
EU Cyber Resilience Act — Industry Guides

How the CRA applies to your specific sector — classification, key obligations, CVD requirements, Article 14 reporting, and conformity assessment pathways. Deadline: September 2026.

50 industries covered · 14 sectors · Free to use · No signup required

Automotive & Transport

Automotive OEMs & Tier-1 Suppliers

Automotive OEMs and Tier-1 suppliers placing connected electronic control units, telematics modules, or in-vehicle infotainment systems on the EU market must comply with the EU Cyber Resilience Act by September 2026. Products with safety-critical network interfaces typically fall under Class I, requiring third-party conformity assessment. CVD Portal provides the vulnerability disclosure infrastructure mandated by Article 13.

Article 13 · Article 14 · Annex I

Connected Vehicle Platform & V2X Vendors

Vendors of connected vehicle telematics platforms, vehicle-to-everything (V2X) communication units, and fleet management systems sold into the EU market face CRA obligations as manufacturers of products with digital elements. The automotive sector's adoption of UNECE WP.29 Regulation 155 (vehicle cybersecurity) creates a parallel regulatory framework for type-approved vehicle systems, but aftermarket and fleet connectivity products outside the type approval scope are fully subject to the CRA. Vendors must navigate the boundary between type-approved vehicle systems and CRA-regulated aftermarket products carefully.


Fleet Management & Telematics Vendors

Fleet management and telematics vendors placing OBD dongles, connected vehicle gateways, tachograph interface hardware, and fleet management software on the EU market must comply with the EU Cyber Resilience Act by September 2026. Telematics hardware that connects to vehicle CAN bus systems or transmits location and operational data via cellular networks is classified as Important Class I, given its direct interface with vehicle systems and the sensitivity of the operational data it processes.


Healthcare

Connected Laboratory Instrument Manufacturers

Manufacturers of connected laboratory instruments — including mass spectrometers, chromatography systems, automated liquid handlers, and scientific imaging systems with network interfaces — must comply with the CRA for their EU-market products. Laboratory instruments increasingly integrate with LIMS platforms, cloud data repositories, and remote diagnostic services, creating network exposure that the CRA directly addresses. Manufacturers must establish vulnerability disclosure programmes, maintain SBOMs for complex instrument software stacks, and implement Article 14 notification procedures.


Electronic Health Record & Clinical IT Vendors

Electronic health record (EHR) and clinical IT vendors selling software to EU healthcare providers face obligations under both the CRA and the emerging European Health Data Space (EHDS) regulation. EHR systems are critical healthcare infrastructure — their compromise directly affects patient safety, treatment continuity, and the confidentiality of some of the most sensitive personal data categories under GDPR. Ransomware attacks on hospital EHR systems have repeatedly caused patient harm through care disruption, making CRA compliance an urgent clinical safety matter as well as a regulatory obligation.


Healthcare IT & Clinical Software Vendors

Healthcare IT and clinical software vendors providing electronic health record systems, clinical decision support software, hospital information systems, laboratory information management systems, and health data integration platforms to EU healthcare organisations must comply with the EU Cyber Resilience Act by September 2026. Software products that connect to clinical networks, process patient data, or integrate with medical devices are within CRA scope and typically classified as Important Class I.


Home Health Monitoring Device Manufacturers

Manufacturers of connected home health devices — including blood pressure monitors, pulse oximeters, blood glucose meters, and smart scales with network connectivity — must comply with the CRA in addition to any applicable Medical Device Regulation requirements. These devices collect sensitive physiological data in consumer home environments and must meet stringent security-by-design standards. The consumer deployment context means that usability and security must be engineered together, with automatic update mechanisms and clear end-of-support policies particularly important.


Medical Device Manufacturers

Medical device manufacturers placing connected devices on the EU market face overlapping obligations under both the EU Medical Device Regulation (MDR) and the EU Cyber Resilience Act. Software as a Medical Device (SaMD) and hardware devices with network interfaces are subject to CRA requirements that run in parallel with MDR cybersecurity guidance. Class I classification is likely for devices processing patient data or connected to clinical networks.


