Back to Blog
Industrial MachineryIndustrial ComponentsEmbedded SystemsCyber Resilience ActCRA ComplianceEU ComplianceCE Marking

Cyber Resilience Act and Switzerland: What Swiss Manufacturers Need to Know for EU Exports

The EU Cyber Resilience Act applies to Swiss manufacturers exporting to the EU — and Switzerland is preparing its own equivalent regulation via Motion 24.3810. Obligations, deadlines and concrete steps at a glance.

February 12, 2026
9 min read
Maximilian Heck

Last updated 2 June 2026. Additions since first publication: status of Swiss legislation (Motion 24.3810, BACS consultation in autumn 2026), the 11 June 2026 milestone for notified conformity assessment bodies, and additional cross-references to the Swiss CRA overview page.

Switzerland is not an EU member – yet the Cyber Resilience Act (CRA) affects Swiss manufacturers as soon as their products are placed on the EU market. In parallel, the Swiss Federal Council is preparing its own regulation for the cybersecurity of digital products via Motion 24.3810. For Swiss MEM industry (machinery, electrical, metalworking) and the digital supplier ecosystem, the picture is pragmatic: anyone exporting to the EU implements the EU CRA today – and is largely prepared for the upcoming Swiss law. A compact summary including the Kunnus platform answer is available on our Swiss CRA overview page.

Two parallel tracks: EU CRA and Motion 24.3810

Swiss manufacturers must keep two regulatory threads on the agenda. Both target the security level of digital products, but they are at different stages.

EU Cyber Resilience Act. In force since 10 December 2024. Reporting obligations from 11 September 2026, full application from 11 December 2027. From 11 June 2026, notified conformity assessment bodies are authorised to assess products against the CRA – Swiss manufacturers can secure formal conformity evidence well before the main obligations take effect.

Motion 24.3810 – the Swiss response. The Security Policy Committee of the Council of States mandated the Federal Council to propose its own cybersecurity regulation for digital products. The Federal Office for Cybersecurity (BACS), together with OFCOM and SECO, is preparing a consultation draft by autumn 2026. Following Switzerland's tradition of autonomous adaptation ("autonomer Nachvollzug") to EU rules, the Swiss regulation will closely align with the EU CRA, define its own market surveillance rules, and create the legal basis to keep insecure devices off the domestic market.

Pragmatic conclusion. Double compliance is not expected. The Federal Council has signalled that the Swiss regulation will be designed so that EU-CRA-compliant products largely meet the domestic level. Anyone implementing the EU CRA now will cover the expected Swiss obligations to a large extent – and can later actively engage with the consultation. Both regulations are summarised side-by-side on our CRA compliance for Switzerland page.

Market location principle, not bilateral recognition

For many EU regulations, the bilateral treaties between Switzerland and the EU provide for mutual recognition – not so for the CRA. There is no Mutual Recognition Agreement (MRA) comparable to the Machinery Directive. The market location principle (Art. 2(1) CRA) applies: any product made available on the EU single market must be compliant, regardless of where the manufacturer is based.

For an export-driven economy, the stakes are real: more than half of all Swiss goods exports go to the EU; in the MEM industry, embedded and IoT supply chains, and medical technology, the EU share is noticeably higher. Swiss manufacturers are legally treated as third-country manufacturers, with all the associated obligations. This is not a political statement, simply operational reality – and to be handled as such.

Obligations as a third-country manufacturer

Swiss companies distributing products with digital elements in the EU take on obligations that do not apply in the same form to EU-based manufacturers.

Authorised representative in the EU (Art. 26 CRA). Manufacturers based outside the EU appoint an authorised representative in an EU member state in writing. The representative is the point of contact for market surveillance authorities, keeps the technical documentation available for 10 years, and is named on the declaration of conformity and product information. In practice, the role is filled by an EU subsidiary, a specialised service provider, or a long-standing business partner – key is a contractually clean allocation of responsibilities and liability.

Importer obligations (Art. 19 CRA). When a Swiss manufacturer does not sell directly but through an EU importer, that importer takes on additional responsibility. Before placing the product on the market, the importer verifies CRA conformity, the availability of technical documentation, and the proper appointment of the authorised representative. In procurement conversations with EU importers, expect specific evidence requests – including SBOM, declaration of conformity, and patch policy.

CE marking. Like all manufacturers, Swiss manufacturers affix the CE marking before the product enters the EU market. The conformity assessment process is identical to that for EU manufacturers; the documentation additionally names the EU authorised representative.

