Did you buy a “smart” lamp, a smartwatch, or a baby camera? They're probably running on firmware that was never updated, with an “admin123” password that was never changed. That's about to end. The EU's Cyber Resilience Act (CRA) forces manufacturers to think about security before putting a product on the market, and to support it throughout its entire lifecycle.
📜 What Is the Cyber Resilience Act?
The Cyber Resilience Act is European Union legislation that establishes mandatory security requirements for every product with digital elements sold in the EU. From the simplest USB stick to the most complex industrial controller, everything must meet specific standards.
The timeline runs in four stages: the European Commission presents the proposal; Parliament and Council reach political agreement; the regulation is published in the Official Journal, which starts the transitional period; and finally full enforcement begins, after which non-compliant products are banned.
🎯 Which Products Are Covered
The CRA has a very broad scope. It covers almost every device or software that connects—directly or indirectly—to a network. This includes:
Exceptions: Medical devices, automobiles, and aviation products are covered by separate legislation. Additionally, open source software without commercial activity is exempt.
⚖️ Manufacturer Obligations
The CRA shifts security responsibility from consumers to manufacturers. Companies must design with security in mind from the start—not “patch it” later. The key obligations:
Security by Design
Security must be built in from the design phase, not added on. This means threat modeling, secure coding practices, and penetration testing before release.
Security Updates for 5+ Years
Manufacturers are required to provide security updates for at least 5 years or the expected product lifetime—whichever is longer.
Vulnerability Reporting Within 24 Hours
When an actively exploited vulnerability is discovered, the manufacturer must notify ENISA within 24 hours. No more months of silence.
Documentation & SBOM
Every product must include a Software Bill of Materials (SBOM)—a list of all components and libraries it uses, so vulnerabilities can be quickly identified.
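The reason an SBOM lets vulnerabilities be "quickly identified" is that it can be matched mechanically against an advisory feed. The script below, an added example rather than code from the article or from any vendor, does exactly that: it reads a small constructed SBOM in the CycloneDX JSON layout (bomFormat, components, purl), compares each component's version against a constructed list of affected version ranges, and reports the matches. The SBOM contents, the advisory entries and their IDs are all made up for the demonstration; a real check would read the manufacturer's SBOM and a real vulnerability database.

```python
"""Cross-reference a CycloneDX-style SBOM against a vulnerability list.

Added example for this article, not code from the article or any vendor.
Both inputs below are constructed sample data so the script runs offline.
"""
import json

# Constructed sample SBOM in CycloneDX JSON layout (not a real product's BOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:generic/busybox@1.36.1"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
    ],
})

# Constructed advisory feed: each entry names a component and the version
# range it affects (inclusive "introduced", exclusive "fixed").
# The IDs are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "openssl",
     "introduced": "1.1.1", "fixed": "1.1.1k"},
    {"id": "ADVISORY-PLACEHOLDER-3", "component": "busybox",
     "introduced": "1.30.0", "fixed": "1.35.0"},
]


def version_key(version):
    """Turn '1.2.11' or '1.1.1k' into a tuple that compares correctly.

    Each dotted piece becomes (number, letter_suffix); the suffix handles the
    old OpenSSL 1.x scheme where 1.1.1k is newer than 1.1.1. Missing pieces
    are padded with (0, "") so '1.2' and '1.2.0' compare equal.
    """
    parts = []
    for piece in version.split("."):
        digits, suffix = "", ""
        for ch in piece:
            if ch.isdigit() and not suffix:
                digits += ch
            else:
                suffix += ch
        parts.append((int(digits) if digits else 0, suffix))
    while len(parts) < 4:
        parts.append((0, ""))
    return tuple(parts)


def load_components(sbom_json):
    """Return [(name, version), ...] from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under version_key ordering."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return [(component, version, advisory_id), ...] for every match."""
    hits = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["component"] == name and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable_components(
            SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

With the sample data only zlib 1.2.11 falls inside an affected range; openssl 1.1.1k is exactly the fixed version and busybox 1.36.1 is past its range, so neither is reported. That distinction is what an SBOM plus a version-aware comparison gives you that a plain list of component names cannot.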
🎁 What We Gain as Consumers
🔒 More Secure Devices
No more default passwords like “0000” and open ports. Devices will come with strong encryption, unique passwords, and an enabled firewall out of the box.
📅 Long-Term Support
That cheap IP camera you bought won't become “orphaned” after 6 months. It will receive updates for years, protecting your home long-term.
📋 Transparency
You'll know exactly what software is running, what data is collected, and how long the device will be supported—before you buy it.
⚡ Faster Response
When a security issue is discovered, the fix will arrive in days, not months. And you'll be notified immediately.
⚠️ What Happens If They Don't Comply?
The CRA has teeth. The penalties are designed to hurt even the biggest market players:
Fines for serious violations: a fixed fine or 2.5% of global turnover, whichever is higher.
Fines for other violations: a fixed fine or 2% of global turnover, whichever is higher.
Sales ban: non-compliant products will not be sold in the EU.
💡 What You Should Do Now as a Consumer
Check the Support
Before buying, ask: how many years will the device receive updates?
Choose Well-Known Brands
Major manufacturers will comply first.
Enable Auto-Updates
Automatic updates are the best defense.
Retire Old Devices
If they no longer receive updates, disconnect them from the network.
The Cyber Resilience Act is not just another EU bureaucratic regulation. It is a fundamental shift in how digital products are designed, manufactured, and supported. For the first time, manufacturers will be forced to think about security from the start—and to support it long-term.
For us consumers, this means safer homes, more reliable devices, and fewer worries about whether our security camera could become a spying tool. The change is coming—and this time, it's in our favor.
OnOff Policy Team
We monitor European legislation and explain how it affects the technology you use.