Pharmaceutical Manufacturing Automation Vendors

Pharmaceutical manufacturing automation vendors — supplying SCADA systems, batch management software, process analytical technology (PAT) platforms, and manufacturing execution systems (MES) to EU pharmaceutical manufacturers — must comply with the CRA for their products. The intersection of CRA cybersecurity requirements and EU GMP computerised systems validation (CSV) obligations creates a dual compliance framework that demands careful coordination between security and validation activities. CRA non-compliance by automation vendors directly threatens their customers' GMP compliance status and product supply security.


Point-of-Care Diagnostics & IVD Manufacturers

Point-of-care diagnostic and in vitro diagnostic (IVD) manufacturers placing network-connected diagnostic instruments and software on the EU market face obligations under both the IVDR (2017/746) and the CRA. Connected blood analysers, point-of-care PCR systems, and laboratory information management interfaces that transmit test results electronically are products with digital elements. The interaction between IVDR conformity assessment and CRA requirements creates dual compliance obligations that must be carefully managed across product development and post-market activities.


Telemedicine & Remote Patient Monitoring Vendors

Telemedicine platforms and remote patient monitoring (RPM) devices face dual regulatory obligations under both the EU Medical Device Regulation (MDR 2017/745) and the CRA. Vendors must determine precisely which components qualify as medical devices under MDR and which are standalone software or connectivity products subject to the CRA independently. Security failures in RPM devices — which transmit real-time physiological data from patients' homes — carry both patient safety and data protection consequences, making robust security engineering a clinical as well as regulatory obligation.


Industrial & Manufacturing

Chemical & Process Plant Automation Vendors

Chemical and process plant automation vendors supplying distributed control systems (DCS), safety instrumented systems (SIS), and process SCADA platforms to EU chemical manufacturers face the highest tier of CRA obligations, given the catastrophic potential consequences of automation system failure in chemical production environments. The intersection of CRA cybersecurity requirements with Seveso III Directive major accident prevention obligations creates a complex dual regulatory framework. CRA compliance for chemical automation vendors is not only a market access requirement but a fundamental component of major hazard risk management.


Facilities Management & CAFM System Vendors

Vendors of computer-aided facilities management (CAFM) software, integrated workplace management systems (IWMS), and IoT-connected building maintenance platforms sold to EU customers are manufacturers of products with digital elements under the CRA. CAFM systems increasingly integrate with building management systems, access control, energy management, and workplace sensor networks — creating complex connected architectures that must be secured under Annex I. Vendors must establish CVD programmes and incident notification capabilities by September 2026.


Food & Beverage Automation System Vendors

Food and beverage automation vendors supplying SCADA systems, batch controllers, filling line automation, and quality control inspection systems to EU food manufacturers must comply with the CRA as manufacturers of products with digital elements. The food industry's increasing connectivity — driven by Industry 4.0 adoption and supply chain traceability requirements — significantly expands the attack surface that must be addressed under Annex I. Ransomware attacks on food processing plants have demonstrated the severe operational consequences of inadequate OT security.


HVAC & Climate Control Manufacturers

HVAC and climate control manufacturers placing networked heating, ventilation, air conditioning, and refrigeration systems on the EU market must comply with the EU Cyber Resilience Act by September 2026. Connected HVAC controllers, building management system (BMS) integration gateways, and smart thermostats are products with digital elements. Industrial HVAC systems integrated into building automation networks face Important Class I classification; residential smart thermostats are typically Default Class.


Industrial Automation & PLC Vendors

Industrial automation vendors placing programmable logic controllers, SCADA components, industrial gateways, and HMI systems on the EU market must comply with the EU Cyber Resilience Act by September 2026. OT products connecting to operational technology networks or managing industrial processes are broadly classified as Important Class I under Annex III. The CRA introduces mandatory CVD policies and incident reporting obligations that many OT vendors currently lack entirely.


