"We have the CE mark. So we're compliant." For many manufacturers, this used to be a closed process: create documentation, sign the declaration of conformity, done.
Under the Cyber Resilience Act, this changes fundamentally.
What does CE marking mean under the CRA?
CE marking is not a standalone compliance status, it is a collective mark indicating that a product meets all EU harmonization rules applicable to it. For a connected product, this typically includes the EMC Directive, Low Voltage Directive, RoHS, possibly Radio Equipment Directive or Machinery Regulation, and from 11 December 2027, the EU Cyber Resilience Act.
The CRA does not become "the" CE marking but an additional mandatory layer. Without CRA conformity proof, a covered product can no longer be made available on the internal market, not even when all other directives are fully satisfied.
The conformity assessment under the CRA leads to the issuance of the EU declaration of conformity. This declaration is the formal legal act, and exactly here lies the myth: The signature is not an endpoint, but the start of a continuous obligation.
Why CRA compliance is not a one-time task
Unlike classic product directives, cybersecurity is dynamic. A vulnerability unknown today can be actively exploited tomorrow. An open-source library that is safe today can have a critical CVE next week.
The CRA responds with a continuous obligation instead of a one-time conformity act:
- Technical documentation and the EU declaration of conformity must be retained for at least ten years from the date of placing on the market
- For series products, every delivered unit must remain compliant, even when software libraries change in the background
- Vulnerability management runs continuously: identification, assessment, remediation, reporting
- SBOM data must be updated with every component change and remain traceable
- When operations cease or security support ends, authorities and users must be notified in advance
Anyone who doesn't continuously monitor, document, and update loses conformity, and with it, the right to make the product available on the internal market.
Myth vs. fact
Myth: CE marking done, topic closed.
Fact: The CRA makes cybersecurity an ongoing obligation. Anyone who doesn't continuously monitor, document, and update loses their conformity.
What you need to establish concretely
CRA compliance is a living system, not a project with an end date. Four building blocks must operate permanently:
1. Vulnerability monitoring with a response process. You must know which vulnerabilities affect your products, and respond to new CVEs in a structured way. Including the 24-hour initial report for actively exploited vulnerabilities.
2. SBOM maintenance as a routine. Every component or library change must be tracked in the SBOM. Without a current SBOM, there is no defensible conformity statement.
3. Documentation as an ongoing process. Technical documentation, risk assessment, and the EU declaration of conformity are not Word files in an archive but versioned artifacts that make every substantial change to the product traceable.
4. Lifecycle planning with an exit path. Who maintains your product for five, seven, or ten years? What happens after support ends? Who notifies users and authorities? These questions must be answered upfront.
Frequently asked questions
Is a one-time conformity assessment enough under the CRA? No. The CRA requires a continuous set of obligations: ongoing vulnerability management, updates to technical documentation upon substantial changes, reporting obligations toward ENISA, and conformity maintenance across the full support period.
What changes for CE marking under the CRA? The CRA becomes one of the regulations a product with digital elements must satisfy to carry the CE mark. Other directives continue to apply alongside. Without CRA conformity proof, a covered product can no longer be made available.
How long must I keep the technical documentation? At least ten years from the date of placing the respective product on the market. For series products, this applies per unit, not per model.
What happens to CRA conformity if I cease operations? The CRA requires advance notification to authorities and users before security updates can no longer be provided. Users need early notice so they can plan when support ends.
Conclusion
Treat CRA compliance as a living system, not a project with an end date. The EU declaration of conformity is the formal confirmation of a state, and that state must be actively maintained.
Those who set up vulnerability monitoring, SBOM maintenance, documentation, and lifecycle planning as ongoing processes will pass every market surveillance check. Those who tick the box after signing will lose the basis of their conformity at the first audit or first critical CVE.
A structured CRA roadmap helps translate the ongoing obligation of compliance into manageable processes, before the first incident forces the theoretical state into practice.
Every Friday I debunk a CRA myth here.