Article 13 of the Cyber Resilience Act (CRA) defines the core manufacturer obligations that must be implemented across the entire lifecycle of products with digital elements.
While the CRA establishes a comprehensive regulatory framework for cybersecurity, this article focuses specifically on manufacturer obligations under Article 13, which go beyond conformity assessment and require manufacturers to establish structured cybersecurity processes, documentation, and lifecycle management practices.
For a broader overview of the regulation, see our CRA Essential Guide.
For incident and vulnerability reporting requirements under Article 14, see our CRA Reporting Obligations article.
For guidance on how to implement these obligations, explore our CRA Compliance Services.
The Cyber Resilience Act represents a significant shift for manufacturers, introducing lifecycle cybersecurity responsibilities that go far beyond traditional compliance approaches.
Key challenges include:
This reflects a core principle of the CRA: cybersecurity is not a one-time requirement, but an ongoing operational responsibility for manufacturers.
Manufacturers must ensure that products comply with the essential cybersecurity requirements defined in Annex I of the CRA.
A key element is the cybersecurity risk assessment, which must be performed before placing a product on the market and maintained throughout its lifecycle.
This assessment must:
It must also clearly document:
This ensures that cybersecurity is embedded from design to end-of-life, rather than treated as a one-off requirement.
Manufacturers must exercise due diligence when integrating third-party components, such as:
These components must not compromise the cybersecurity of the final product.
When vulnerabilities are identified, manufacturers must:
Additionally, manufacturers must establish structured vulnerability handling processes, including:
These processes must handle both internally detected issues and externally reported vulnerabilities.
Incident and vulnerability reporting obligations are defined separately under Article 14 (see our CRA Reporting Obligations article).
The CRA requires manufacturers to ensure that vulnerabilities are effectively addressed throughout a defined support period. The support period must reflect the expected product lifetime and, in general, must be at least five years, unless the intended use of the product justifies a shorter duration.
Manufacturers must:
The support period must reflect:
Manufacturers must ensure that security updates remain available for an extended period, typically at least 10 years or for the duration of the defined support period.
The CRA also promotes secure-by-default configurations and continuous updates as essential cybersecurity practices.
Manufacturers must prepare and maintain technical documentation demonstrating compliance with CRA requirements.
This includes:
Technical documentation requirements are further detailed in Article 31 and Annex VII of the CRA, while information and instructions to users are defined in Annex III.
The Software Bill of Materials (SBOM), as part of technical documentation, will be explored in detail in a dedicated article.
Documentation must:
In addition, manufacturers must provide users with clear instructions and information regarding:
Technical documentation plays a critical role in ensuring traceability and accountability across the product lifecycle.
The CRA also establishes obligations related to product traceability and communication.
Manufacturers must:
Before placing a product on the EU market, manufacturers must conduct a conformity assessment to demonstrate compliance with CRA requirements.
Once compliance is confirmed:
Manufacturers must also:
Depending on the product category, different compliance routes may apply, including self-assessment or third-party evaluation through notified bodies.
When manufacturers release substantially modified versions of software products, they may choose to maintain compliance only for the latest version, provided that:
Manufacturers may also maintain public archives of historical software versions, but users must be clearly informed about the risks of using unsupported software.
Meeting Cyber Resilience Act manufacturer obligations requires both regulatory understanding and technical expertise.
Applus+ Laboratories supports manufacturers across the full compliance journey:
Not sure where your organization stands today? Complete our CRA Readiness Questionnaire to assess your current level of compliance and identify the next steps in your CRA journey.
These services enable manufacturers to:
To learn how to implement these obligations step by step, explore our CRA Compliance Services.
Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.
They allow the operation of the website, loading media content and its security. See the cookies we store in our Cookies Policy.
They allow us to know how you interact with the website, the number of visits in the different sections and to create statistics to improve our business practices. See the cookies we store in our Cookies Policy.
Based on your behavior on the website (where you click, how long you browse, etc.) we establish parameters and a profile for you to display ads that correspond to your interests. See the cookies we store in our Cookies Policy.