The EU Cyber Resilience Act (CRA): What Swiss Companies Need to Know

Laetitia Steybe | 02.06.2026 (updated on: 03.06.2026)

It’s Tuesday morning. Your robot vacuum is quietly doing its rounds while you’re in a meeting – a perfectly ordinary situation that you don’t give a second thought to. After all, it’s just a device, a little convenience.

To an attacker, however, this very robot vacuum isn’t just an everyday helper – it’s a gateway into your network. It is precisely this scenario that has EU lawmakers concerned, which is why they drafted the Cyber Resilience Act (CRA). This law also applies to Swiss companies that sell, import, or distribute products with digital elements throughout the EU.

What Is the Cyber Resilience Act?

In most cases, the vulnerabilities that attackers find in a network are not sophisticated zero-day flaws; they are usually hard-coded passwords, default usernames, or update functions that do not verify signatures.

Anyone who works in cybersecurity knows this reality all too well. Most security breaches aren’t the result of sophisticated attacks. It’s usually simply a lack of time that gets in the way, or a decision someone made years ago during product design – whether intentionally or simply because the development process didn’t prioritize security.
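The last item on that list, an update function that does not verify signatures, is the easiest to show in code. The following Go program is an added example, not code from the original article and not the design of any real vendor (RoboClean is fictional): it places an updater that installs whatever it receives next to one that checks an Ed25519 signature against a vendor key pinned in the device and refuses version rollback. The package layout, the key handling and the firmware bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update package layout, constructed for this example (not a real RoboClean format):
//   4-byte big-endian version | 64-byte Ed25519 signature | firmware image
// The signature covers version || SHA-256(image), so a valid version header cannot be
// reused with a different image.
const sigLen = ed25519.SignatureSize

var (
	ErrMalformed    = errors.New("update rejected: malformed package")
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// signedMessage builds the bytes that are signed by the vendor and verified by the device.
func signedMessage(version uint32, image []byte) []byte {
	sum := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(sum))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, sum[:]...)
}

// BuildUpdate is the vendor side: run in the build pipeline, which holds the private key.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	sig := ed25519.Sign(priv, signedMessage(version, image))
	pkg := make([]byte, 4, 4+sigLen+len(image))
	binary.BigEndian.PutUint32(pkg, version)
	pkg = append(pkg, sig...)
	return append(pkg, image...)
}

// InstallUnverified is the pattern the CRA targets: the device installs whatever it is
// handed, so anyone who can reach the update channel can replace the firmware.
func InstallUnverified(pkg []byte) ([]byte, error) {
	if len(pkg) < 4+sigLen {
		return nil, ErrMalformed
	}
	return pkg[4+sigLen:], nil
}

// InstallVerified accepts only images signed by the vendor key pinned in the device
// and refuses downgrades to the installed version or an older one.
func InstallVerified(pub ed25519.PublicKey, installed uint32, pkg []byte) ([]byte, error) {
	if len(pkg) < 4+sigLen {
		return nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(pkg[:4])
	sig := pkg[4 : 4+sigLen]
	image := pkg[4+sigLen:]
	if !ed25519.Verify(pub, signedMessage(version, image), sig) {
		return nil, ErrBadSignature
	}
	if version <= installed {
		return nil, ErrRollback
	}
	return image, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := BuildUpdate(priv, 2, []byte("firmware v2 image"))
	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0xff // one byte of the image changed in transit

	_, err = InstallUnverified(tampered)
	fmt.Println("unverified device installs tampered image:", err == nil)
	_, err = InstallVerified(pub, 1, tampered)
	fmt.Println("verified device rejects tampered image:", err)
	_, err = InstallVerified(pub, 2, genuine)
	fmt.Println("verified device rejects rollback:", err)
	img, err := InstallVerified(pub, 1, genuine)
	fmt.Printf("verified device installs genuine image: %q, err=%v\n", img, err)
}
```

The rollback check matters as much as the signature: a correctly signed but older image is exactly what an attacker would use to reintroduce a vulnerability that a later update fixed, so the installed version is part of the decision, not only the signature.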

Case Study

Now things get a little more complicated: Let’s go back to our fictional example of the robot vacuum. The image below shows, in broad terms, what’s inside your robot vacuum manufactured by RoboClean:

[Graphic: components of the example robot vacuum]

No single company built this device – it is the result of many independent decisions. And in the past, these individual decision-makers were able to shirk responsibility without consequence. When incidents occurred, the damage all too often fell on the retailer or even the user – even though they had no part in the decision-making process.

This is where the CRA is expected to bring about changes. Starting in December 2027, manufacturers of products bearing the CE marking will be required to provide proof to their users that their product meets the CRA’s essential cybersecurity requirements. The CE marking signifies compliance with several EU regulations.

The following graphic illustrates how liability changes with the introduction of the CRA:

[Graphic: liability before and after the CRA]

What Does the Cyber Resilience Act Entail?

The CRA applies to any product with digital elements (PDE) sold on the EU internal market. This is subject to the condition that the intended purpose or reasonably foreseeable use of the product involves a direct or indirect logical or physical data connection with a device or network (Article 2 CRA).

In short: The CRA applies to products capable of exchanging data over a network or via a device.

This includes all data exchanged via network interfaces, cloud connections, wireless protocols (Wi-Fi, Bluetooth, etc.), or other digital communication channels (e.g., personal data, configuration data, sensor and telemetry data, cloud-synchronized data).

The CRA is subject to the New Legislative Framework (NLF), which also applies to sunglasses, toys, and pressure vessels. Accordingly, five conditions must be met in order for the CE marking to be recognized:

  • Harmonized requirements form the basis for EU-wide rules that all products in a specific category must meet.
  • European standardization organizations (CEN, CENELEC, ETSI) develop harmonized European standards to specify these requirements.
  • Economic actors, i.e., anyone who manufactures products intended for sale in the EU, must conduct a conformity assessment (internal/external), draw up a declaration of conformity, compile technical documentation, and affix the CE marking.
  • Notified bodies (e.g., TÜV) conduct third-party conformity assessments when required.
  • Market surveillance authorities conduct random inspections and investigate incidents. This includes ordering product recalls and imposing fines.

Who Is Affected by the CRA?

Below is a brief overview of the responsibilities of the various economic actors:

Which Products Are Affected by the CRA?

Anything from hardware to software – the scope of the CRA covers virtually the entire spectrum of IT, the IoT, industrial control systems, as well as embedded devices and machines.

While pure SaaS services that are operated exclusively in the cloud are not covered by the CRA, the following applies: Remote data processing solutions or cloud components that are necessary for a product’s core functionality are also covered. Example: In the case of a robot vacuum that is not functional without its cloud connection, this connection also falls within the scope of the CRA (Article 3, Paragraph 2 of the CRA).

Do the Same Requirements Apply to All Products?

According to the CRA, different products are subject to varying levels of strictness in their requirements. The vast majority of all connected products fall into the standard category and are required only to meet the CRA’s general basic requirements.

For particularly critical products, as defined in Annex III and IV of the CRA, the strictest requirements apply, foremost among them mandatory testing by an external body such as the TÜV. These include:

  • Basic IT infrastructure: browsers, operating systems, routers, modems, firewalls
  • Products with security features: authentication systems, password managers, VPNs, SIEM, smart home security devices
  • Products that can collect personal data from children or health data: internet-connected toys and baby monitors, wearables with health features

How Can Manufacturers Determine Whether the CRA Applies to Their Product?

First, it must be checked which of the company’s products are listed in Annex III or IV of the CRA. For these products, an external conformity assessment is required. For all other products with digital elements, a simplified self-assessment applies.

A practical guideline is: If your product exchanges data with another device or network – whether via Wi-Fi, Bluetooth, cellular networks, or a cable – it falls within the CRA’s scope of testing.

When Does the CRA Take Effect?

[Graphic: CRA compliance timeline]

The CRA came into effect in December 2024, but mandatory implementation will take place in phases. Starting in September 2026, the reporting requirement for vulnerabilities and incidents will apply. For actively exploited vulnerabilities, the following three-tier reporting regime applies in accordance with Article 14, paragraphs 1–4 of the CRA:

  • Early warning to ENISA and national CSIRTs within 24 hours
  • Full report within 72 hours with additional details on the vulnerability
  • Final report after 14 days or, in the case of serious security incidents, after 1 month

The CRA is expected to take full effect in December 2027.

What Are the Key Requirements of the CRA?

The essential requirements for the products in question are listed in Annex I of the CRA:

  • Prevention by design: secure standards, minimized attack surfaces, no default passwords, minimal access rights (principle of least privilege)
  • Commitment to transparency: logging, monitoring, and incident mitigation capabilities
  • Minimum duration of security support: Manufacturers must provide security updates for at least 5 years, or longer if the product is used for a longer period. Shorter periods are only permitted for products with a short lifespan or subscription models (Article 14, Paragraph 60 of the CRA).

Since the CRA also imposes stricter requirements on product categories with critical functions, classification is certainly a good first step for companies. In this context, the intended purpose must be defined and documented in accordance with Article 3, paragraph 23 of the CRA.

Mandatory Documents for Manufacturers

In addition, there are three mandatory documents that every manufacturer must prepare for their products:

  • EU Declaration of Conformity (formal statement of compliance)
  • Technical documentation (non-public dossier containing design details, risk analysis, and test reports); this technical documentation must remain available for 10 years after the product is placed on the market
  • User information (a type of safety manual for end users)

The CRA in the Case Study of RoboClean’s Robot Vacuum

Let’s take another look at the details of the Cyber Resilience Act in the example of RoboClean’s robot vacuum.

The robot vacuum is not considered a critical product under Annex III or IV of the CRA. Nevertheless, it is subject to the fundamental CRA requirements. Even before entering the market, the manufacturer must systematically identify and document risks:

  • What happens if attackers take control of the camera and stream live footage?
  • What happens if the cloud connection is compromised and the robot can be controlled remotely?
  • What happens if a vulnerability in the app compromises the home network?

This risk analysis is mandatory and must be documented, kept up to date, and reviewed on an ongoing basis.

Sounds complex? It is! But no worries: With Oneconsult’s Security Consulting, we’ll help you navigate the compliance jungle.

What Distinguishes the CRA From Existing Standards?

Unlike standards such as IEC 62443 or ISO 27001, the CRA is mandatory. Without compliance, RoboClean will therefore not be granted access to the EU market.

Existing security standards remain relevant, however: The harmonized standards developed by CEN/CENELEC, particularly IEC 62443-4-2, are expected to establish a presumption of conformity. Manufacturers with existing certifications therefore have a clear advantage.

In addition, RoboClean’s robot vacuum must comply with the CRA’s “Secure by Design” requirement. Among other things, this means that the robot must be released to the market without any known security vulnerabilities. Camera footage and room data must be transmitted and stored in encrypted form. The Robo app may also only have access to the functions it needs. Unnecessary interfaces must be disabled. The user must be able to permanently destroy all data using cryptographic methods. In addition, the cloud connection is also a component covered by the CRA, meaning that the manufacturer is responsible for it as well.
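Two of those requirements, encrypted storage and the ability to permanently destroy all data using cryptographic methods, are usually implemented together as crypto-shredding. The Go program below is an added example, not code from the article and not RoboClean's real design (RoboClean is fictional): every record is stored only as AES-256-GCM ciphertext under one per-device data-encryption key, and the erase function destroys that key, after which the ciphertext that is still on the device cannot be recovered. The record contents and the in-memory key field are constructed for the example; on a real device the key would sit in a secure element or hardware key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceStore models the robot's persistent storage. Every record (room map, camera clip,
// Wi-Fi credentials) is held only as AES-256-GCM ciphertext under one per-device
// data-encryption key (DEK). Constructed design for this example; on a real device the
// DEK would live in a secure element or hardware key store, not in a struct field.
type DeviceStore struct {
	dek     []byte
	records map[string][]byte // record name -> nonce || ciphertext
}

var ErrNoKey = errors.New("data-encryption key has been destroyed")

// NewDeviceStore generates a fresh random DEK, as first-boot provisioning would.
func NewDeviceStore() (*DeviceStore, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return &DeviceStore{dek: dek, records: map[string][]byte{}}, nil
}

func (s *DeviceStore) aead() (cipher.AEAD, error) {
	if s.dek == nil {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(s.dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext with a fresh random nonce. The record name is bound as associated
// data, so a ciphertext copied from one record to another will not decrypt.
func (s *DeviceStore) Put(name string, plaintext []byte) error {
	g, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[name] = g.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get decrypts a record; it fails once the DEK is gone or if the ciphertext was tampered with.
func (s *DeviceStore) Get(name string) ([]byte, error) {
	g, err := s.aead()
	if err != nil {
		return nil, err
	}
	rec, ok := s.records[name]
	if !ok {
		return nil, fmt.Errorf("no record %q", name)
	}
	ns := g.NonceSize()
	if len(rec) < ns {
		return nil, errors.New("corrupt record")
	}
	return g.Open(nil, rec[:ns], rec[ns:], []byte(name))
}

// CryptoErase is the user-triggered "destroy all data" function: the DEK is overwritten and
// discarded. The ciphertext may well remain on flash (wear levelling makes physical deletion
// unreliable), but without the key it is unrecoverable, which is the point of crypto-shredding.
func (s *DeviceStore) CryptoErase() {
	for i := range s.dek {
		s.dek[i] = 0
	}
	s.dek = nil
}

// Ciphertext returns the raw stored bytes, so a caller can confirm no plaintext is at rest.
func (s *DeviceStore) Ciphertext(name string) []byte { return s.records[name] }

func main() {
	s, err := NewDeviceStore()
	if err != nil {
		panic(err)
	}
	_ = s.Put("floorplan", []byte("living room 5x4 m, sofa at (1,2)"))
	plain, _ := s.Get("floorplan")
	fmt.Printf("before erase: %q (%d ciphertext bytes at rest)\n", plain, len(s.Ciphertext("floorplan")))
	s.CryptoErase()
	_, err = s.Get("floorplan")
	fmt.Printf("after erase: %v (%d ciphertext bytes still at rest)\n", err, len(s.Ciphertext("floorplan")))
}
```

The property a conformity assessor would look for is visible in the last two lines: after the erase the stored bytes are unchanged and still present, yet no function on the device can turn them back into room data, because the only key that could do so no longer exists anywhere.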

How Does the CRA Relate to Other Regulations?

This raises the following question for RoboClean: Since the robot vacuum is a machine, the Machinery Directive applies. If AI is also used, the product falls under the EU AI Act as well. And the NIS2 Directive may even apply to maintaining cybersecurity. Doesn’t that mean I’m already sufficiently regulated?

Unfortunately, the answer is no. That is precisely one of the biggest misconceptions in the European compliance jungle.

The reason for this is that the CRA applies to products with digital elements. NIS2, however, applies to companies, the AI Act to AI systems, and the Machinery Regulation to machinery. Each regulatory framework therefore addresses different risks from different perspectives. There is no simple rule of precedence. RoboClean could therefore theoretically fall under all four regulatory frameworks – and must therefore comply with all requirements.

How Should Vulnerabilities Be Addressed?

If a critical vulnerability is discovered in a RoboClean robot vacuum, the CRA stipulates that there are only 24 hours to issue an early warning to ENISA and the relevant national authorities.

However, for RoboClean to even know where potential vulnerabilities lie, a software bill of materials (SBOM) is required. Ideally, it documents all of the product’s software components. This includes not only the app itself, but also all the libraries used and their further dependencies. The SBOM thus maps the entire network of software dependencies, must be machine-readable – for example, in SPDX or CycloneDX format – and must be updated on an ongoing basis.
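What "maps the entire network of software dependencies" buys you becomes concrete when an advisory arrives and the 24-hour clock starts: the SBOM has to answer which shipped components are reachable from the vulnerable library. The Go program below is an added example, not code from the article or from any CycloneDX tooling: it builds a small CycloneDX-shaped document (the field names follow the CycloneDX JSON spec; the component list, versions, package URLs and the advisory ID "EXAMPLE-ADV-0001" are constructed placeholders) and walks the dependency graph upward from an affected package URL to list everything that depends on it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// A small subset of the CycloneDX JSON shape; field names follow the CycloneDX spec.
// The component list and the advisory used below are constructed for this example.
type Component struct {
	BOMRef  string `json:"bom-ref"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type Dependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn,omitempty"`
}

type BOM struct {
	BOMFormat    string       `json:"bomFormat"`
	SpecVersion  string       `json:"specVersion"`
	Components   []Component  `json:"components"`
	Dependencies []Dependency `json:"dependencies"`
}

// comp builds a component whose bom-ref is its package URL, a common CycloneDX convention.
func comp(typ, name, version string) Component {
	purl := "pkg:generic/" + name + "@" + version
	return Component{BOMRef: purl, Type: typ, Name: name, Version: version, PURL: purl}
}

// RoboCleanSBOM is a constructed SBOM for the fictional app: it pulls in an HTTP client and
// an MQTT library, both use the same TLS library, and that library uses an ASN.1 parser.
func RoboCleanSBOM() BOM {
	app, httpc := comp("application", "roboclean-app", "3.4.0"), comp("library", "http-client", "1.2.0")
	mqtt, tls, asn1 := comp("library", "mqtt", "0.9.1"), comp("library", "tls", "2.0.3"), comp("library", "asn1", "0.4.0")
	return BOM{BOMFormat: "CycloneDX", SpecVersion: "1.5",
		Components: []Component{app, httpc, mqtt, tls, asn1},
		Dependencies: []Dependency{
			{Ref: app.BOMRef, DependsOn: []string{httpc.BOMRef, mqtt.BOMRef}},
			{Ref: httpc.BOMRef, DependsOn: []string{tls.BOMRef}},
			{Ref: mqtt.BOMRef, DependsOn: []string{tls.BOMRef}},
			{Ref: tls.BOMRef, DependsOn: []string{asn1.BOMRef}},
			{Ref: asn1.BOMRef},
		}}
}

// TransitiveDependents returns, sorted, every component that directly or indirectly depends
// on ref: everything that must be rebuilt or re-released when ref turns out to be vulnerable.
func TransitiveDependents(b BOM, ref string) []string {
	parents := map[string][]string{} // child -> components that depend on it
	for _, d := range b.Dependencies {
		for _, dep := range d.DependsOn {
			parents[dep] = append(parents[dep], d.Ref)
		}
	}
	seen := map[string]bool{}
	var out []string
	queue := []string{ref}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, p := range parents[cur] {
			if !seen[p] {
				seen[p] = true
				out = append(out, p)
				queue = append(queue, p)
			}
		}
	}
	sort.Strings(out)
	return out
}

// Affected matches a feed of advisories (ID -> package URL of the affected version) against
// the SBOM; each hit maps to the components the vulnerability propagates to.
func Affected(b BOM, advisories map[string]string) map[string][]string {
	refByPURL := map[string]string{}
	for _, c := range b.Components {
		refByPURL[c.PURL] = c.BOMRef
	}
	hits := map[string][]string{}
	for id, purl := range advisories {
		if ref, ok := refByPURL[purl]; ok {
			hits[id] = TransitiveDependents(b, ref)
		}
	}
	return hits
}

func main() {
	b := RoboCleanSBOM()
	out, _ := json.MarshalIndent(b, "", "  ") // the machine-readable artefact for the technical documentation
	fmt.Println(string(out))
	// "EXAMPLE-ADV-0001" is a placeholder advisory ID, not a real identifier.
	fmt.Println("affected:", Affected(b, map[string]string{"EXAMPLE-ADV-0001": "pkg:generic/asn1@0.4.0"}))
}
```

Matching is done on the exact package URL, so an advisory for a version the product does not ship produces no hit, and a hit on the ASN.1 parser surfaces the TLS library, both of its users and the app itself. That list is what the early warning to ENISA, the fix and the user notice all have to name, and it is only available within 24 hours if the SBOM was kept current before the advisory arrived.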

Even before entering the market, RoboClean must also prepare the technical documentation. In addition to the SBOM, this includes a product description, architecture and threat models, applicable standards related to Annex I of the CRA, the EU Declaration of Conformity, and evidence of vulnerability management. Authorities may request these documents, as well as process evidence – such as design reviews, penetration test reports, or patch logs – for up to ten years. This is intended to make it possible to verify whether the manufacturer has indeed developed their product in a secure manner.

Who Is Liable in the Event of an Incident?

The big question, however, is: Who is liable if the vulnerability lies in a third-party component? This is precisely where things get tricky for RoboClean, because the primary responsibility lies with the manufacturer. While commercial component suppliers can also be considered manufacturers, open-source maintainers are largely exempt. This is entirely intentional from a political perspective, as the EU does not want to overburden the open-source community. Companies that use open-source components commercially or integrate them into their own products therefore bear full responsibility for compliance.

In addition, RoboClean must define a support period of at least five years. Security updates must be provided during this time. Furthermore, a central point of contact for security reports is required, as well as clear documentation on the safe use of the product.

What Are the Potential Consequences?

Violations can be costly:

  • up to 15 million euros or 2.5% of global annual turnover for violations of Annex I of the CRA
  • up to 10 million euros or 2% of global annual turnover for other breaches of obligations
  • up to 5 million euros or 1% of global annual turnover for false statements

To What Extent Are Swiss Companies Affected by the CRA?

Switzerland generally aligns its regulatory framework with EU standards, particularly in areas affecting cross-border trade. The German GDPR and Switzerland’s nDSG (Revised Federal Act on Data Protection) provide an illustrative example: Switzerland observed, adapted, and implemented its own version based on the GDPR.

Accordingly, the Swiss government is currently taking a very active interest in the CRA. The Federal Office for Cybersecurity (BACS) has published guidelines (in German only) that acknowledge the importance of the CRA and contribute to the professional debate. Switzerland’s existing Information Security Act (ISG) and its broader cybersecurity strategy already reflect similar principles.

What Should Be Considered When Dealing With the CRA?

The Cyber Resilience Act therefore results in significantly more complex guidelines and processes. To ease the burden on internal processes, it is advisable to rely on our Security Consulting service. Oneconsult’s cyber security experts act as translators and provide clarity on various levels:

  • To senior management: Our experts report on residual risk and translate technical vulnerabilities into financial liability risks.
  • To the CISO: Our experts maintain the evidence pipeline and ensure that the software bill of materials remains up to date.
  • To the Product Owner: Our experts support the security architect and help integrate automated scans and penetration tests into the development process in a way that ensures security does not hinder innovation.

Support Needed?

Are you affected by the Cyber Resilience Act and want to implement its requirements efficiently? Get targeted support in the following areas now:

  • Mapping your product portfolio for EU exposure
  • Assessing your current security status (gap analysis)
  • Operational support for vulnerability management, threat modeling, and risk management
  • Creating a compliance roadmap with realistic timelines

Author

Laetitia Steybe has been working as Cyber Security Coordinator at Oneconsult AG since January 2025 and supports clients with security initiatives, the coordination of penetration tests, and the tracking of security measures. In this role, she works closely with C-level stakeholders to ensure the effective implementation of a strategic cybersecurity plan. She is CISSP-certified and brings extensive expertise in information security to the table. Previously, she spent several years working in IT project consulting, where she gained extensive experience collaborating with various departments.
