10 June 2026
The Cyber Resilience Act (CRA) applies from 10 December 2024. What must Swiss companies consider when placing digital products on the EU market?
What is it about?
From connected household appliances and enterprise software to industrial control systems, digital products are now ubiquitous. As important as these products are, security vulnerabilities can make them an entry point for cyberattacks. Through the CRA, the EU is responding to this development and, for the first time, introducing uniform cybersecurity requirements for products with digital elements.
Which products are affected?
The CRA covers software and hardware products as well as remote data processing solutions, provided that their intended use involves the exchange of data with other devices or networks. This includes, in particular, connections via USB, Ethernet, Wi-Fi or Bluetooth, as well as software interfaces, remote access or cloud-based functionalities.
Which companies are affected?
The requirements apply to manufacturers, importers and distributors of products with digital elements that are made available on the EU market. Consequently, Swiss companies that supply or distribute such products in the EU are also affected, as are companies that, as part of the supply or distribution chain of European market participants, are indirectly confronted with the requirements.
What obligations does the legislation impose?
Manufacturers must ensure that their products comply with the cybersecurity requirements of the CRA. In particular, this requires a risk assessment, technical documentation of the relevant cybersecurity requirements, the implementation of processes for handling vulnerabilities, and the provision of security updates throughout the intended support period of a product. Prior to placing products on the market, companies must demonstrate, as part of the conformity assessment procedure, that the requirements of the CRA are met and document such conformity in the EU Declaration of Conformity. In addition, from 11 September 2026 onwards, actively exploited vulnerabilities and severe security incidents must be reported to the competent authorities, irrespective of when the affected product was placed on the market.
Where is action required?
Companies should assess at an early stage which products fall within the scope of the CRA and whether their processes comply with the new requirements. As a general rule, the Regulation applies only to products placed on the market from 11 December 2027 onwards. However, the requirements may also become relevant for products already on the market if they subsequently undergo substantial modifications. To support implementation, an expert group appointed by the European Commission has published a comprehensive report containing specific model contractual clauses. The expert group is supporting the implementation of the CRA and is currently working on guidance regarding the application of the Regulation and its interaction with the AI Act and DORA.
As numerous questions concerning interpretation and application remain unresolved, the further work of the European Commission and the expert group will be of particular interest in practice. We support and advise affected companies in assessing and implementing the new requirements.
