"If BSI does not step in, nothing happens to us as a manufacturer." I hear this regularly, and it reveals a fundamental misunderstanding of how the enforcement regime of the Cyber Resilience Act actually works. The CRA has activated an enforcement layer that goes well beyond market surveillance authorities.

What does collective redress mean in the context of the CRA?
The Cyber Resilience Act is not only a product safety regulation. It is also an intervention in the EU's civil enforcement landscape. Article 64 CRA amends the EU Representative Actions Directive (Directive 2020/1828). That directive allows qualified entities, in Germany for example the state consumer protection agencies or the federal umbrella body vzbv, to file injunctive and redress actions against companies that breach EU law and thereby harm collective consumer interests.
What is new: CRA breaches are explicitly added to the scope of this directive. A manufacturer that places an insecure product with digital elements on the market, whether without adequate vulnerability management, without an SBOM, or without the mandatory reporting of security incidents to ENISA (the EU Agency for Cybersecurity), therefore risks more than just an administrative fine from the national market surveillance authority. It risks a collective redress action by a civil society organisation with significant litigation capacity and public attention.
For a detailed overview of the CRA requirements that such actions can attach to, see our CRA summary.
Why the "authorities must step in first" misconception is dangerous
The widespread misjudgment is based on a classic mental shortcut. Many manufacturers equate CRA risk with fine risk. Fines come from authorities. Authorities are staffed and prioritise based on resources. So: if you do not stand out, you will not be noticed.
This logic ignores three realities.
First, the right of collective redress is independent of authorities. A qualified entity does not need a regulatory decision as a precondition. It can act on its own if it has sufficient indications of a breach that harms collective consumer interests. That can be a publicly known security incident, a pentest report, a tip from a security researcher, or simply its own technical assessment.
Second, organisations are strategic. Bodies like vzbv do not litigate at random. They look for cases that have precedential effect and generate public attention. An IoT device with known security flaws that affects hundreds of thousands of consumers is exactly the right profile.
Third, reputational damage is hard to repair. A collective redress action usually comes with press work. Even if a manufacturer ultimately wins or settles, the public report remains: "Consumer advocates sue manufacturer X over insecure products." That is a problem no fine alone produces.
For more on the financial risks of non-compliance, see our article on CRA penalties and fines.
Myth vs. fact
Myth: As long as the market surveillance authority does not step in, a manufacturer has nothing to fear from CRA breaches.
Fact: The CRA explicitly extends the EU Representative Actions Directive (2020/1828) to CRA breaches. Qualified consumer protection organisations can sue manufacturers directly, independent of any regulatory proceedings, if breaches harm collective consumer interests. The enforcement risk is two-track, regulatory and civil.
Concrete consequences for manufacturers
1. Vulnerability management is not an optional add-on. One of the clear attack surfaces for collective redress is products where known vulnerabilities have not been reported or remediated. Article 13 CRA obliges manufacturers to implement structured vulnerability management across the entire product lifecycle. Those who cannot demonstrate it have a serious evidentiary problem in a lawsuit. We describe a practical approach in our vulnerability management guide for CRA manufacturers.
2. Publicly visible breaches are the real triggers for litigation. What is actually attackable for civil society organisations is what they can verify themselves. If the user manual lacks information on secure use or data deletion, that is directly observable. If a manufacturer does not respond to publicly known CVEs and this inaction is documented, that provides a concrete anchor. And whether an EU declaration of conformity exists, and whether the product holds up against what it claims, can be verified through technical assessments. The SBOM is an important internal tool but not the first thing that becomes externally visible and triggers claims.
3. Compliance documentation protects, but only if it holds up. CE marking and the declaration of conformity are formal shields, not substantive ones. An organisation can have technical documentation reviewed via authorities or experts. Those who carried out their conformity assessment only pro forma will stand without solid evidence. For more on CE marking under the CRA, see our article on CRA conformity assessment.
What does this mean for your CRA roadmap?
Two deadlines structure the CRA implementation timeline for manufacturers. From 11 September 2026, the reporting obligations for actively exploited vulnerabilities and severe security incidents enter into force. From 11 December 2027, the CRA applies in full, including all requirements for product security, SBOM, technical documentation and conformity assessment.
The point often overlooked in this context: the right of collective redress does not only kick in from December 2027. As soon as the CRA is fully applicable, breaches are actionable. Organisations will not wait years to establish first precedent cases. The GDPR experience shows how quickly such bodies become active after entry into force.
Anyone structuring their CRA roadmap today is at the same time laying the foundation for their defensibility against civil claims. A detailed timeline is available in our article on the CRA compliance roadmap 2026 to 2027.
Frequently asked questions
Who can file a collective redress action based on the CRA? Qualified entities under Directive 2020/1828. In Germany this includes the Verbraucherzentrale Bundesverband (vzbv) or the individual state consumer protection agencies. At EU level there is a wide range of such organisations, which can act cross-border.
Do consumers need to be individually harmed for collective redress to be possible? No. Collective actions protect collective interests. It is enough that a CRA breach is potentially capable of harming a large number of consumers, for example through a product with security-relevant vulnerabilities that is widely marketed.
What sanctions can result from a collective redress action? Primary remedies are injunctions (no further distribution of the product) and redress measures (recall, remediation, information to affected consumers). On top of that come legal costs and reputational damage. Administrative fines come separately, through the market surveillance authorities.
Can a manufacturer protect itself from collective redress through CE marking? Not fully. The CE marking certifies formal conformity at the moment of placing on the market. If a product later shows known vulnerabilities that are not remediated, the ongoing vulnerability management obligation kicks in. A claim can be based on that breach, independent of the original CE marking.
Are there precedent cases on CRA and collective redress yet? The CRA is not yet fully in force. Such claims will only become possible after 11 December 2027. GDPR experience shows, however, how quickly organisations become active after entry into force. The first collective actions were filed shortly after May 2018.
Conclusion
The CRA is not a pure regulator game. BSI is actively building capacity for CRA market surveillance and takes the task seriously. Still, there is a second, independent enforcement layer, the civil one. The amended Representative Actions Directive gives consumer protection organisations the right to sue manufacturers directly when their products breach CRA requirements and thereby endanger collective consumer interests. These two layers run in parallel, not sequentially.
For practice this means: CRA compliance is not regulator compliance, it is product quality compliance. Vulnerability management, product documentation, and conformity evidence are not only regulatory duties but also the most important arguments in a civil proceeding. What organisations can examine are the visible things, the user manual, the response to publicly known vulnerabilities, the declaration of conformity.
If you want to know where your company stands today, you can start with a free CRA assessment, structured, manufacturer-specific, and without detours through generic checklists.
Every Friday I debunk a CRA myth here.