CRA Compliance for Swiss Manufacturers
Over 60% of Swiss exports go to the EU. Without CRA compliance, your EU market access is at risk. Kunnus is the platform that manages your compliance, tracks your products, and gets you audit-ready.
Swiss manufacturers are doubly affected
EU Cyber Resilience Act (CRA)
Any product with digital elements sold on the EU single market must be CRA-compliant by December 2027 — regardless of where the manufacturer is based. Swiss exporters are fully in scope.
Swiss Cybersecurity Audits (Motion 24.3810)
The Swiss Federal Council must propose its own cybersecurity regulation for digital products by autumn 2026 — closely aligned with the EU CRA.
More at National Cyber Security Centre NCSC
Act now, comply once
Companies that prepare for the EU CRA today will be well-positioned for the upcoming Swiss regulation. Kunnus will cover both with a single platform.
Challenges Swiss exporters face today
- No centralized view of CRA readiness across your product portfolio
- SBOM management via Excel — not scalable for EU conformity assessment
- Manual vulnerability monitoring across CVE databases and advisories
- Compliance evidence scattered across teams, tools, and emails
- Unclear how Motion 24.3810 will differ from the EU CRA
Kunnus solves all of this — see it live in 15 minutes.
Built for Swiss export industries
See Kunnus live — in 15 minutes
What happens after you request a demo
We confirm
You'll receive a confirmation email within minutes.
We prepare
Our team reviews your products, export markets, and compliance needs.
15-min demo
A personalized walkthrough of Kunnus tailored to Swiss manufacturers.
What Kunnus does for you
Product Inventory
Manage your entire product portfolio. Classify products per CRA risk categories automatically.
SBOM Management
Import, analyze, and track Software Bills of Materials in CycloneDX and SPDX formats.
Vulnerability Tracking
Automated detection with SLA tracking and ENISA 24h notification support.
Audit-Ready Reports
One-click self-assessment reports. Export audit packages for EU conformity assessment bodies.
The clock is ticking — for both regulations
EU CRA reporting obligations start — 24h vulnerability reporting to ENISA
The Swiss Federal Council presents its own cybersecurity regulation for digital products
Full EU CRA compliance required — all products must meet requirements
Swiss cybersecurity law expected to take effect — compliance obligations begin
EU non-compliance: up to €15M or 2.5% of global annual turnover
CRA Relief for Swiss SMEs
As a micro or small enterprise, you benefit from targeted CRA exemptions: fine exemption for late early warnings, simplified documentation, dedicated helpdesks, and priority sandbox access. These apply to all EU market participants — including Swiss exporters.
All 8 relief measures in detail
FAQ for Swiss Manufacturers
Does the EU Cyber Resilience Act apply to Swiss manufacturers without an EU presence?
Yes. The CRA follows the market location principle (Art. 2(1)): any product with digital elements made available on the EU market falls within scope — regardless of where the manufacturer is based. Swiss manufacturers must appoint an authorised representative in an EU member state (Art. 26). The representative is the point of contact for market surveillance authorities and must retain the technical documentation for 10 years.
Does inventory produced in 2026 need to be patched before shipping in 2028?
Yes. The CRA applies per individual unit at the time of placing on the market (Art. 13(8), Annex I §2(a)). A device manufactured in 2026 and shipped in 2028 must be free of known actively exploited vulnerabilities at the moment of shipment. For Swiss machine builders with 12–24 month inventory cycles, this means every individual serial number requires its own up-to-date patch status — manual Excel tracking does not scale.
Is IEC 62443 or ISO 27001 enough as CRA preparation?
Both are strong foundations but do not fully cover the CRA. Specifically missing: SBOM obligation (Annex I §2), 24-hour notification of actively exploited vulnerabilities to ENISA (Art. 14), EU Declaration of Conformity per Annex V, and product-specific risk assessment. Harmonised CRA standards will likely build on IEC 62443 and ETSI EN 303 645 — investments in these standards are not lost, but need targeted extension.
When does our cloud application (SaaS) become a regulated CRA product?
A cloud application falls within CRA scope as a Remote Data Processing Solution (RDPS) per Art. 3(2) when it is an integral part of the product function — for example an app controlling a machine, or a backend without which a connected device cannot perform its main function. Standalone web apps or SaaS platforms without hardware coupling remain outside CRA scope (but may fall under NIS2 or data protection law).
We are a Swiss SME with fewer than 50 employees — are there reliefs?
Yes. Art. 33(5) allows simplified technical documentation for micro-enterprises (<10 staff, ≤€2M turnover) and small enterprises (<50 staff, ≤€10M). Additionally: exemption from fines for late 24h early warnings, reduced conformity assessment fees, CSIRT helpdesks and priority sandbox access. Important: The security requirements in Annex I are not reduced — only the procedural burden.
Who is liable when an EU importer distributes our Swiss product?
Shared responsibility. The EU importer must verify before placing on the market that CRA conformity is in place, that technical documentation is available, and that the manufacturer has appointed an authorised representative (Art. 19). Violations may be sanctioned for both importer and Swiss manufacturer — fines up to €15M or 2.5% of global annual turnover. EU importers increasingly require CRA evidence before adding products to their portfolio.
What will Motion 24.3810 bring for Switzerland?
The Swiss Federal Council was mandated to propose its own cybersecurity regulation for digital products by autumn 2026 — closely aligned with the EU CRA. The Swiss law will be a safety net for the domestic market, not a delay for the EU export obligation. Anyone selling into the EU from December 2027 must implement the EU CRA today. Those who implement the EU CRA will largely be prepared for the upcoming Swiss equivalent.
How does the 24-hour ENISA notification work from Switzerland?
From 11 September 2026: when an actively exploited vulnerability affects a product placed on the EU market, manufacturers must notify ENISA directly (Art. 14). Three-stage process: 24h early warning, 72h full notification, 14d final report. The EU authorised representative supports but is not the primary reporting channel — the deadline applies to the manufacturer itself. A Single Reporting Platform operated by ENISA will bundle notifications from 2026.
Which of our products fall into a higher CRA risk class?
Annex III defines important products (Class I and II), Annex IV defines critical products. Class I includes firewalls, VPN software, microcontrollers with security functions, identity management components. Class II covers hypervisors, PKI solutions, IoT security gateways. Swiss industrial products — particularly machine controllers with embedded security functions — land in Class I more often than expected. Classification should be product-specific during conformity assessment.
What does CRA compliance cost without automated tooling?
For a mid-sized Swiss product portfolio (10–30 variants), manual effort typically runs 3–5 FTE-years for initial compliance, plus ongoing vulnerability monitoring with 24-hour response deadlines. With automated SBOM management, vulnerability tracking and audit documentation, this reduces to 0.2–1 FTE — with higher audit certainty. Methodology with sources and assumptions: https://kunnus.tech/en/methodology.