Robotics & Collaborative Robot Manufacturers

Robotics and collaborative robot (cobot) manufacturers placing industrial robots, autonomous mobile robots (AMRs), and cobot platforms on the EU market must address CRA obligations alongside existing Machinery Regulation requirements. Network-connected robotic systems with remote programming, monitoring, or update capabilities are classified as Important Class I under the CRA, given their direct role in manufacturing safety and production continuity.


Networking & IT

Cybersecurity Product Vendors

Cybersecurity product vendors — including manufacturers of firewalls, intrusion detection systems, endpoint security platforms, SIEM appliances, and identity management products — face Important Class I or Critical Class II classification under the CRA. Security products are among the most closely scrutinised product categories given that vulnerabilities in defensive tools directly enable attacker access to protected environments. CRA compliance is therefore both a regulatory obligation and a market credibility requirement.


Enterprise Networking Equipment Vendors

Enterprise networking equipment vendors — including manufacturers of switches, routers, firewalls, load balancers, and network management appliances — face Important Class I classification under the CRA for virtually all product lines. Network infrastructure products are explicitly named in Annex III as Important Class I by default due to their critical role in enabling network security and connectivity for organisations across the EU.


Firewall & Network Security Appliance Manufacturers

Firewall and network security appliances are explicitly listed as Important Products Class II in Annex III of the CRA, requiring mandatory third-party conformity assessment by an EU notified body. Manufacturers face the highest tier of CRA obligations, including stringent secure-by-design requirements under Annex I, mandatory CVD programmes, and 24-hour vulnerability exploitation reporting under Article 14. Given the frequent targeting of security appliances in nation-state and ransomware campaigns, robust vulnerability management is both a regulatory and reputational imperative.


Managed Service Providers with On-Premises Software

Managed service providers (MSPs) who develop and distribute their own on-premises software products — including remote monitoring and management (RMM) tools, professional services automation (PSA) software, backup agents, and security management platforms — are manufacturers under the CRA and must comply with all applicable obligations. MSP tooling occupies a privileged position in customer IT environments, making it a high-value target for supply chain attacks. The CRA's security requirements are particularly pertinent for MSP software given the cascading risk that a compromise of MSP tooling poses across the entire customer base.


Energy & Utilities

Energy Management System Vendors

Energy management system vendors providing demand response platforms, building energy management systems (BEMS), grid-edge controllers, and energy optimisation software to EU markets face the highest CRA classification tiers due to the critical infrastructure context of energy systems. Products interacting with the electrical grid or managing energy consumption at scale are subject to Important Class I or Critical Class II requirements and face the most rigorous conformity assessment pathways under the regulation.


Oil & Gas Automation Vendors

Oil and gas automation vendors supplying SCADA systems, RTUs, and PLCs to EU operators fall within the CRA's scope as manufacturers of products with digital elements used in critical infrastructure. The regulation imposes mandatory vulnerability disclosure policies, secure-by-design requirements, and 24-hour incident reporting obligations that significantly expand existing IEC 62443 compliance programmes. Vendors must align security documentation, conformity assessment, and post-market monitoring with CRA timelines by September 2026.


Smart Meter & AMI Manufacturers

Smart meter and Advanced Metering Infrastructure (AMI) manufacturers placing electricity, gas, and water metering products on the EU market face Important Class I classification under the CRA. Smart meters are deployed at scale across EU households — over 225 million units projected by 2027 — making systematic vulnerabilities in metering hardware or the AMI communication network a critical infrastructure concern that regulators will scrutinise closely.


Solar & Renewable Energy Monitoring Vendors

Solar inverter monitoring platforms, SCADA gateways for wind farms, and energy management systems sold into EU markets are products with digital elements under the CRA. Vendors in this sector must implement secure-by-design engineering, publish coordinated vulnerability disclosure policies, and meet Article 14 incident reporting timelines by September 2026. The rapid cloud-connectivity trend in renewable monitoring increases the attack surface and the regulatory stakes simultaneously.


