Connected products are no longer a niche. They’re embedded in everything from factory floors to hospital wards. But as we race ahead with digital innovation, cybersecurity has struggled to keep pace. That’s where the EU’s Cyber Resilience Act (CRA) comes in.

If you design, build, or sell smart products in Europe, the CRA is about to become part of your reality. And this isn’t just another set of best practices. It’s enforceable law.

From "nice to have" to legal requirement

The CRA applies to nearly every product with digital elements that connects to a network, whether consumer, industrial, or otherwise. The rules are broad and strict: manufacturers must build in security from the start, maintain it throughout the product lifecycle, and be ready to report issues within days.

Ignore it, and the penalties are steep: up to €15 million or 2.5% of global revenue. So yes, this is a boardroom issue, not just one for engineering or IT.

The countdown is on

While the law came into effect in early 2024, most of the requirements kick in by December 2027. That may seem far off, but in the world of product development, it’s really not. Key obligations, like reporting exploited vulnerabilities, arrive even sooner, in September 2026.

If you’re running complex systems, managing long product lifecycles, or supporting fleets of devices already in the field, now’s the time to act.

Why this is hard, and why it matters

Let’s be honest: CRA compliance is not just a patch or a checklist. It touches everything: software updates, vulnerability tracking, SBOMs, documentation, and proving you’ve done it all correctly. Many manufacturers still rely on fragmented tools and manual processes. That won’t cut it.

The CRA is forcing a shift from reactive security to built-in resilience. That’s painful for some, but it’s also an opportunity. Companies that get this right can turn security into a competitive advantage.

Where Cumulocity comes in

At Cumulocity, we help smart equipment manufacturers get CRA-ready without starting from zero.

Our platform supports secure over-the-air updates, rollback mechanisms, real-time monitoring, and compliance-ready reporting, all at scale. Whether you’re managing 500 or 500,000 devices, you’ll have the visibility and control you need.

We’ve also published a practical reference guide to help you align your architecture and operations with CRA requirements, quickly and clearly.

What to do next

If you haven’t started preparing for the CRA, don’t panic, but don’t delay.

Begin by assessing your current capabilities against CRA obligations. Where are the gaps? Who needs to be involved? What can be automated? Use this to build a focused, cross-functional roadmap.

Above all, treat this as a strategic initiative, not just a regulatory box to tick. Strong cybersecurity processes don’t just keep you compliant. They keep your business running, your customers happy, and your brand intact.

Let's talk

Cumulocity works with global manufacturers to simplify smart product operations. We’re ready to help you navigate CRA compliance, whether you need architectural guidance, technical support, or just a sounding board.

Read our whitepaper, Navigating the EU Cyber Resilience Act: What Smart Equipment Manufacturers Need to Know.


Book a CRA Readiness Consultation. Speak with Cumulocity’s experts to get support in evaluating your current architecture, identifying gaps, and implementing a solution that aligns your business with the CRA.
