CRA Compliance Deadline: Why Your Customers Won’t Wait Until December 2027

Most manufacturers plan their CRA compliance around one date: 11 December 2027. That’s when the Cyber Resilience Act fully applies, and that’s the CRA compliance deadline their project plans are built around. From a regulatory perspective, this makes sense. From a business perspective, it’s already too late.

The regulatory date is not the market date

The CRA’s transition timeline is defined in Article 71 CRA. The regulation entered into force on 10 December 2024. Reporting obligations for actively exploited vulnerabilities apply from 11 September 2026. The full set of requirements – conformity assessment, technical documentation, the essential cybersecurity requirements from Annex I – applies from 11 December 2027.

That’s the timeline the EU set. It is not the timeline your market is setting.

Customers are already asking – and they’re not waiting

In recent projects, I’ve seen manufacturers of industrial and railway components being asked by their customers for CRA compliance roadmaps – as part of procurement decisions and ongoing projects, not as a nice-to-have.

Some are demanding evidence of conformity well before December 2027. Others put it more bluntly: if your product can’t demonstrate the path to CRA compliance, we won’t buy it anymore.

The reason is structural, not just competitive. Article 13(5) CRA requires manufacturers to exercise due diligence when integrating third-party components. If your customer is a manufacturer who integrates your product into theirs, they need to ensure your product doesn’t compromise the cybersecurity of their overall system. They can’t wait until you’re compliant. They need evidence now that you’re on track – because their own conformity depends on it.

Once one supplier in a market segment starts communicating CRA-readiness, the others are measured against that benchmark. The regulation technically allows more time. The customer doesn’t care.

This creates a real gap

If you’re planning your CRA compliance around December 2027, you’re technically correct – but commercially exposed. The regulation gives you time. Your market does not.

What I find particularly challenging: most manufacturers I talk to haven’t even mapped their products against the CRA scope yet. They’re still figuring out whether their products fall under the CRA as “products with digital elements.” And while they’re working through that question, their customers are already asking for dates.

What I’d recommend as a minimum

The gap between “regulation applies from December 2027” and “customer demands compliance roadmap in 2026” is real, and it’s catching manufacturers off guard. You don’t need to be fully compliant tomorrow. But you need to be able to answer the questions that are already being asked.

Concretely, that means:

  • Know your product classification under the CRA – default category, important products (Annex III), or critical products (Annex IV).
  • Understand the essential requirements from Annex I, Part I (security properties) and Part II (vulnerability handling) in relation to your product.
  • Know the gap between your product’s current state and those requirements.
  • Be able to communicate a credible timeline – with milestones, not just a target date.

Not because the EU demands it right now. But because your next customer meeting might.

The question isn’t whether December 2027 is the regulatory deadline. It is. The question is whether your business can afford to treat it as the only one that matters.