Water Treatment & Utilities Automation Vendors

Water treatment and utilities automation vendors supplying SCADA systems, remote telemetry units, and control systems to EU water utilities are subject to the CRA as manufacturers of products critical to essential services. The water sector's classification as critical infrastructure under NIS2 means that automation product vendors face intense scrutiny from both CRA market surveillance authorities and water utility customers implementing their own NIS2 supply chain obligations. Demonstrated CRA compliance is rapidly becoming a mandatory procurement criterion for EU water utility contracts.


Consumer Electronics

Consumer Electronics Brands

Consumer electronics brands placing connected products — including smart TVs, streaming devices, Bluetooth speakers, tablets, laptops, and networked peripherals — on the EU market must comply with the EU Cyber Resilience Act by September 2026. The CRA introduces mandatory security standards and vulnerability disclosure requirements that will materially change product development, launch timelines, and post-market support obligations for consumer electronics brands of all sizes.


Gaming Hardware Manufacturers

Gaming hardware manufacturers producing gaming consoles, handheld gaming devices, gaming peripherals with network connectivity, and gaming-specific networking hardware for the EU market must comply with the EU Cyber Resilience Act by September 2026. Gaming consoles with online services, account management, and payment processing present a substantial attack surface — and the large, active user base makes vulnerabilities in gaming platforms high-value targets for both financial fraud and account compromise.


Professional Audio-Visual Equipment Vendors

Professional audio-visual equipment vendors manufacturing networked AV processors, digital signage players, conference room systems, streaming encoders, and broadcast infrastructure hardware for the EU market must comply with the EU Cyber Resilience Act by September 2026. AV equipment with IP networking, cloud management, and remote control capabilities is within CRA scope, and large format display systems and control processors used in critical facility infrastructure may be classified as Class I.


Smart Appliance Manufacturers

Smart appliance manufacturers producing connected washing machines, dishwashers, refrigerators, ovens, and other networked household appliances for the EU market must comply with the EU Cyber Resilience Act by September 2026. While individual smart appliances are typically Default Class, manufacturers with large connected appliance portfolios must establish CVD programmes, maintain SBOMs, and declare support lifetimes that reflect the 10–15 year operational life consumers expect from major household appliances.


Smart Home Device Manufacturers

Smart home device manufacturers producing connected doorbells, smart locks, home automation hubs, security cameras, smart plugs, and similar IoT products for the EU market must comply with the EU Cyber Resilience Act by September 2026. Smart home products present some of the most common cybersecurity vulnerabilities found in consumer IoT — default credentials, unencrypted cloud communications, and absent update mechanisms — which the CRA directly targets.


Wearable Technology Brands

Wearable technology brands producing smartwatches, fitness trackers, health monitoring wearables, smart glasses, and connected hearables for the EU market must comply with the EU Cyber Resilience Act by September 2026. Wearables that process health data, integrate with smartphones, or include payment functions face Important Class I classification. The intimate personal data these devices collect — heart rate, sleep patterns, location — makes security failures particularly consequential for users.


Telecommunications

Safety & Security

Access Control & Physical Security Vendors

Access control and physical security vendors manufacturing electronic door controllers, card readers, biometric terminals, visitor management systems, and integrated security platforms for the EU market face Important Class I classification under the CRA. Physical access control products that process biometric data, authenticate identities, or control entry to secured facilities present elevated cybersecurity risk — a compromise of these systems can directly enable physical security breaches.


Electronic Lock & Smart Door Manufacturers

Electronic lock and smart door manufacturers placing network-connected access control products on the EU market must comply with the CRA. Smart locks with Bluetooth, Wi-Fi, or Z-Wave connectivity, electronic door access controllers, and cloud-connected access management platforms are products with digital elements. These products control physical access to homes, offices, and facilities — meaning security failures can translate directly to physical security breaches. Manufacturers must implement robust cryptographic security, establish CVD programmes, and address the specific challenge of long-lifecycle physical security hardware.


