"The Cyber Resilience Act doesn't apply to our existing products. They're already on the market." I hear this often. And it sounds logical at first. But it's not quite right.

Does the CRA apply to products already on the market?
Partially, and that's the key. The EU Cyber Resilience Act reaches existing products through three mechanisms:
1. Reporting obligations from 11 September 2026. From that date, the obligation to report actively exploited vulnerabilities and severe incidents affecting the security of a product takes effect: an early warning within 24 hours of becoming aware, a more detailed notification within 72 hours, and a final report once the issue is handled (no later than 14 days after a corrective or mitigating measure is available for a vulnerability, within one month after the incident notification for an incident). Reports go to the CSIRT designated as coordinator and to ENISA via the single reporting platform. This applies to products already on the market, including units shipped years ago.
2. Full applicability from 11 December 2027. From that day on, every unit placed on the EU market must meet the full CRA requirements. A unit is "placed on the market" when it is first made available in the EU, so a legacy model that is still being sold must be brought into CRA conformity regardless of when it was designed or produced (more on this in No CRA grandfathering).
3. Substantial modification as a trigger. Any existing product that undergoes a substantial modification from 11 December 2027 onwards falls fully under the CRA, even if it was originally placed on the market before the cut-off.
What is a substantial modification under the CRA?
A substantial modification is a change to a product after it was placed on the market that affects its compliance with the essential cybersecurity requirements, or that changes the intended purpose for which the product was assessed. That happens faster than you'd think:
- Feature expansions introducing new risks
- New interfaces (e.g., an additional cloud endpoint for a new customer)
- Changed security characteristics from substantial software updates (a security update that only fixes vulnerabilities is explicitly not a substantial modification, nor is a minor functionality update)
- Replacement of central components or security-relevant software libraries
- New usage scenarios not covered by the original risk assessment
A classic example: a new customer wants to integrate their system, so a new interface is implemented. The interface changes the attack surface and with it the basis of the original assessment, so the product is treated as substantially modified and must satisfy all CRA requirements, including SBOM, vulnerability handling processes, technical documentation, and the EU declaration of conformity.
Myth vs. fact
Myth: Existing products are exempt from the CRA.
Fact: The reporting obligation applies to existing products from 11 September 2026. And from 11 December 2027, any substantial modification pulls an existing product under the full CRA.
How long does a CRA compliance project realistically take?
At LogiMAT and other industry events, I've spoken with companies whose CRA compliance projects started in 2024 and were only completed at the start of this year. Typical duration: 12 to 18 months, from gap analysis to a demonstrably compliant product.
Anyone thinking this can be implemented as a side project should start now. The steps are not trivial:
- Inventory of product portfolios and interfaces
- Risk assessment per product family
- SBOM build-out and maintenance process
- Vulnerability management pipeline including reporting workflow
- Technical documentation and conformity assessment
- Supply chain alignment (see supplier liability)
Starting in early 2027 means missing the deadline. More on the CRA roadmap toward 2026/2027 is covered separately.
What you should concretely check
1. Walk through your existing portfolio. Which products are currently on the market? Which have digital elements? Which fall under the 11 Sept 2026 reporting obligation?
2. Review your product roadmap for substantial modifications. Every planned feature expansion, interface, or software update could trigger the full CRA. You need to know these triggers before engineering starts.
3. Set up a vulnerability handling and reporting process. By 11 September 2026 at the latest, you must be able to submit an early warning for an actively exploited vulnerability within 24 hours of becoming aware of it, and follow up with the 72-hour notification. That's a process, not a tool.
4. Prepare reporting channels. Access to the single reporting platform operated by ENISA, the contact at the CSIRT designated as coordinator for your company, internal escalation paths. Anyone clarifying this only after an incident will miss the 24-hour deadline.
Frequently asked questions
Does the CRA apply to products already on the market? Partially. The reporting obligation for actively exploited vulnerabilities and severe incidents applies from 11 September 2026 to all in-scope products with digital elements on the EU market, whenever they were placed there. Full manufacturer obligations apply to every unit placed on the market from 11 December 2027, and to existing products from that date whenever they are substantially modified.
What is a substantial modification under the CRA? A change made after placing on the market that affects the product's compliance with the essential cybersecurity requirements or changes its assessed intended purpose, typically through feature expansions, new interfaces, changed security characteristics, or substantial software updates. Security updates that only fix vulnerabilities do not count.
What are the CRA reporting obligations from 11 September 2026? Report actively exploited vulnerabilities and severe incidents affecting the security of a product to the CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of becoming aware, a vulnerability or incident notification within 72 hours, and a final report afterwards (no later than 14 days after a corrective or mitigating measure is available for a vulnerability, within one month after the notification for an incident).
How long does a CRA compliance project typically take? 12 to 18 months from gap analysis to a demonstrably compliant product. Starting in 2026 makes the 2027 deadline tight but realistic.
Conclusion
Existing products are not off the hook. The reporting obligation takes effect in September 2026, full applicability in December 2027, and from then on any substantial modification pulls the entire product into the CRA.
Review your product roadmap carefully. Every planned change to existing products could trigger the CRA. Those who recognize the trigger can steer it consciously. Those who miss it accidentally pull their product into the full CRA scope.
A structured CRA roadmap helps weave together legacy portfolio and forward roadmap, before the first incident forces theory into practice.
Every Friday I debunk a CRA myth here.