Society now depends on networked devices for nearly everything—communications from our wrists to the operational technology controlling large manufacturing systems, healthcare delivery, energy production, and space travel. Unfortunately, device manufacturers have often prioritized speed-to-market over device security in many of these areas.
Such economic incentives have exposed everyone to unsecured devices that have proven to be vectors for significant data breaches and disruptions in availability throughout supply chains. By mandating vulnerability disclosures, free security updates through a product's expected lifecycle, and standardized testing for IoT devices, the EU's Cyber Resilience Act (CRA) aims to close the gaps in existing directives like GDPR and NIS2, which lacked product-specific mandates.
Many security experts see the new rules as a necessary boost to connected-device security, realigning economic incentives, and increasingly essential as connected devices control more vital functions in society.
"The CRA is a necessary initiative, as there are still a lot of products both in, and coming to, the market that have cybersecurity as an afterthought," said Jonathan Sword, director at UK-based Agility Cyber.
"It used to be the case that if a product was insecure, it had limited impacts. With more and more devices being connected and often serving a security purpose such as remote monitoring or smart locks, the impacts of a compromise can [now] be substantial. The impacts are even greater if we consider the risk of digital devices being in corporate environments and more sensitive networks," Sword added.
Brian Honan, founder of cybersecurity consultancy BH Consulting, agrees. "The CRA is certainly a good step because while the free market is wonderful overall, it just hasn't worked out that products with adequate security have surfaced to the top," he said.
The CRA was adopted by EU member states in October 2024 and entered partially into force on Dec. 10, 2024, with various requirements becoming mandates incrementally on prescribed dates over time. The CRA sets security standards for connected hardware and software products sold in the EU market, regardless of where they are
Essentially, the CRA requires manufacturers to eliminate known vulnerabilities in products such as smart devices, IoT systems, and software before release while requiring manufacturers to provide free security updates—without delay—for a period determined by the expected lifecycle of the product.
Key provisions—including vulnerability reporting within 24 hours of discovery and secure-by-design development practices—will fully apply by December 2027, with phased-in deadlines for conformity assessments in June 2026 and incident reporting in September 2026. The law also provides for penalties of up to €15 million or 2.5% of global revenue for non-compliance.
The CRA aims to align manufacturer incentives with higher cybersecurity expectations for device and software makers. By holding manufacturers liable for vulnerabilities, even in free software (non-commercial open source software is excepted), the framework pushes firms to prioritize robust security practices over rapid market deployment, balancing innovation with consumer protection.
"The biggest incentive for companies to comply is that, if they don't, they won't be able to sell their product in the EU," said Sword. "The fines are a big stick for companies, but there's not much in terms of a carrot yet; hopefully, the cybersecurity state of devices will be published to help the more secure devices stand out," Sword added.
With the EU Cyber Resilience Act deadlines now set, manufacturers must decide whether they can afford to delay compliance planning and the build-out of the capabilities needed to meet the requirements. Those that are not mature enough risk missing implementation timelines or incurring penalties.
Sword believes more support should be provided to manufacturers so they have a proper framework for building more secure products.
"The key part of making the CRA a success will be to bring companies along on the journey to mature their cyber security stance. It's a perfect opportunity for an educational outreach program, perhaps using the national security bodies of each member state to share tried and tested approaches to cyber security that enable companies to learn without the fear of being pitched to or buying yet another security product to deploy inside their development lifecycle."
The CRA's phased deadlines—starting with conformity assessments in June 2026 and full compliance by December 2027—leave manufacturers with shrinking windows to overhaul product design, vulnerability monitoring, and documentation practices. Delaying preparations risks supply chain bottlenecks, as companies must map software bills of materials (SBOMs), train teams on incident reporting, and integrate cybersecurity into development cycles. This process could take at least a year or more.
"You need to start preparing for it now because you're going to have to look closely at how you manage and deliver digital products, what your supply chain looks like, and how you secure that supply chain," Honan said. "None of that will be quick and easy," he added.
Those companies that have already embraced secure design and development practices will find they're much better positioned to comply fully over the next few years. "If you're developing with security in mind, and if you've built security into your product from the very beginning, and you're doing secure code reviews, and you're checking your supply chain, then you're going to have to bridge a much smaller gap to reach CRA compliance than others," Honan said.
Software and device buyers won't see direct results from the CRA soon. It's going to take years for these security requirements to make connected devices noticeably more secure.
Still, both Honan and Sword are hopeful improvements to device and software security will be coming in time.
"I think the CRA will be more impactful than previous attempts in this area," Sword said. "Prior legislation has been opt-in and best practice-based, which often meant the majority of products did not adhere to the guidance, as commercial priorities outweighed cyber security."
Honan is also bullish in the long term: "I do see the CRA having a very positive impact on device and software security. I've been beating the drum for many years that we need better regulations in cybersecurity to make our products more secure and help make the world a more secure place."
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.