Video Surveillance & CCTV Vendors

Video surveillance and CCTV vendors placing IP cameras, network video recorders, video management systems, and cloud-based surveillance platforms on the EU market must comply with the EU Cyber Resilience Act by September 2026. IP cameras have been among the most heavily exploited connected devices globally — Mirai and its variants specifically targeted IP cameras with default credentials — making CRA compliance both a regulatory obligation and a fundamental product security baseline for this sector.


Transport

Parking Management & Smart Parking Vendors

Smart parking management systems — including IoT-connected parking sensors, access barrier controllers, payment terminals with network connectivity, and cloud-based parking management platforms — are products with digital elements subject to the CRA. Vendors serving EU municipalities, airports, and commercial operators must implement Annex I security requirements, establish CVD policies, and prepare for CE marking by September 2026. Payment data processing in parking systems adds PCI-DSS obligations that run alongside CRA requirements.


Railway Signalling & Train Control Vendors

Railway signalling and train control systems represent some of the highest-consequence digital products in EU critical infrastructure, and their manufacturers face both CRA obligations and stringent rail-specific safety certification requirements under the ERA framework. Vendors of ETCS, CBTC, interlocking systems, and level crossing controllers must navigate the intersection of functional safety requirements and the CRA's cybersecurity mandate. Classification as Important Products Class II is likely for most safety-critical signalling components, mandating third-party conformity assessment.


Smart Traffic Management System Vendors

Smart traffic management systems — including adaptive traffic signal controllers, urban traffic control platforms, variable message signs, and connected intersection management systems — are likely Important Products Class I or Class II under the CRA due to their direct role in public safety and urban mobility. Vendors must implement robust security-by-design controls, establish mandatory CVD programmes, and prepare for notified body assessment where applicable. Traffic management systems in EU cities are increasingly targeted in demonstrations of disruptive cyberattack capability, making security programme maturity a reputational as well as regulatory imperative.


Agriculture

Agricultural IoT & Precision Farming Vendors

Agricultural IoT and precision farming vendors placing connected soil sensors, irrigation controllers, crop monitoring systems, livestock tracking devices, and precision agriculture platforms on the EU market must comply with the EU Cyber Resilience Act by September 2026. While many basic agricultural sensors fall into Default Class, connected controllers managing irrigation, fertilisation, or livestock environmental systems — and platforms that aggregate farm operational data — face Class I classification.


Livestock Monitoring & Precision Livestock Farming

Precision livestock farming (PLF) technology vendors — supplying connected ear tags, activity monitors, automated milking systems, indoor climate sensors, and livestock health monitoring platforms to EU farmers — must comply with the CRA for their network-connected products. While agricultural technology has not traditionally been considered high-risk from a cybersecurity perspective, the increasing connectivity of livestock management systems and their role in food production and animal welfare creates obligations that vendors must address. The agricultural sector's CRA compliance journey is typically at an earlier stage than that of industrial sectors, so now is the critical time to establish foundations.


Precision Agriculture & AgTech Vendors

Precision agriculture and AgTech vendors placing autonomous field robots, variable rate application systems, GPS-guided machinery controllers, drone-based crop monitoring systems, and farm data integration platforms on the EU market must comply with the EU Cyber Resilience Act by September 2026. Precision agriculture hardware with autonomous control capabilities, safety-critical functions adjacent to human workers, or integration into farm management information systems requires careful CRA classification — some products face Class I obligations.


Retail & Hospitality

Aerospace & Defence

Maritime

Ready to meet your CRA obligations?

CVD Portal provides a complete vulnerability disclosure programme — public submission portal, Article 14 deadline tracking, and CSAF advisory generation. Free for EU manufacturers.
