Cyber Resilience Act (CRA)
What is the Cyber Resilience Act?
With the Cyber Resilience Act (Regulation EU 2024/2847), the European Union is introducing mandatory requirements for cybersecurity in products with digital elements. Products with digital elements are defined as all products that can be networked or communicate with other devices.
From September 11, 2026, vulnerabilities must be reported to the European authority ENISA. From December 2027, new products must meet all CRA requirements. Manufacturers who do not comply with the CRA risk market exclusion and heavy fines (up to €15 million or 2.5% of turnover).
What exactly does the CRA mandate?
| Requirement | Implications |
| --- | --- |
| Security by Design | Security risks must be identified and taken into account as early as the concept phase/development stage. |
| Vulnerability Management | Systematic detection, assessment, and remediation of security vulnerabilities, including those in open-source or third-party components used. |
| SBOM | A complete list of all software components contained in a product, including the respective version numbers, must be created. |
| Secure Update | Relevant security updates have to be provided over the lifetime of a product (minimum of 5 years). |
| Reporting obligation | If a security vulnerability in the product is actively exploited and detected, it must be reported to the relevant authorities within 24 hours (effective September 2026). |
| Technical Documentation | Proof of conformity to authorities and market surveillance; basis for CE marking. |
Which Products are affected?
The CRA applies to all “products with digital elements”, which include:
- IoT devices
- Industrial control systems
- Network devices
- Software and operating systems
- Applications and products containing networking or communication interfaces
Not affected are:
- Non-commercially distributed open-source software
- Specific product categories such as medical, defense and aerospace
- Legacy products which have been placed on the market* before 2027, and to which no substantial changes are made
*Placing on the market: First time each single product is supplied for distribution, consumption or use in the course of commercial activity, whether in return for payment or free of charge.
The affected products are classified in the following categories:
Does the CRA also apply to Swiss companies?
Yes, the relevant market determines this, not the company’s location. Any company that brings products with digital elements onto the EU market or distributes them must comply with the CRA requirements. For many Swiss SMEs in the electro-mechanical and plant engineering sector that have customers in the EU, the CRA is therefore directly relevant.
In addition, Switzerland is planning its own CRA-oriented legislation — establishing compliance structures at an early stage pays off twice.
Common challenges for companies
- Unclear regulatory requirements
- Lack of expertise within the team
- Time pressure during implementation
- Fear of high audit costs and liability risks
We support you in making the topic tangible and help you revise your products and applications in accordance with CRA guidelines.
How Sotronik can help
We are an engineering firm with over 25 years of experience in embedded systems, firmware, and industrial communication—precisely the areas where CRA requirements such as security by design, SBOM, and vulnerability management become most concrete.
For us, cybersecurity in embedded products is not an isolated compliance issue, but an extension of our existing engineering expertise. We are systematically expanding this knowledge and providing our customers with pragmatic support: We work with you to analyze where your product stands today, identify what the CRA specifically requires of you — and help where we can add the most value.
Not sure if your product is affected?
Talk to us. In a short initial consultation, we will clarify together whether and to what extent the CRA is relevant for your products—free of charge and without obligation.