Cyber Resilience Act – Reporting Obligations for Manufacturers almost applicable: does it concern me?

Partnerblog

The Cyber Resilience Act (CRA) aims to ensure that manufacturers design more cyber-secure products and make it easier for users to keep those products in a secure state throughout their lifecycle. It addresses the expanding cyber-threat landscape and seeks to make the Internet of Things (IoT) safer. It does this by imposing minimum cybersecurity requirements on all products with digital elements (PDEs) placed on the EU market. A PDE is a product whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. For further background, we refer to our previous blog post on the CRA and to our post on the first FAQ of the European Commission.

The rules will be implemented in phases. Most obligations of manufacturers will apply from 11 December 2027, while certain obligations will already apply from 11 September 2026.

Under the CRA, manufacturers of PDEs have specific obligations to ensure the cybersecurity of those products. If a vulnerability exists or an incident occurs, manufacturers must remedy the known vulnerability or cyber-incident. In addition, in certain circumstances, they also have reporting or notification obligations, which are discussed hereafter.

As from 11 September 2026, manufacturers placing PDEs on the EU market will have mandatory reporting obligations under the CRA. It is therefore essential for an entity to determine, before that date, whether it qualifies as a manufacturer under the CRA, so that it can comply with these mandatory reporting requirements. Note that, beyond this mandatory reporting obligation, manufacturers and any third party can make a voluntary report of:

(i) any known vulnerability; 

(ii) cyber threats that could affect the risk profile of a PDE or any incident having an impact on the security of the PDE; or 

(iii) any near miss that could have resulted in such an incident. 

This article aims to provide a first look at how to determine whether an entity qualifies as a “manufacturer” and which mandatory reporting obligations it will have as from 11 September 2026, in order to prepare for compliance with this Regulation.

Who qualifies as a manufacturer? 

A manufacturer is defined as the natural or legal person who 

(1) develops or manufactures PDEs or has them designed, developed or manufactured; and 

(2) markets them under its name or trademark, whether in return for payment, money or free of charge.

However, an importer, distributor or any natural person can still qualify as a manufacturer under the CRA if they make a substantial modification to a PDE that has been placed on the market by the manufacturer and subsequently make that modified PDE available on the market, or if an importer or distributor places the PDE on the market under its own name or trademark. These are alternative criteria.

What must be reported? 

Manufacturers have reporting obligations in the following two situations. Firstly, they must report any incident that fulfils two cumulative conditions, namely that it is severe and that it has an impact on the security of the product. A severe incident means an incident that either negatively impacts, or is capable of negatively impacting, the ability of the product to protect the confidentiality, integrity, authenticity or availability of sensitive or important data or functions, or that has led, or is capable of leading, to the introduction or execution of malicious code in the product or in the network and information systems of a user of the product.

Secondly, they must report any actively exploited vulnerability, which is a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without the permission of the system owner.

How and when must this reporting be done? 

These reports must be made to the Computer Security Incident Response Team (CSIRT) designated as coordinator for the Member State, and to the European Union Agency for Cybersecurity (ENISA). The impacted users of the concerned PDE must also be notified and, where appropriate, all users.

• To report to users, by analogy with reporting to users under NIS2, the manufacturer can use any available (communication) means, such as publishing information on the website, using a mailing list, sending a message through an application or communication via printed materials. 

• To report to the CSIRT and ENISA, a single reporting platform is being created. Manufacturers must report through the electronic notification endpoint of the CSIRT designated as coordinator for the Member State of their main establishment. A notification submitted through this platform will automatically reach the relevant CSIRT designated as coordinator and be simultaneously accessible to ENISA.

After this platform becomes operational, ENISA is expected to publish guidance on how to report. Member States will then be able to establish their own electronic notification endpoints.

Where to report?

In order to be able to report to the correct national CSIRT, a manufacturer must determine where its main establishment is under the CRA. A manufacturer is considered to have its main establishment in the European Union in the Member State where the decisions related to the cybersecurity of its PDEs are predominantly taken. 

In the situation where this cannot be determined, the manufacturer is considered to have its main establishment in the Member State where it has the establishment with the highest number of employees in the European Union. 

If the manufacturer has no main establishment in the Union, it must submit the notifications in the Member State determined according to the following order:

(1) The Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of its PDEs is established; 

(2) The Member State in which the importer placing on the market the highest number of its PDEs is established; 

(3) The Member State in which the distributor making available on the market the highest number of its PDEs is established; 

(4) The Member State in which the highest number of users of its PDEs are located. 

Reporting deadlines 

The reporting obligations on the single platform are threefold. First, the manufacturer must make an early warning notification without undue delay, and in any event within 24 hours after becoming aware of the severe incident having an impact on security or of the actively exploited vulnerability. This report must specify the affected PDE and, where applicable, the Member States in which the manufacturer is aware that the product has been made available.

The FAQ provides examples of situations in which a manufacturer is considered to become aware of such a vulnerability or incident. This notably includes cases where a customer or partner organisation informs the manufacturer of unusual activity or a compromise, and provides reliable evidence that an actively exploited vulnerability is present in the PDE. Other possibilities include threat intelligence reports; notifications from governmental cybersecurity agencies that have detected exploitation of a vulnerability through their monitoring systems; reports from ethical hackers about a vulnerability that is already being exploited; or detection through the manufacturer’s own internal monitoring, scanning activities or telemetry. 

Secondly, the manufacturer must make a vulnerability or incident notification without undue delay, and in any event within 72 hours after becoming aware of the vulnerability or incident. This notification must include general information on the affected PDE, the nature of the vulnerability or incident, the mitigating or corrective measures that have been taken and that users can take, how sensitive the manufacturer considers the notified information to be and, in the case of an incident, an initial assessment of it.

The Digital Omnibus proposal would change the GDPR’s personal data breach notification deadline from 72 hours to 96 hours after becoming aware of the breach. It is therefore possible that the 72-hour deadline under the CRA may likewise be extended to 96 hours. 

Finally, the manufacturer must provide a final report, either within 14 days after corrective or mitigating measures are available in the case of a vulnerability, or within one (1) month after the submission of the incident notification. This report must include a description of the incident or vulnerability, including its severity and impact. In the case of a vulnerability, it must, where available, provide information on the malicious actor that has exploited or is exploiting the vulnerability and give details of the security updates and corrective measures that have been made available to remedy it. In the case of an incident, this report must describe the type of threat or root cause that is likely to have triggered the incident and set out the applied and ongoing mitigation measures.

In addition, the CSIRT can always request an intermediate report on relevant status updates. By analogy with the CCB Notification Guide for NIS2, the term “without undue delay” likely means reporting as soon as possible, without waiting for the maximum deadline. Waiting until the end of the 24- or 72-hour period would only be justified in exceptional circumstances.

If you would like assistance in determining whether you qualify as a manufacturer and how you can prepare yourself for this mandatory reporting, please do not hesitate to contact us.

Authors

Pedro Demolder, Charlotte Gerbehaye
