EU Cyber Resilience Act — Guide for Board Director & Executive Leadership

The CRA establishes obligations at the level of the 'manufacturer' — a legal entity, not an individual role. This means the board of directors and senior management are accountable for ensuring the organisation meets its CRA obligations. Article 13 requires the manufacturer to put in place appropriate internal processes and governance to ensure compliance throughout the product lifecycle. Boards that treat the CRA as a purely technical matter — delegated entirely to engineering — expose the organisation to regulatory sanction for governance failures as well as technical non-conformities. Effective board-level oversight requires: a designated executive owner for CRA compliance (typically the CISO or CTO reporting to the CEO), a defined compliance roadmap with board-approved milestones, and regular board reporting on conformity status.

Non-compliance with the CRA exposes the manufacturer to administrative penalties of up to €15 million or 2.5% of global annual worldwide turnover, whichever is higher. For Class I and Class II Important Products, providing false conformity information can attract penalties of up to €20 million or 4% of turnover. Beyond direct regulatory penalties, the CRA creates an environment in which the EU Product Liability Directive — updated contemporaneously — enables consumers and businesses to claim damages from manufacturers for harm caused by defective digital products. Directors in jurisdictions where corporate liability for regulatory failures can attach to individuals personally — as is increasingly common under EU financial and data protection law — should take legal advice on their personal exposure. The CRA is not a compliance exercise that can be deferred; the risk accumulates from the application date.

Effective CRA governance requires formal structures rather than ad hoc arrangements. The board should require a quarterly CRA compliance report from the executive team covering: current product classification and conformity assessment status; status of the technical file for each product line; Article 14 notification history and any open incidents; supply chain compliance status; and any NCA communications or market surveillance activity. A cross-functional CRA steering group — including representation from legal, security, engineering, product, and finance — should meet monthly and escalate material issues to the board. The Declaration of Conformity should be reviewed and re-signed by an authorised executive at each major product release. Board committees with existing risk and audit mandates should incorporate CRA compliance into their remits.

Achieving CRA conformity is not cost-free. The European Commission's impact assessment estimated that compliance costs for SMEs would average €29,000 per product and substantially more for complex products requiring notified body assessment. Boards must allocate budget to cover: SBOM tooling and integration, security testing expansion, potential penetration testing or red team exercises, technical file documentation effort, legal review of the Declaration of Conformity and associated commercial agreements, and — for Class II Important Products — notified body fees. Boards should also assess whether the organisation has the internal expertise to meet these requirements or whether specialist advisory support is needed. Investment in compliance before the December 2027 application date is substantially cheaper than responding to market surveillance action after it.

Commission an executive-level briefing from legal and security leadership on the organisation's current CRA exposure — covering which products are in scope, which classification applies, and what the current conformity gap is. Request a CRA readiness score for each in-scope product line and review it at the next board meeting. Approve a CRA compliance project with defined milestones, a budget allocation, and a named executive sponsor. Confirm that product liability insurance adequately covers CRA-era regulatory exposure and request legal advice if not. Establish a regular CRA reporting cadence into the board's audit or risk committee. Direct the CISO to confirm that Article 14 notification procedures are documented and that someone has authority to approve submissions within the 24-hour early warning window.