Cyber Resilience Act 2027: The Hardware Compliance Wall Most Teams Are Underestimating

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) was published in the Official Journal in November 2024 and entered into force the following month. The vulnerability and incident reporting obligations apply from September 11, 2026. Full application, including the complete set of essential cybersecurity requirements, starts on December 11, 2027. Any product with digital elements placed on the EU market is in scope, with only narrow sectoral carve-outs: medical devices already regulated under the MDR and IVDR, type-approved vehicles, civil aviation equipment, and products developed exclusively for national security or defence purposes. That still leaves connected industrial machines, robotics, and a long tail of IoT hardware most companies have not classified yet.
What the CRA Actually Requires
The CRA imposes three categories of obligations on manufacturers, hardware vendors included. First, security by design across the full lifecycle: every product must be designed, developed, and produced so that it provides a level of cybersecurity appropriate to the risks, and must ship without known exploitable vulnerabilities. Second, vulnerability handling: manufacturers must identify, document, and remediate vulnerabilities for the whole support period, and must report actively exploited vulnerabilities through the single reporting platform to the designated CSIRT and ENISA, with an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days of a fix or mitigation being available. Third, conformity assessment: every product must bear the CE marking, backed by an EU declaration of conformity and technical documentation that includes the cybersecurity risk assessment. Default products can self-assess; class I important products can self-assess only if they fully apply harmonised standards, class II important products need a notified body, and critical products may additionally be required to hold a European cybersecurity certificate.
The fines for breaching the essential requirements or the vulnerability-handling and reporting duties reach €15M or 2.5 percent of worldwide annual turnover, whichever is higher; other obligations carry a ceiling of €10M or 2 percent. National market surveillance authorities can also order non-compliant products withdrawn from the EU market.
The Hardware-Specific Pain Point
For software vendors, the CRA mostly formalizes practices many already have (CVE tracking, security patches, SBOM). For hardware vendors, it surfaces a much harder problem: the support-period requirement.
Hardware products often stay in service for 10, 15, or 25 years. The CRA requires the manufacturer to handle vulnerabilities for a support period that reflects how long the product is expected to be in use, and that period must be at least five years unless the product is expected to be used for less. For an industrial robot controller with a 20-year service life, that means two decades of vulnerability tracking on every connected component, every firmware version, and every third-party library used.
This is impossible without a configuration management system that holds the full as-built record per unit (hardware revision, firmware version, and the software components inside each) indexed by deployed serial number. Most hardware companies do not have this. They have a generic BOM and a fleet database that lost track of revisions three years ago.
The SBOM Mandate
The CRA explicitly requires manufacturers to draw up a Software Bill of Materials for every product placed on the market, in a commonly used machine-readable format covering at least the top-level dependencies, and to track vulnerabilities against it throughout the support period. The SBOM does not have to be published, but it must be available to market surveillance authorities on request, and the Commission may specify its format and content by implementing act. ENISA's draft technical guidance, published in February 2026, specifies the SPDX or CycloneDX format and requires the SBOM to be machine-readable and queryable.
The hardware industry is generally not ready. A March 2026 survey by VDMA found that only 23 percent of European industrial machinery manufacturers maintain a formal SBOM for their connected products, and only 9 percent maintain SBOMs at the per-serial-number level needed for accurate vulnerability response.
The Architecture That Survives the CRA
Manufacturers who will pass CRA enforcement share a common architecture. The engineering graph holds the requirement, the design, the BOM, and the SBOM as connected artifacts. The fleet database is not a separate system; it is a layer of the same graph, recording the as-built SBOM per deployed unit, updated whenever a unit receives a firmware update. When a vulnerability is disclosed in a third-party library, a single query identifies every affected unit, every customer, and the reporting obligations triggered.
Without this architecture, vulnerability response is a manual investigation that takes days. With it, response is a query that takes seconds. The CRA's 24-hour early-warning window for actively exploited vulnerabilities starts the moment the manufacturer becomes aware; a vendor that cannot enumerate affected units inside that window is the one exposed to the penalty regime above.
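The query described above, as an added example that is not the article's or Koddex's code: a per-serial-number index over as-built SBOMs and a vulnerability-impact query that returns affected units, customers, and the CRA reporting clocks. The unit records, serials, customer names, component names and the advisory are constructed sample data; component entries loosely follow CycloneDX JSON (name, version, purl) and the advisory loosely follows the OSV introduced/fixed range convention. The version comparison is a simplified dotted-integer compare, which is an assumption; real matching needs a version-scheme-aware library.

```python
from collections import defaultdict

# Constructed as-built records, one per deployed unit, keyed by device serial.
# In a real configuration graph these are the as-shipped and as-updated SBOMs
# attached to each unit, not a generic product BOM. Versions differ between
# units of the same product because each received different firmware updates.
UNITS = [
    {"serial": "RC-1001", "customer": "Acme Robotics", "product": "RC-200", "fw": "4.1.0",
     "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
         {"name": "mbedtls", "version": "2.28.3", "purl": "pkg:generic/mbedtls@2.28.3"},
         {"name": "lwip", "version": "2.1.3", "purl": "pkg:generic/lwip@2.1.3"}]}},
    {"serial": "RC-1002", "customer": "Acme Robotics", "product": "RC-200", "fw": "4.2.0",
     "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
         {"name": "mbedtls", "version": "2.28.5", "purl": "pkg:generic/mbedtls@2.28.5"},
         {"name": "lwip", "version": "2.1.3", "purl": "pkg:generic/lwip@2.1.3"}]}},
    {"serial": "RC-2040", "customer": "Nordwerk GmbH", "product": "RC-300", "fw": "1.0.7",
     "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
         {"name": "mbedtls", "version": "2.16.12", "purl": "pkg:generic/mbedtls@2.16.12"},
         {"name": "freertos", "version": "10.4.6", "purl": "pkg:generic/freertos@10.4.6"}]}},
]

# Constructed advisory (hypothetical identifier, not a real CVE). The affected
# package is named by a version-less purl; each range is half-open
# [introduced, fixed), one per maintained release branch.
ADVISORY = {
    "id": "EXAMPLE-2026-0001",
    "purl": "pkg:generic/mbedtls",
    "ranges": [{"introduced": "2.0.0", "fixed": "2.16.13"},
               {"introduced": "2.28.0", "fixed": "2.28.4"}],
    "actively_exploited": True,
}

# CRA Article 14 clocks for an actively exploited vulnerability, in hours from
# the moment the manufacturer becomes aware: early warning, notification, and
# final report (the last one runs from when a fix or mitigation is available).
CRA_CLOCKS_HOURS = {"early_warning": 24, "notification": 72, "final_report": 14 * 24}


def parse_version(v: str) -> tuple:
    """Dotted integers padded to three fields; pre-release tags are dropped (assumption)."""
    parts = [int(p) for p in v.split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def purl_base(purl: str) -> str:
    """Strip the @version, ?qualifiers and #subpath so units can be keyed by package."""
    return purl.split("@")[0].split("?")[0].split("#")[0]


def is_affected(version: str, ranges: list) -> bool:
    """True if version falls inside any [introduced, fixed) range; no 'fixed' means open-ended."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = parse_version(r["fixed"]) if "fixed" in r else None
        if lo <= v and (hi is None or v < hi):
            return True
    return False


def build_index(units: list) -> dict:
    """Map version-less purl -> [(serial, installed version, unit record)] across the fleet."""
    index = defaultdict(list)
    for unit in units:
        for comp in unit["sbom"]["components"]:
            index[purl_base(comp["purl"])].append((unit["serial"], comp["version"], unit))
    return index


def query_impact(index: dict, advisory: dict) -> dict:
    """The single query: which units, customers and products are hit, and which clocks start."""
    hits = [(serial, ver, unit) for serial, ver, unit in index.get(advisory["purl"], [])
            if is_affected(ver, advisory["ranges"])]
    # Reporting duties only attach when the vulnerability is actively exploited
    # and actually present in at least one of the manufacturer's units.
    clocks = CRA_CLOCKS_HOURS if (advisory["actively_exploited"] and hits) else {}
    return {
        "advisory": advisory["id"],
        "affected_serials": sorted(s for s, _, _ in hits),
        "affected_customers": sorted({u["customer"] for _, _, u in hits}),
        "affected_products": sorted({u["product"] for _, _, u in hits}),
        "reporting_clocks_hours": clocks,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(query_impact(build_index(UNITS), ADVISORY), indent=2))
```

Note that the two RC-200 units give different answers: the per-serial record shows RC-1001 still on mbedtls 2.28.3 and therefore affected, while RC-1002 was updated past the fix. A generic product BOM cannot make that distinction, which is exactly the gap the as-built index closes.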
What to Do Before September 2026
The first step is scope assessment: every product with digital elements placed on the EU market from December 11, 2027 is in scope, as is any earlier product that is substantially modified after that date, and the Article 14 reporting duties also reach products already on the market; only the sectoral carve-outs (MDR/IVDR medical devices, type-approved vehicles, civil aviation, national security and defence) are excluded. The second step is SBOM coverage: get a formal SBOM in place for every product, indexed to as-built records per serial number. The third step is the architectural one: pick an engineering backbone that holds the SBOM as part of the configuration graph, not as a parallel artifact in a security tool.
Koddex was designed for this convergence. Configuration management, SBOM, and vulnerability tracking are not separate systems. They are three views on the same graph. CRA compliance becomes a query, not a quarterly fire drill.