Cyber Resilience Act Manufacturer Requirements and Obligations

23/06/2026

    What Are the Cyber Resilience Act Manufacturer Obligations?

    Article 13 of the Cyber Resilience Act (CRA) defines the core manufacturer obligations that must be implemented across the entire lifecycle of products with digital elements.

    While the CRA establishes a comprehensive regulatory framework for cybersecurity, this article focuses specifically on manufacturer obligations under Article 13, which go beyond conformity assessment and require manufacturers to establish structured cybersecurity processes, documentation, and lifecycle management practices.

    For a broader overview of the regulation, see our CRA Essential Guide.
    For incident and vulnerability reporting requirements under Article 14, see our CRA Reporting Obligations article.

    For guidance on how to implement these obligations, explore our CRA Compliance Services.
     

    Why CRA Manufacturer Obligations Are Challenging

    The Cyber Resilience Act represents a significant shift for manufacturers, introducing lifecycle cybersecurity responsibilities that go far beyond traditional compliance approaches.

    Key challenges include:

    • Managing cybersecurity across the entire product lifecycle, from design to post-market support.
    • Ensuring secure integration of third-party components, including open-source software.
    • Maintaining continuous vulnerability monitoring and response processes.
    • Aligning with evolving harmonized standards and regulatory expectations.
    • Providing long-term security updates and support commitments.

    This reflects a core principle of the CRA: cybersecurity is not a one-time requirement, but an ongoing operational responsibility for manufacturers. 

    CRA Essential Cybersecurity Requirements and Risk Assessment

    Manufacturers must ensure that products comply with the essential cybersecurity requirements defined in Annex I of the CRA. 

    A key element is the cybersecurity risk assessment, which must be performed before placing a product on the market and maintained throughout its lifecycle.

    This assessment must:

    • Analyze cybersecurity risks based on the product’s intended purpose.
    • Consider reasonably foreseeable use and misuse.
    • Evaluate the operational environment and protected assets.
    • Take into account the expected product lifetime.

    It must also clearly document:

    • How essential requirements apply to the product.
    • How they are implemented.
    • How vulnerability management requirements are addressed.

    This ensures that cybersecurity is embedded from design to end-of-life, rather than treated as a one-off requirement.

    Vulnerability Handling and Due Diligence under the CRA

    Manufacturers must exercise due diligence when integrating third-party components, such as:

    • Commercial software.
    • Open-source software.
    • Hardware modules.

    These components must not compromise the cybersecurity of the final product.

    When vulnerabilities are identified, manufacturers must:

    • Report them to the component maintainer.
    • Implement remediation measures.
    • Share fixes or mitigation guidance where appropriate.

    Additionally, manufacturers must establish structured vulnerability handling processes, including:

    • Continuous monitoring of vulnerabilities.
    • Documentation of cybersecurity issues.
    • Updating risk assessments when necessary.
    • Coordinated vulnerability disclosure policies.

    These processes must handle both internally detected issues and externally reported vulnerabilities.

    Incident and vulnerability reporting obligations are defined separately under Article 14 (see our CRA Reporting Obligations article).

    Security Updates and Support Period Requirements

    The CRA requires manufacturers to ensure that vulnerabilities are effectively addressed throughout a defined support period. The support period must reflect the expected product lifetime and, in general, must be at least five years, unless the intended use of the product justifies a shorter duration. 

    Manufacturers must:

    • Provide ongoing security updates.
    • Ensure updates remain available over time.
    • Clearly communicate the support period to users.

    The support period must reflect:

    • The expected product lifetime.
    • User expectations.
    • The intended use of the product.
    • Applicable regulatory requirements.

    Manufacturers must ensure that security updates remain available for an extended period, typically at least 10 years or for the duration of the defined support period.

    The CRA also promotes secure-by-default configurations and continuous updates as essential cybersecurity practices. 

    CRA Technical Documentation and Information Requirements

    Manufacturers must prepare and maintain technical documentation demonstrating compliance with CRA requirements. 

    This includes:

    • The cybersecurity risk assessment.
    • Documentation of security controls.
    • Product design and development information (including SBOM where applicable).

    Technical documentation requirements are further detailed in Article 31 and Annex VII of the CRA, while information and instructions to users are defined in Annex III.

    The Software Bill of Materials (SBOM), as part of technical documentation, will be explored in detail in a dedicated article.

    Documentation must:

    • Be available to market surveillance authorities upon request.
    • Be retained for at least 10 years or the duration of the support period.

    In addition, manufacturers must provide users with clear instructions and information regarding:

    • Secure use of the product.
    • Security updates.
    • Known risks.

    Technical documentation plays a critical role in ensuring traceability and accountability across the product lifecycle. 

    Product Identification and Manufacturer Responsibilities

    The CRA also establishes obligations related to product traceability and communication.

    Manufacturers must:

    • Ensure products are clearly identifiable (e.g. type, batch, or serial number).
    • Provide their name, address, and contact details.
    • Designate a single point of contact for cybersecurity issues and vulnerability reporting.

    EU Declaration of Conformity and CE Marking under the CRA

    Before placing a product on the EU market, manufacturers must conduct a conformity assessment to demonstrate compliance with CRA requirements.

    Once compliance is confirmed:

    • An EU Declaration of Conformity must be issued.
    • The product must bear the CE marking.

    Manufacturers must also:

    • Ensure continued compliance for products produced in series.
    • Retain documentation and conformity evidence.
    • Cooperate with market surveillance authorities.

    Depending on the product category, different compliance routes may apply, including self-assessment or third-party evaluation through notified bodies. 

    When manufacturers release substantially modified versions of software products, they may choose to maintain compliance only for the latest version, provided that:

    • users can access the latest version free of charge.
    • users do not need to upgrade their hardware or environment.

    Manufacturers may also maintain public archives of historical software versions, but users must be clearly informed about the risks of using unsupported software.

    How Applus+ Helps Manufacturers Meet CRA Requirements

    Meeting Cyber Resilience Act manufacturer obligations requires both regulatory understanding and technical expertise.

    Applus+ Laboratories supports manufacturers across the full compliance journey:

    Not sure where your organization stands today? Complete our CRA Readiness Questionnaire to assess your current level of compliance and identify the next steps in your CRA journey.

    These services enable manufacturers to:

    • Reduce regulatory risk.
    • Avoid rework and delays.
    • Align with CRA requirements early.

    To learn how to implement these obligations step by step, explore our CRA Compliance Services.
     

    Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.

    Cookie settings panel