act will become fully applicable in late 2027, companies should not view compliance as a distant concern. The regulation’s requirements apply throughout the product lifecycle, and the often lengthy design, development, and update cycles for software and connected products mean that compliance considerations must be addressed at a much earlier stage. In practice, this requires businesses planning to enter or expand within the European market to align their product development, vulnerability management, and contractual frameworks well ahead of the formal application date.

Is this relevant to my company?

The Cyber Resilience Act applies to companies that make digital products available in the European market. This includes:

• Manufacturers, such as those developing software platforms, mobile applications, or firmware embedded in connected devices;

• Importers, for example companies bringing smart devices, networking equipment, or industrial IoT products from outside the EU into the European market;

• Distributors, including those selling products through webshops, digital marketplaces, or enterprise licensing arrangements.

If your company might fall into one of these categories, it is advisable to determine which exact role applies in your specific case, as the Cyber Resilience Act assigns different responsibilities to manufacturers, importers, and distributors. The correct classification is not merely formal: it directly affects the scope of your cybersecurity obligations, your internal compliance processes, and your contractual arrangements with partners and customers.

What requirements do I have to fulfil?

For many companies, the Cyber Resilience Act will require changes to how products are designed, documented, and supported. The key obligations can be summarised as follows.

1. Integrate Security into Your Product from the Start

Under the Cyber Resilience Act, cybersecurity cannot be treated as a final compliance step shortly before launch. Companies are expected to consider cybersecurity already during product design and development. This includes identifying and assessing potential risks early and addressing them as part of the development process. The regulation is built around two core principles:

• Security by design: Products must be developed with appropriate technical safeguards in place, such as encrypting stored or transmitted data and limiting the attack surface.

• Secure by default: Default configurations must support security, for example by preventing weak default passwords and enabling automatic security updates.

Vulnerability handling must also be planned from the outset. Manufacturers are required to maintain transparency over the software components used in their products by creating a software bill of materials (SBOM). An SBOM is comparable to an ingredient list for software. While the Cyber Resilience Act requires an SBOM to be created, it does not need to be made public.

2. Demonstrate Compliance

To sell a product in the EU, manufacturers must show it meets the Cyber Resilience Act’s requirements, usually through a declaration of conformity. Most products can be self-assessed, while higher-risk items—like critical network equipment—require an independent assessment by a notified body.

Compliance documentation should cover risk assessments, design decisions, software bills of materials (SBOMs), and vulnerability management. Beyond regulatory purposes, this documentation reassures customers and partners that cybersecurity is built into the product from the start.

3. Report vulnerabilities

Under the Cyber Resilience Act, manufacturers must report actively exploited vulnerabilities and serious security incidents that affect their products. Reports are submitted through a central platform operated by ENISA, the European Union Agency for Cybersecurity, which supports EU member states, companies, and citizens in improving cybersecurity.

Examples include compromised update mechanisms, risks of code manipulation, or other security breaches that could impact users. Even companies outside the EU must comply if their products are placed on the European market, making early integration of vulnerability reporting processes essential for compliance and risk management.

4. Secure the product throughout its lifetime

The Cyber Resilience Act makes clear that cybersecurity obligations do not end at the point of sale. Manufacturers must provide security updates and address vulnerabilities for the entire support period of a product, which is generally expected to be at least five years.

This means companies need processes in place for ongoing monitoring, patching, and vulnerability management throughout the product’s life. Planning for this from the start helps avoid compliance gaps and ensures that products remain secure for customers over time.

Preparing for the Cyber Resilience Act

Compliance with the Cyber Resilience Act requires careful planning across product design, development, and ongoing support. Early attention to your obligations can help avoid regulatory gaps and strengthen trust with customers in the European market. Our law firm has experience advising technology companies on EU cybersecurity regulations and can guide you through the steps needed to align your products with the regulation’s requirements.

If you need any assistance, get in touch today to see how we can help you protect your business and your customers’ trust.

Get Expert Legal Advice from Boettcher Law

Disclaimer: This article provides general information and does not constitute legal advice.

How EU Cybersecurity Laws may affect your product

FAQs

Yes. EU regulations can apply even where a company has no physical presence in the EU and only limited interaction with EU customers. Under the Cyber Resilience Act, what matters is whether products are made available on the EU market, not where the company is located.

The CRA focuses on the security of digital products, such as software, smart devices, and connected applications, that are sold in the EU market. It requires manufacturers to implement cybersecurity-by-design, maintain documentation, conduct vulnerability testing, and provide timely security updates. For the most part, the regulation will apply from 11 December 2027, meaning new products placed on the EU market from that date must comply with these requirements.

In practice, this means reviewing your product lifecycle for security risks, maintaining technical documentation, and communicating security guidance to customers. Companies should also consider legacy products—those already on the market before 11 December 2027. Existing products may remain subject to certain obligations if updates, patches, or new versions are released after the CRA enters into force. Even if your business is based outside the EU, planning for both new and legacy product compliance ensures your offerings can be legally sold in the EU and reduces liability from security incidents or regulatory enforcement.

If a product does not comply with the Cyber Resilience Act, authorities may require corrective measures before or after the product is placed on the European market. This can include requests to address identified security shortcomings, provide additional documentation, or implement specific risk-mitigation measures.

In more serious cases, non-compliant products may be restricted or removed from the EU market. The regulation also provides for administrative penalties. For companies entering the European market, early preparation and structured compliance processes can significantly reduce the risk of disruption.

Companies should start preparing now because product development, testing, and update cycles can be lengthy. Early planning allows you to integrate cybersecurity measures, establish vulnerability management processes, and prepare required documentation in advance, reducing the risk of compliance gaps when the Cyber Resilience Act comes into full effect in late 2027.
