Close search
Cyber Resilience Act: Are you in scope—and what should you do in 2026? - Gorrissen Federspiel
Search

HomeCyber Resilience Act: Are you in scope—and what should you do in 2026?

Cyber Resilience Act: Are you in scope—and what should you do in 2026?

5 February 2026

The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market. While full compliance applies from 11 December 2027, CRA is in practice a lifecycle regulation: the outcome in 2027 is largely determined by decisions made earlier, i.e. how products are scoped, how support and updates are committed to, and how supplier and customer contracts allocate responsibilities and access to evidence.

This is why we are raising CRA now. For many organisations, 2025-2026 is the window where product roadmaps, sourcing, and contracting must be aligned – otherwise remediation later becomes expensive and commercially disruptive.

A point that often comes as a surprise is that software and apps may also fall within scope, where they qualify as products with digital elements and are placed on the EU market.

Is your organisation in scope? (30-second check)

Your organisation is likely in scope if you answer yes to any of the following:

  • You sell hardware or software that includes software/firmware and is intended to connect (directly or indirectly) to a device or network
  • You act as a manufacturer, importer, or distributor in the EU supply chain
  • You private label, bundle, integrate, or materially customise products for customers
  • Your products require security updates over a defined support period
  • You change products post-delivery (updates, new features, integrations) in a way that could qualify as a substantial modification

Why this matters now

CRA will shape expectations around support periods, security updates, technical documentation (including SBOMs), vulnerability handling, and conformity. If these elements are not addressed early—both operationally and contractually—companies risk delays, renegotiations, or difficulties placing products on the EU market.

How we help (practical, to the point)

We offer a focused CRA Scope & Lifecycle Review (tailored to your needs), providing:

  • A clear assessment of whether you are in scope, and in which role (manufacturer/importer/distributor)
  • An overview of key trigger points (placing on the market / making available / substantial modification)
  • A short, prioritised set of actions for 2026 (contracts, update/support commitments, evidence pack)

If this is relevant for you, please give us a call or drop us a mail, and we will suggest a practical next step.