Switzerland is not an EU member – yet the Cyber Resilience Act (CRA) directly affects Swiss manufacturers. Every product with digital elements sold on the EU market must meet CRA requirements. For Switzerland's export-oriented industry, this means: if you want to continue selling into the EU, you need to act now.
Why the CRA Applies to Swiss Companies
The CRA is an EU regulation that applies directly across all 27 member states. Switzerland does not need to transpose it into national law – but that is irrelevant for Swiss manufacturers. What matters is: the CRA regulates the EU single market. Every product placed on the EU market must be compliant – regardless of where it was manufactured.
This is particularly significant for Switzerland because the EU is by far its most important trading partner. Around 44 percent of all Swiss exports go to the EU. In the area of digital products – from industrial controllers through medical technology to IoT devices – the dependency on the EU market is even more pronounced.
Unlike some other EU regulations, there are no bilateral agreements between Switzerland and the EU that would provide mutual recognition for the CRA. Swiss manufacturers are legally treated as third-country manufacturers. This has concrete implications for their obligations.
Special Obligations for Third-Country Manufacturers
Swiss companies distributing products with digital elements in the EU must observe several additional requirements that do not apply to EU-based manufacturers.
Authorized representative in the EU. Manufacturers based outside the EU must appoint an authorized representative in an EU member state. This representative serves as the contact point for market surveillance authorities and bears certain obligations. The appointment must be made in writing, and the representative must be named on the declaration of conformity and product information.
Importer obligations. When a Swiss manufacturer does not sell directly to end customers in the EU but through an EU-based importer, that importer assumes additional responsibility. The importer must verify that the product meets CRA requirements and that the necessary technical documentation is available. In practice, EU importers will increasingly demand proof of CRA conformity before adding products to their portfolio.
CE marking. Swiss manufacturers must – like all manufacturers – affix the CE marking before the product enters the EU market. The conformity assessment process is identical to that for EU manufacturers, but the documentation must name the EU authorized representative.
What Swiss Manufacturers Must Do Now
The path to CRA compliance can be organized into five action areas that Swiss companies should tackle in parallel.
1. Analyze your product portfolio. Identify all products that fall within the CRA scope. This covers every product with digital elements that can establish a direct or indirect data connection to a network. Clarify product classification (standard, important Class I/II, critical), as this determines the required assessment procedure.
2. Appoint an authorized representative. If you do not yet have an authorized representative in the EU, you should appoint one now. This can be your own subsidiary in the EU, a specialized service provider, or an existing business partner willing to take on the role. Ensure the representative has the necessary capacity and technical understanding.
3. Implement technical requirements. CRA security requirements apply identically to Swiss manufacturers: security by design, no default passwords, encrypted communication, secure update mechanisms, SBOM creation, and vulnerability management. Systematically review which requirements your products already meet and where gaps exist.
4. Establish reporting processes. From September 2026, actively exploited vulnerabilities must be reported to ENISA within 24 hours. This applies to Swiss manufacturers whose products are on the EU market. Set up a process that ensures detection, assessment, and reporting within this timeframe.
5. Prepare documentation. The technical documentation, EU declaration of conformity, and SBOM must be available for market surveillance authorities upon request. Documentation must be available in an official language of the EU member state where the product is distributed – in practice, usually German, French, or English.
Deadlines for Swiss Manufacturers
CRA deadlines apply equally to all manufacturers, regardless of company headquarters. From September 2026, the obligation to report actively exploited vulnerabilities takes effect. From December 2027, all newly placed products must be fully CRA-compliant.
Given the development cycles of many Swiss industrial products – often 12 to 24 months – time is short. Products intended to enter the EU market by late 2027 must incorporate CRA requirements in their development now.
For existing products: as long as no substantial modification occurs, they do not need to be retroactively made CRA-compliant. However, any major update affecting the security architecture triggers a reassessment.
Swiss Standards and International Frameworks as a Bridge
Swiss companies already working with international standards such as IEC 62443, ISO 27001, or ETSI EN 303 645 have a head start. These standards are expected to serve as the basis for CRA harmonized standards. However, full alignment does not exist – CRA-specific requirements like the SBOM obligation, reporting duties, and the EU declaration of conformity must be addressed separately.
The Swiss standards organization SNV is following CRA developments and participating through European standardization organizations in developing relevant standards. Swiss manufacturers should actively monitor these developments and incorporate them into their implementation plans early.
The CRA as an Opportunity for Swiss Quality
The CRA establishes a common security level for the entire EU market. For Swiss manufacturers who traditionally emphasize quality and reliability, this can be a competitive advantage. Those who can demonstrate CRA compliance early position themselves as trustworthy suppliers – especially compared to competitors from countries with lower security standards.
Kunnus supports Swiss manufacturers in building CRA compliance systematically – from gap analysis through SBOM management to complete documentation. Our platform is designed to make the entire process efficient, including for companies that must fulfill additional requirements as third-country manufacturers.
Take the first step: Our free CRA readiness assessment shows you in just a few minutes where your company stands and which measures you should prioritize for EU export.