What belongs on the executive board's agenda now

The path to CRA compliance breaks down into five workstreams that should run in parallel. The order follows operational logic, not formal sequence.

1. Analyse the product portfolio. Which products fall within the CRA scope? Every product with digital elements capable of establishing a direct or indirect data connection to a network. Determine the classification (standard, important Class I/II per Annex III, critical per Annex IV) – this determines the applicable assessment route. A consistent observation from Swiss machinery and electrical businesses: controllers with embedded security functions land in Class I more often than initially assumed.

2. Appoint an authorised representative. If not yet in place, set this up now – an EU subsidiary, a specialised service provider, or an existing distribution partner. Capacity, technical depth, and clean liability arrangements matter. For family businesses with established structures, it is worth looking at auditors or law firms that already manage third-country mandates.

3. Implement technical requirements. The Annex I security requirements apply identically: security by design, no default passwords, encrypted communication, secure update mechanisms, SBOM creation, and vulnerability management. A systematic gap analysis rather than ad-hoc fixes – this reduces effort and creates a documented basis for decisions.

4. Establish reporting processes. From 11 September 2026, actively exploited vulnerabilities must be reported to ENISA within 24 hours (three stages: 24h early warning, 72h full notification, 14d final report). This applies to Swiss manufacturers whose products are on the EU market. A detailed walkthrough of the reporting obligations is available in a separate post.

5. Prepare documentation. Technical documentation, EU declaration of conformity, and SBOM must be available to market surveillance authorities on request – in an official language of the EU member state concerned. For Swiss manufacturers, this typically means German, French, or English; multilingualism is anyway part of the territory. The SME relief measures (Art. 33(5)) allow a simplified format without reducing the security requirements themselves – relevant for many family businesses and mid-sized industrial operations.

Deadlines for Swiss manufacturers

CRA deadlines apply equally to all manufacturers. For planning in Switzerland, the synopsis with the Swiss legislative track is helpful:

DateEvent
10 December 2024EU CRA in force
11 June 2026Notified conformity assessment bodies active
11 September 202624-hour reporting obligation to ENISA begins
Autumn 2026BACS consultation for the Swiss cybersecurity law expected
11 December 2027Full CRA application – all newly placed products must comply

Typical development cycles in Swiss industry – 12 to 24 months plus inventory – make remaining time tight. Products intended to enter the EU market in late 2027 need CRA requirements in the specification today. For existing products, the per-unit principle applies: as long as no substantial modification occurs, no retroactive compliance is needed. Any major update affecting the security architecture, however, triggers a reassessment.

Industry associations and standards: what runs in the background

Companies already working with IEC 62443, ISO 27001, or ETSI EN 303 645 have an operational head start. These standards are expected to form the basis of CRA harmonised norms. Full overlap does not exist – CRA-specific requirements such as the SBOM obligation (Annex I §2), the 24h reporting duty (Art. 14), and the EU declaration of conformity per Annex V are additional.

In the Swiss association landscape, Swissmem, Swico, asut, and the Swiss standards organisation SNV actively follow developments through the European standardisation bodies. Members have short paths to consultation positions and can contribute practical experience. Once BACS opens the consultation on the Swiss regulation, an own submission – directly or through an industry association – is the simplest way to bring sector-specific realities into the legislative process.

Conformity as a prerequisite, not a marketing message

The CRA establishes a common security level across the EU market. For Swiss manufacturers, conformity is primarily a prerequisite for market access, not a differentiator. Demonstrating conformity early and with clean documentation mainly reduces friction in sales: fewer importer queries, shorter audits, less exposure to market withdrawals – and as a result, better delivery reliability, which in many industrial contracts matters more than any marketing statement.

Three points are operationally decisive: a reliable authorised representative in the EU, a maintainable SBOM and vulnerability pipeline, and documentation that holds up to a market surveillance review. Everything else – classification, harmonised standards, SME reliefs – resolves along these three axes. That is the honest answer: not a leap forward, but clean homework with a clear benefit.

How Kunnus supports

Kunnus helps Swiss manufacturers build CRA compliance systematically – from gap analysis through SBOM and vulnerability management to audit-ready documentation. The platform is EU-hosted, addresses third-country manufacturer obligations, and will cover the upcoming Swiss regulation on the same data basis once the consultation defines its shape. We work with family businesses, publicly listed MEM groups, and SMEs with a clearly focused portfolio – the logic stays the same, the scope does not.

Concrete next steps:

Share:

Continue Reading

Ready to tackle CRA compliance?

Kunnus gives manufacturers of every size the tools to achieve full CRA compliance — from SBOM management to ENISA reporting, in one platform.