You think cybersecurity is a topic for Microsoft, Apple, or SAP? You feel safe because your company doesn't manufacture laptops or servers? Then you should read on very carefully.
The CRA Is Not an IT Law – It Is a Product Safety Law
EU Regulation 2024/2847 – better known as the Cyber Resilience Act – is frequently misunderstood. Many companies mentally file it under "only relevant to the IT industry" and return to business as usual.
That is an expensive mistake.
The CRA is a product safety law that applies to almost anything with a plug, a battery, or a radio chip. The EU has established a remarkably simple rule: as soon as a product has a direct or indirect data connection – physical or logical – the law applies.
Direct or indirect data connection. That is not a niche criterion. That is a dragnet.
What This Means in Practice
Imagine you supply a component that has remained unchanged for 20 years. It works, your customers are satisfied, and nobody has ever complained about cybersecurity.
Suddenly you are required to guarantee security updates for the next 5 years, provide a complete Software Bill of Materials (SBOM), and report vulnerabilities to ENISA within 24 hours.
20 Products Where Manufacturers Are Just Waking Up
Here are products where many manufacturers are only now – sometimes painfully – realizing that they are squarely in the EU's crosshairs.
1. Plush Toys and Talking Toy Figures
The connected teddy bear is no longer just a plaything. Toys with internet connectivity – such as dolls with voice functions or location tracking – are classified by the EU as "important products" in Class I. The reason: they directly endanger the privacy of the most vulnerable users – our children. The requirements for conformity assessment and documentation increase significantly here.
2. Smart Door Locks
Security here no longer means just solid steel. A hacked lock opens physical doors – putting the safety of people and property at stake. The EU classifies smart door locks as important products with strict testing requirements.
3. RFID Chips on Warehouse Containers
They look like simple stickers. But they process digital data and establish a physical radio connection to readers – making them legally a product with digital elements. Even such seemingly simple components can serve as entry points for attackers into larger logistics or information systems. If the chip is placed on the market separately, it must meet the essential cybersecurity requirements – including CE marking.
4. Industrial Milling Machines
A multi-ton machine that suddenly stops because it is networked? The CRA applies here in addition to the Machinery Regulation (EU) 2023/1230, especially for remote maintenance functions. A critical point: industrial systems are often used for decades. Manufacturers must account for this long lifecycle when planning the support period for security updates.
5. Baby Monitors
Once a simple radio device, now a highly regulated "important product": today's baby monitor is a networked system with app connectivity and cloud features. Vulnerabilities here represent an unacceptable risk to child safety in the EU's view.
6. TV Remote Controls
Modern remote controls contain firmware and communicate via infrared, Bluetooth, or even Wi-Fi with the end device. The TV is networked, the remote communicates with the TV – that is sufficient to be classified as an indirect data connection. Manufacturers must ensure these devices have no known exploitable vulnerabilities when placed on the market.
7. Smart Coffee Machines
Here is the real eye-opener: if an app is required for control, even the manufacturer's cloud backend legally becomes part of the product and must be secured. This applies to any product whose functions could not be fulfilled without remote data processing developed by the manufacturer.
8. Gaming Headsets
This surprises many: gaming headsets are worn on the body and transmit data wirelessly – as wearables, they fall directly under the cybersecurity requirements. If they are specifically intended for use by children, they are even classified as "important products" in Class I. Manufacturers are required to provide security updates for the expected product lifetime – at least five years.
9. Fitness Trackers and Smartwatches
Unless they are certified medical devices (which are governed by separate regulations), these health-monitoring wearables fall under the CRA. The EU views models designed for children as particularly critical.
10. Alarm Systems
Traditional security technology must now meet digital minimum standards to even obtain a CE mark. The same applies to security cameras and other smart home security products.
The "Invisible" Software and Infrastructure
From here, it gets even more uncomfortable for many companies – because the following products cannot be seen or touched, yet they are equally in the CRA's sights.
11. Smart Meter Gateways
These inconspicuous boxes in the basement are classified as "critical products" (Annex IV) – the highest CRA category. The reason: they can influence the power grid. The strictest requirements apply here, including mandatory certification through European cybersecurity certification schemes. This is particularly relevant for manufacturers in the energy sector.
12. Microprocessors and Microcontrollers
The tiny building blocks deep inside your hardware. If they have security-relevant functions, they often require third-party certification. Component manufacturers who have previously "only supplied parts" will need to fundamentally rethink their approach.
13. Boot Managers
The first software loaded when a system starts – before you even see anything. Since it can compromise the entire security chain, it is classified as an "important product" with enhanced requirements. Learn more about securing embedded systems under the CRA.
14. Network Switches
The often dusty distribution boxes in IT cabinets are considered central infrastructure components. Hardly any facility manager thinks about CRA conformity when procuring switches. That will have to change. Manufacturers of network and telecommunications equipment face particular challenges here.
15. Mobile Apps (iOS and Android)
Every app in the store that accesses a database or API falls under the CRA as part of a remote data processing solution. Whether your company develops the app in-house or commissions it from a service provider – if you make it available in the course of a commercial activity, you are liable. The same applies to SaaS products and cloud software.
16. PDF Tools and Image Editing Software
Traditional installable software is also affected. It processes data and typically communicates with the manufacturer's servers via update functions. This triggers the CRA – along with the full documentation and security requirements.
17. Messaging Services
Communication security must be guaranteed through state-of-the-art encryption mechanisms. For messaging software providers, this means: conformity assessment, SBOM, vulnerability management – the full program.
18. Routers and Modems
The classic "gateways" to our digital lives are by definition important products with elevated risk. The requirements for manufacturers go far beyond what is industry standard today.
19. Password Managers
Software made available in the course of a commercial activity is subject to extensive documentation requirements. Even if the tool is free – if it is offered commercially, the CRA applies. Password managers fall under particularly strict requirements as important Class I products.
20. Operating Systems
No matter how small – every operating system for a digital device is an important Class I product. From the mini-RTOS in an industrial sensor to a smartphone OS: without conformity, no EU market access.
The Elephant in the Room: What Applies to Suppliers?
Many companies think: "We only build components. Someone else is responsible for the end product." That is only half the truth.
Intel Builds the Processor. Dell Builds the Laptop. Who Is Liable?
Both. The regulation aims to ensure the security of the entire supply chain – and therefore holds every actor accountable.
Intel as a component manufacturer places the processor on the market separately. This makes Intel a manufacturer within the meaning of the CRA and requires Intel to:
- develop the processor in accordance with the essential security requirements,
- perform its own conformity assessment and apply the CE marking,
- create an SBOM for the processor (including microcode and firmware), and
- address vulnerabilities and deliver security updates throughout the entire support period.
Dell as the end product manufacturer places the laptop on the market under its own name and bears overall responsibility. Dell must verify during integration that the Intel component does not compromise the laptop's security. If a vulnerability in the processor becomes known that makes the laptop insecure, Dell must respond through its own vulnerability management process. And Dell needs its own SBOM for the entire laptop, listing Intel's processor as a dependency.
The interplay: If Dell discovers a vulnerability in the Intel component, Dell must inform Intel. Intel in turn must address the vulnerability and provide Dell with the necessary security patch. The principle: Intel is liable for the security of the component it places on the market. Dell is liable for the security of the laptop it assembles from it. And if you sell a software module, firmware, or hardware component separately – whether free or not – you are in the same position as Intel.
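To make the supplier/integrator interplay concrete, here is an added example (not part of the original article and not any vendor's tooling): the supplier's component SBOM, with its microcode and firmware, merged into the integrator's product SBOM as a dependency, plus the lookup the integrator runs when the supplier reports a vulnerable firmware version. The layout follows CycloneDX JSON conventions (bomFormat, components, dependencies); all component names, versions and the advisory are constructed placeholders.

```python
import json

def component_sbom():
    """Supplier-side SBOM: the processor placed on the market separately,
    listing the microcode and firmware shipped inside it (constructed data)."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "device", "name": "example-cpu",
                                   "version": "rev-b", "bom-ref": "cpu"}},
        "components": [
            {"type": "firmware", "name": "example-microcode", "version": "0x42",
             "bom-ref": "cpu:microcode"},
            {"type": "firmware", "name": "example-mgmt-fw", "version": "3.1.0",
             "bom-ref": "cpu:mgmt-fw"},
        ],
        "dependencies": [{"ref": "cpu", "dependsOn": ["cpu:microcode", "cpu:mgmt-fw"]}],
    }

def product_sbom(part):
    """Integrator-side SBOM: the laptop lists the supplier's component as a
    dependency and carries the supplier's sub-components and edges along."""
    root = {"type": "device", "name": "example-laptop", "version": "2026.1", "bom-ref": "laptop"}
    own = [{"type": "operating-system", "name": "example-os", "version": "7.0", "bom-ref": "os"}]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": root},
        "components": own + [part["metadata"]["component"]] + part["components"],
        "dependencies": [{"ref": "laptop", "dependsOn": ["os", "cpu"]}] + part["dependencies"],
    }

def affected_refs(sbom, name, version):
    """Given an advisory naming a component and version, return every bom-ref
    that ships it directly or transitively: the integrator's 'am I affected?' check."""
    hits = {c["bom-ref"] for c in sbom["components"]
            if c["name"] == name and c["version"] == version}
    graph = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    changed = True
    while changed:  # propagate upward until no new dependant is found
        changed = False
        for ref, deps in graph.items():
            if ref not in hits and hits.intersection(deps):
                hits.add(ref)
                changed = True
    return sorted(hits)

if __name__ == "__main__":
    bom = product_sbom(component_sbom())
    print(json.dumps(bom, indent=1))
    # Constructed advisory: the supplier reports an issue in microcode 0x42.
    print(affected_refs(bom, "example-microcode", "0x42"))
```

A match on the laptop's own bom-ref is the signal that the integrator's vulnerability process must start, even though the flaw sits two levels down in the supplier's part.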
What Is NOT Affected?
To sharpen the contrast: products such as motor vehicles, medical devices, or civil aviation equipment do not fall under the CRA. But not because they don't need cybersecurity – rather because they are already strictly regulated by more specific EU laws.
The CRA closes exactly the gap that existed until now: everything that communicates digitally but was not already regulated by sector-specific legislation. For a complete overview, see our article on the scope of the CRA.
The Clock Is Ticking
The deadlines are concrete, and they are close:
- September 2026: Vulnerability reporting obligations take effect. From then on, actively exploited vulnerabilities must be reported to ENISA within 24 hours.
- December 2027: The CRA becomes fully enforceable. Every product with digital elements placed on the EU market after this date must be compliant.
Those who fail to plan now risk fines of up to 15 million euros or 2.5% of global annual turnover – whichever is higher. For a detailed timeline, see our CRA Countdown 2026–2027.
What You Should Do Now
- Portfolio check: Systematically review which of your products fall under the CRA. The answer will likely surprise you.
- Build SBOM capability: A Software Bill of Materials is not optional – it is mandatory. Start inventorying your software components now.
- Establish processes: Vulnerability management, reporting workflows, update strategies – all of this must be in place before the deadlines hit.
- Plan the support period: At least 5 years of security updates. For long-lived industrial products, significantly longer. This has implications for your business model.
Conclusion
The Cyber Resilience Act is the most comprehensive cybersecurity law the EU has ever passed. It affects not only the usual suspects in the tech industry but draws a circle around practically every product that communicates digitally.
The question is not whether you are affected. The question is whether you already know it.
Kunnus supports manufacturers in the structured implementation of CRA requirements – from automated SBOM creation through continuous vulnerability monitoring to complete documentation. Where do you stand on CRA compliance? Our free CRA readiness assessment gives you a clear overview of your status and next steps in just a few minutes.