
Cyber Resilience Act: What changes for software manufacturers and IT buyers


Yannick H.

Too Long; Didn't Read

The EU Cyber Resilience Act will become fully applicable from December 2027 and affects virtually every digital product on the EU market, including software from Swiss manufacturers.


Starting 11 December 2027, a new reality applies in the EU for products with digital elements: no software product, IoT device or other connected product may be placed on the market without a CE mark attesting CRA conformity. No documented vulnerability-handling process? No SBOM? No market access.

The EU Cyber Resilience Act — Regulation (EU) 2024/2847, published in November 2024 — is not an abstract vision of the future. The regulation has been in force since December 2024. The clock is ticking.

And yes, this also affects Swiss companies. Directly.

What the Cyber Resilience Act requires

For the first time, the CRA systematically regulates the cybersecurity of products with digital elements. Until now, most software products had no mandatory security requirements before market entry. That is changing fundamentally.

The core requirements can be reduced to four pillars:

Security by Design. Products must be developed securely from the outset. No known exploitable vulnerabilities at market launch. Secure default configurations. Protection of data confidentiality and integrity. Minimal data processing. This is not new as a principle — but it is new as a legal obligation.

Vulnerability management throughout the entire lifecycle. Manufacturers must identify, document, and remediate vulnerabilities for the entire support period, which is at least five years unless the product is expected to be in use for a shorter time. Security updates must be provided free of charge. Actively exploited vulnerabilities, and severe incidents affecting the security of the product, must be reported through the EU single reporting platform to the national CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of becoming aware, a vulnerability (or incident) notification within 72 hours, and a final report within 14 days of a corrective measure being available (one month after the notification for incidents).

SBOM, the Software Bill of Materials. Every manufacturer must draw up an SBOM in a commonly used, machine-readable format covering at least the product's top-level dependencies. It is part of the technical documentation, which must exist before the product is placed on the market and be kept up to date during the support period. The SBOM does not have to be published, but it must be made available to market surveillance authorities on request.

CE marking and conformity assessment. In the future, digital products will need a CE mark confirming CRA conformity. This requires technical documentation, an EU declaration of conformity, and depending on the product category, either a self-assessment or third-party assessment.

Who it affects — and when

Not every product is treated the same. The CRA divides digital products into categories with different conformity requirements:

The default category covers the majority of products: photo editing software, smart speakers, games, simple IoT devices. Here the manufacturer's own conformity assessment (internal control) is sufficient.

Important products, Class I, covers products with elevated risk: operating systems, browsers, password managers, VPNs, identity management systems, network management and SIEM solutions, routers and modems, smart home devices with security functions. Self-assessment is possible only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise a notified body must be involved.

Important products, Class II, covers high-risk products: hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers. Third-party conformity assessment by a notified body is mandatory here.

And then there are critical products (Annex IV): hardware devices with security boxes (hardware security modules being the typical case), smart meter gateways, smart cards and secure elements. The Commission may require these to obtain a European cybersecurity certificate; until such a requirement exists, the Class II procedures apply.

The deadlines are staggered:

  • 11 June 2026: Provisions on notified bodies (the third-party assessors) become applicable

  • 11 September 2026: Reporting obligations for actively exploited vulnerabilities and severe incidents become effective

  • 11 December 2027: All remaining CRA obligations become fully applicable

That sounds far away. But: conformity assessments, SBOM tooling, process documentation, and third-party reviews require lead time. If you start in autumn 2027, you are too late.

What this means for Swiss companies

This is where it becomes unexpected for many: Switzerland is not an EU member, but the CRA still affects Swiss companies on several levels.

As a software manufacturer: If you sell digital products in the EU market, you must fulfill all CRA requirements as a manufacturer. There is no Swiss special privilege. Your EU importer or authorized representative is responsible for ensuring your product is compliant — but the work is yours.

As an importer/distributor: Swiss companies that bring digital products from the EU into Switzerland have no CRA obligations there (yet). But anyone distributing products onward in the EU assumes verification obligations.

As an IT buyer: Something changes even without your own manufacturer obligations. If your software suppliers must be CRA-compliant, that becomes a procurement criterion. You can request SBOM data. You can review vulnerability management processes. And you should — because it helps you assess your own security level.

Switzerland has not yet announced its own legislation equivalent to the CRA. But for any company with an EU market presence, the question is not whether, but when implementation must begin.

The open-source elephant in the room

One topic generating lots of discussion: How does the CRA affect open-source software?

The short answer: free and open-source software supplied outside a commercial activity is out of scope. But "commercial activity" is broader than many think. Charging for technical support, monetising a platform built around the software, or using personal data for purposes other than improving security, compatibility or interoperability can all make the supply commercial. And a manufacturer that integrates an open-source component into a commercial product takes on CRA responsibility for that component, even though the upstream project itself stays out of scope.

To address this, the CRA introduces a new role: the Open Source Software Steward — organizations such as foundations that coordinate the development of commercially used open source. They have lighter obligations (security policy, cooperation with authorities, vulnerability reporting), but they are not exempt.

For manufacturers using open-source components in their products, the level of responsibility changes. You are responsible for the CRA conformity of your entire product — including all integrated open-source libraries. The SBOM requirement naturally applies here as well.

Fine risk: not ignorable

If regulatory requirements alone are not convincing: the fine framework is significant.

Violations of essential cybersecurity requirements can cost up to 15 million euros or 2.5% of global annual turnover — whichever is higher. Violations of other CRA obligations: up to 10 million euros or 2%. Misleading statements to authorities: up to 5 million euros or 1%.

That is in the same league as the GDPR, which tops out at 20 million euros or 4%. And as with the GDPR, enforcement is unlikely to start at full force on day one. But it will come, and market surveillance authorities can order non-compliant products withdrawn or recalled from the market.

What to do now — concretely

The deadline is December 2027. What can you tackle now?

Take inventory. Which of your products fall under the CRA? Which category (default, important Class I, important Class II, critical)? That determines the conformity assessment route and the effort it requires.

Leverage what already exists. Do you already have ISO 27001? NIS2 measures? An ISMS? Many CRA requirements overlap with existing standards. Security by Design, vulnerability management, documentation — this does not have to be built from scratch. We regularly see with our clients that 40–60% of requirements are already covered by existing compliance programs.

Introduce SBOM tooling. If you are not yet generating an SBOM, start now. Two machine-readable formats are established, CycloneDX and SPDX, and most build ecosystems have generators for them. The biggest effort is not the tool, but integration into the build process and keeping the output accurate from release to release.
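A generator only gets you a file; what the CRA asks for is an SBOM that actually identifies the product's top-level dependencies. The following check is an added example written for this article, not code from the page, from CycloneDX or from any tool: it reads a CycloneDX JSON document and flags the gaps an authority or a buyer would notice first. The product name "acme-gateway", its dependencies and the whole sample SBOM are constructed for illustration; the sample deliberately contains two defects (an unversioned component and a top-level dependency that is referenced but never declared).

```python
"""Check a CycloneDX JSON SBOM against the CRA's minimum expectation:
machine-readable, and covering at least the product's top-level dependencies.

Added example for this article; not from the original page or the CycloneDX
project. Sample data below is constructed, the product is hypothetical.
"""
import json

# Constructed sample SBOM for a hypothetical product "acme-gateway".
# Deliberate defects: "libfoo" has no version, and the top-level dependency
# "pkg:npm/left-pad@1.3.0" is referenced but not declared under "components".
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {
      "type": "application",
      "bom-ref": "pkg:generic/acme-gateway@2.4.0",
      "name": "acme-gateway",
      "version": "2.4.0"
    }
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/express@4.19.2",
     "name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
    {"type": "library", "bom-ref": "pkg:generic/libfoo", "name": "libfoo"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/acme-gateway@2.4.0",
     "dependsOn": ["pkg:npm/express@4.19.2", "pkg:generic/libfoo",
                   "pkg:npm/left-pad@1.3.0"]},
    {"ref": "pkg:npm/express@4.19.2", "dependsOn": []}
  ]
}
"""


def check_sbom(doc):
    """Return a list of findings; an empty list means the SBOM passes."""
    findings = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
        return findings

    # The product itself must be identified so the graph has a root.
    root = doc.get("metadata", {}).get("component")
    if not root or not root.get("bom-ref"):
        findings.append("metadata.component (the product) is missing or has no bom-ref")
        return findings

    # Every declared component needs a stable reference, a name and a version;
    # without a version, a vulnerability match against it is meaningless.
    refs = {}
    for comp in doc.get("components", []):
        ref = comp.get("bom-ref")
        if not ref:
            findings.append(f"component {comp.get('name')!r} has no bom-ref")
            continue
        refs[ref] = comp
        if not comp.get("name"):
            findings.append(f"component {ref} has no name")
        if not comp.get("version"):
            findings.append(f"component {ref} has no version")

    # Top-level dependencies are whatever the root component dependsOn.
    deps = {d.get("ref"): d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    top_level = deps.get(root["bom-ref"])
    if top_level is None:
        findings.append("dependency graph has no entry for the root component")
    elif not top_level:
        findings.append("root component lists no top-level dependencies")
    else:
        for ref in top_level:
            if ref not in refs:
                findings.append(f"top-level dependency {ref} is not declared in components")
    return findings


def check_sbom_text(text):
    """Convenience wrapper: parse JSON text, then run the checks."""
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    for finding in check_sbom_text(SAMPLE_SBOM):
        print("FAIL:", finding)
```

Run in CI against the SBOM your build produces and fail the pipeline on any finding; the two defects in the sample are exactly the kind that slip through when an SBOM is generated once and never regenerated after a dependency bump.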

Formalize the vulnerability process. From 11 September 2026, actively exploited vulnerabilities must be reported through the single reporting platform within 24 hours. For that you need a process, not just a tool: who triages, who reports, who patches, and who keeps the coordinated vulnerability disclosure policy and the published contact address for vulnerability reports up to date?

Adjust procurement criteria. As an IT buyer: require SBOM data and documented vulnerability processes from your suppliers. This is not micromanagement — this is forward-looking supply chain risk management.

The next step

December 2027 will come. The question is whether you arrive with a structured plan or in panic mode.

If you take one thing away from this article: do the inventory. Which products, which category, which gaps against CRA requirements. That is an afternoon’s work — and it determines everything that follows.

(We support Swiss companies in implementing cybersecurity compliance pragmatically — without consultant theatrics and without panic. If you want to know where you stand, talk to us.)

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.
