Understanding the EU Cyber Resilience Act: What manufacturers in Ireland and Northern Ireland need to know
This article explains what the EU Cyber Resilience Act rules mean for manufacturers, particularly SMEs operating in Northern Ireland and Ireland. We will focus on practical implications, helping you understand what you need to do and when.
If your company makes products that connect to the internet or other devices, significant changes are coming this year and next. New EU-wide cybersecurity rules are being introduced to address a problem we've all experienced: too many digital products are released with poor security, rarely updated, and abandoned by manufacturers while still in use.
For businesses making software, hardware, or connected devices, these rules will fundamentally change how you approach product development and support. While formal adoption happened in December 2024, the main requirements apply from December 2027. However, critical reporting obligations start much sooner: from 11 September 2026 you must report actively exploited vulnerabilities to authorities, even for products you have already placed on the market before 11 December 2027[1].
Understanding the Cyber Resilience Act's scope and application
What products are covered by the Cyber Resilience Act?
The Cyber Resilience Act applies to products with digital elements made available on the EU market where the intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This broad definition encompasses both hardware products (such as routers, IoT devices, and smart home products) and software products (including operating systems, browsers, and security applications).
The regulation introduces essential cybersecurity requirements organised into two categories: requirements relating to product properties (Part I of Annex I) and vulnerability handling requirements (Part II of Annex I). Products must be designed to ensure appropriate cybersecurity based on risk assessment, be delivered without known exploitable vulnerabilities, include secure-by-default configurations, and support security updates throughout a defined support period.
What are the key exclusions and overlaps of the Cyber Resilience Act?
Certain products fall outside the Cyber Resilience Act's scope due to existing sector-specific regulations. Medical devices governed by Regulations (EU) 2017/745 and 2017/746 are excluded, as are vehicles covered by Regulation (EU) 2019/2144 and aviation products certified under Regulation (EU) 2018/1139. Products developed exclusively for national security or defence purposes, or specifically designed to process classified information, also remain outside the regulation's reach.
The Cyber Resilience Act's application timeline provides manufacturers with a three-year transition period. The regulation becomes fully applicable from 11 December 2027. However, manufacturers must comply with vulnerability reporting obligations from 11 September 2026, and the procedures for notifying conformity assessment bodies commence from 11 June 2026.
The "commercial activity" concept
These rules apply to products "made available on the market in the course of a commercial activity". This sounds straightforward but has nuances important for smaller businesses.
You are conducting commercial activity if you:
- Sell products or charge for support beyond actual cost recovery
- Intend to monetize somehow (advertising, data collection, premium features)
- Require users to provide personal data for purposes beyond security and compatibility
- Accept donations exceeding your development and operational costs.
However, genuine non-profit operations, open-source projects without commercial intent, and projects accepting modest donations purely to cover costs may not be considered commercial activities. The distinction matters because it determines whether these rules apply to you.
Core manufacturer obligations
Manufacturers bear primary responsibility for ensuring products meet essential cybersecurity requirements before market placement. This necessitates conducting comprehensive cybersecurity risk assessments that consider intended purpose, reasonably foreseeable use, operational environment, and assets requiring protection. The assessment must identify which security requirements apply to specific products and inform implementation approaches.
How do I ensure due diligence on component integration?
When integrating third-party components, including open-source software, manufacturers must exercise appropriate due diligence. This involves verifying that component manufacturers have demonstrated Cyber Resilience Act conformity (where applicable), confirming components receive regular security updates, checking components are free from known vulnerabilities in public databases, and conducting additional security testing where risks warrant.
The regulation requires manufacturers to identify and document all components, including through software bills of materials (SBOMs) covering at minimum top-level dependencies in commonly used machine-readable formats. This transparency enables manufacturers to track vulnerabilities across their supply chains and respond appropriately when issues emerge in integrated components.
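As an added illustration (not part of this article and not an official CRA tool), the following Python sketch shows the two due-diligence checks described above run over a constructed inventory: it renders top-level dependencies as a minimal CycloneDX-style SBOM and flags components that match a known advisory or have had no recent release. Every component name, version and advisory id is a constructed placeholder, and only a small subset of CycloneDX fields is populated.

```python
"""Minimal SBOM build plus component due-diligence check. Added illustration
for this article, not CRA tooling; all data below is constructed."""
from datetime import date


def _vtuple(version):
    """'1.2.10' -> (1, 2, 10) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def build_sbom(product, components):
    """Render top-level dependencies as a CycloneDX-style (spec 1.5) dict."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": product}},
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                # Package URL gives a machine-readable component identifier.
                "purl": f"pkg:generic/{c['name']}@{c['version']}",
                "properties": [{"name": "last-release", "value": c["last_release"]}],
            }
            for c in components
        ],
    }


def due_diligence(sbom, advisories, today, max_age_days=365):
    """Return sorted (component, reason) findings for the two checks:
    an advisory affects the shipped version (or has no fix yet), or the
    last release is older than max_age_days (no regular security updates)."""
    findings = []
    for comp in sbom["components"]:
        ver = _vtuple(comp["version"])
        for adv in advisories:
            fixed = adv.get("fixed_in")
            if adv["component"] == comp["name"] and (fixed is None or ver < _vtuple(fixed)):
                findings.append((comp["name"], f"known vulnerability {adv['id']}"))
        last = next(p["value"] for p in comp["properties"] if p["name"] == "last-release")
        if (today - date.fromisoformat(last)).days > max_age_days:
            findings.append((comp["name"], f"no release in {max_age_days} days"))
    return sorted(findings)


# Constructed inventory for a fictitious gateway firmware and placeholder advisories.
COMPONENTS = [
    {"name": "tls-lib", "version": "1.4.2", "last_release": "2025-11-01"},
    {"name": "json-parse", "version": "2.0.1", "last_release": "2023-06-15"},
    {"name": "mqtt-client", "version": "3.1.0", "last_release": "2025-09-20"},
]
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "component": "tls-lib", "fixed_in": "1.4.3"},
    {"id": "EXAMPLE-ADV-002", "component": "json-parse", "fixed_in": None},
    {"id": "EXAMPLE-ADV-003", "component": "mqtt-client", "fixed_in": "3.0.5"},
]


def run_example():
    """Run the check on the constructed data with a fixed 'today' date."""
    return due_diligence(build_sbom("gateway-fw", COMPONENTS), ADVISORIES, date(2026, 3, 1))
```

Real checks would query a public vulnerability database and compare proper version ranges rather than a single fixed version; the structure of the output (component, reason) is what feeds the technical documentation.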
What does support period determination mean?
One of the Cyber Resilience Act's most significant requirements involves determining appropriate support periods during which manufacturers must manage vulnerabilities effectively. Support periods must reflect the time products are expected to remain in use, considering reasonable user expectations, product nature and intended purpose, relevant EU law determining product lifetimes, and other factors including available guidance.
The regulation establishes a baseline minimum support period of five years unless product lifetime is demonstrably shorter. For hardware components like motherboards, microprocessors, and network devices, as well as software such as operating systems, manufacturers should anticipate longer support periods reflecting extended use expectations. Products intended for industrial settings often require significantly longer support given their typical operational lifespans.
Manufacturers must clearly specify support period end dates at purchase time in easily accessible formats, including on products, packaging, or through digital means where applicable. When products reach support period conclusion, manufacturers are encouraged to release source code to enable continued vulnerability handling, either through other undertakings or publicly.
Vulnerability handling and reporting
The Cyber Resilience Act introduces mandatory vulnerability handling requirements that manufacturers must maintain throughout support periods. These include applying effective regular testing and security reviews, addressing and remediating vulnerabilities without delay through security updates, and implementing policies for coordinated vulnerability disclosure.
What are my reporting obligations under the Cyber Resilience Act?
Manufacturers must notify actively exploited vulnerabilities and severe incidents having security impacts using the Single Reporting Platform managed by the European Union Agency for Cybersecurity (ENISA). Notifications follow structured timelines:
For actively exploited vulnerabilities, manufacturers must submit early warning notifications within 24 hours of awareness, vulnerability notifications within 72 hours providing general information about the exploit and available corrective measures, and final reports within 14 days after corrective measures become available, detailing the vulnerability, exploitation information, and remediation steps.
Severe incidents follow similar timelines with early warnings within 24 hours, incident notifications within 72 hours, and final reports within one month providing detailed descriptions, root causes, and mitigation measures.
These reporting obligations apply to all products with digital elements in scope, including those placed on the market before the Cyber Resilience Act becomes fully applicable on 11 December 2027[1].
Conformity assessment procedures
The Cyber Resilience Act establishes risk-based conformity assessment procedures based on four product categories.
The Default category (sometimes referred to as "unclassified") covers approximately 90% of all products in scope - the vast majority of connected products that most SMEs produce. Examples include smart home devices, printers, Bluetooth speakers, mobile and desktop applications, and media player software. Manufacturers in this category can self-assess their compliance against the essential requirements set out in Annex I of the CRA, following the self-assessment protocol in Annex VIII, and affix the CE mark on that basis. This requires drawing up technical documentation, implementing quality processes to ensure ongoing compliance, and issuing an EU Declaration of Conformity.
What are important and critical products under the Cyber Resilience Act?
Products categorised as "important" or "critical" based on cybersecurity-related functionality or significant risk potential face stricter assessment requirements.
Important Class I products carry a higher cybersecurity risk profile. The complete list is defined in Annex III of the CRA and includes identity and access management (IAM/PAM) systems, standalone and embedded browsers, password managers, anti-malware software, virtual private network (VPN) products, network management systems, operating systems, boot managers, routers and modems intended to connect to the internet, and switches. Manufacturers of Class I products can self-assess - avoiding the need for third-party assessment - provided they can demonstrate compliance through one of three recognised routes: applying a relevant Harmonised Standard, applying a Common Specification adopted by the European Commission, or using a European Cybersecurity Certification scheme. Where none of these routes is available for a given product, third-party assessment by a notified Conformity Assessment Body (CAB) is required.
Harmonised standards are European standards developed by recognised European Standards Organisations - CEN, CENELEC and ETSI - following a mandate from the European Commission. Where a manufacturer demonstrates compliance with a relevant harmonised standard, they are presumed to meet the corresponding essential cybersecurity requirements of the CRA, significantly reducing the burden of conformity assessment. No harmonised standards specifically covering the CRA essential requirements currently exist; the EU Commission issued a standardisation request in early 2025, and work is now underway. A total of 41 standards have been requested, divided into two categories:
- Horizontal standards (15 in total) are product-agnostic and apply to all products within scope. They follow the essential requirements and vulnerability handling requirements in Annex I of the CRA. The first two horizontal standards - covering cybersecurity-by-design principles and vulnerability handling - are due for adoption by 30 August 2026, ahead of the vulnerability reporting obligations that come into force on 11 September 2026. All remaining horizontal standards are due by 30 October 2027, close to the end of the main transition period on 11 December 2027.
- Vertical standards (25 in total) are product-specific and apply only to Important Class I, Important Class II, and Critical Class products. For Class I products, achieving compliance with a relevant vertical standard enables self-assessment and avoids third-party conformity assessment. For Class II and Critical products, a third-party assessment remains mandatory, but the vertical standards provide clear guidance on what cybersecurity level must be achieved. All vertical standards are due by 30 October 2026, giving manufacturers of higher-risk products more than a year to use them before the main transition deadline. Vertical standards for Critical products will be developed in a restricted setting to protect sensitive information. Some existing standards, such as EN IEC 62443 for operational technology products, are being used as a basis, meaning manufacturers already aligned to these may have less work to do.
SMEs in Ireland and Northern Ireland should monitor progress closely. Given that some adoption deadlines fall very close to the main transition deadline of 11 December 2027, manufacturers cannot rely on harmonised standards being available in time for all product launches. Where standards are not yet available, manufacturers will need to use alternative methods - such as Common Specifications or their own internal technical documentation - to demonstrate conformity. Further information on the CRA standardisation programme is available at www.stan4cra.eu.
Class II important products (including hypervisors, firewalls, intrusion detection systems, and tamper-resistant microprocessors) always require third-party assessment involving notified bodies, regardless of standard application.
Critical products (hardware security boxes, smart meter gateways, and smartcards) may require European cybersecurity certification at substantial assurance levels where the Commission mandates such certification through delegated acts.
For manufacturers qualifying as microenterprises or small enterprises, the Commission will establish simplified technical documentation forms, alleviating administrative burdens whilst maintaining compliance requirements. Under the principle of proportionality, conformity assessment bodies (CABs) must consider SME interests and needs when setting fees for conformity assessment procedures, applying a risk-based approach.
Cross-border considerations for SME manufacturers in Ireland and Northern Ireland
Manufacturers based in Ireland benefit from straightforward EU market access through Cyber Resilience Act compliance. However, those operating in Northern Ireland face additional complexity given the Windsor Framework arrangements governing Northern Ireland's relationship with EU single market rules for goods.
What does the Windsor Framework mean for Cyber Resilience Act application?
The Windsor Framework (amending the NI Protocol) keeps Northern Ireland aligned with EU rules, requiring the CE mark for most goods to ensure free circulation in the EU Single Market. While the Protocol required strict adherence, the Framework simplifies this by allowing UK bodies to certify goods for NI using a UK(NI) mark alongside the CE mark. Products following the "UK internal market system" and intended solely for the Great Britain market need not comply with Cyber Resilience Act requirements, but must meet any equivalent UK cybersecurity regulations (which at present do not exist in comparable comprehensive form).
The Trade Hub has a useful complete guide to general product safety markings that you might want to refer to.
CE Marking and market surveillance
The Cyber Resilience Act requires CE marking on compliant products, indicating conformity with essential cybersecurity requirements. For Northern Ireland businesses, CE marking enables market access across the EU single market including Ireland. Products bearing CE marking may also display UKCA marking for Great Britain market access, though separate conformity assessment may be required depending on recognition arrangements.
Market surveillance authorities designated under the Cyber Resilience Act in each Member State will monitor compliance and enforce requirements. Manufacturers should establish clear processes for responding to market surveillance inquiries, providing technical documentation, and implementing corrective measures when non-compliance is identified.
Practical Cyber Resilience Act implementation steps
SME manufacturers should begin Cyber Resilience Act preparation by conducting gap analyses comparing current practices against essential cybersecurity requirements. This involves reviewing product security features, vulnerability handling processes, component management approaches, and documentation practices.
Establishing or enhancing vulnerability management capabilities represents a critical priority. Manufacturers must implement coordinated vulnerability disclosure policies, designate single points of contact for vulnerability reporting, maintain software bills of materials, and develop processes for timely security update development and distribution.
Technical documentation should be developed systematically following Annex VII requirements, including general product descriptions, design and development specifications, risk assessments, support period determinations, and conformity evidence. Under Article 33(5) of the Cyber Resilience Act, microenterprises and small enterprises should expect the option to provide all elements of the technical documentation in a simplified format once that option becomes available through Commission implementing acts.
Selecting appropriate conformity assessment routes requires understanding product categorisation. Manufacturers should determine whether products qualify as important or critical based on functionality and risk characteristics, identify applicable harmonised standards or certification schemes that could support internal control procedures, and identify suitable notified bodies for third-party assessment where required.
For manufacturers operating cross-border between Ireland and Northern Ireland, establishing clear market strategies proves essential. This includes determining which markets products will target (Ireland/EU only, UK only, or both), understanding when Windsor Framework provisions apply to Northern Ireland operations, and preparing for potential dual conformity assessment under the Cyber Resilience Act and any future UK equivalents.
Penalties and enforcement
The Cyber Resilience Act establishes significant penalties for non-compliance. Violations of essential cybersecurity requirements can result in administrative fines up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Lesser violations such as documentation failures incur fines up to €10 million or 2% of turnover, whilst providing incorrect information to authorities can trigger fines up to €5 million or 1% of turnover.
However, the regulation provides important protections for SMEs. Microenterprises and small enterprises face no administrative fines for failures to meet the 24-hour early warning notification deadlines for actively exploited vulnerabilities or severe incidents. When determining fine amounts, enforcement authorities must consider business size and whether fines have already been applied by other Member State authorities for similar infringements, ensuring proportionality.
Conclusion
The Cyber Resilience Act fundamentally reshapes the regulatory landscape for products with digital elements across the EU market. For SME manufacturers, the regulation presents both challenges and opportunities. Compliance requires investment in security capabilities, documentation, and conformity assessment, with particular complexity for businesses navigating cross-border arrangements between Ireland and Northern Ireland.
However, the Cyber Resilience Act also creates benefits through harmonised requirements replacing fragmented national approaches, clearer market access conditions, and reduced competitive disadvantage relative to larger manufacturers lacking security investment. By commencing preparation now, engaging with emerging guidance, and building appropriate capabilities, Irish and Northern Ireland SMEs can position themselves for successful compliance whilst strengthening their products' security and market competitiveness.
The regulation's phased implementation provides time for adaptation, with most obligations applying from December 2027 but vulnerability reporting requirements commencing September 2026. Manufacturers should use this transition period to conduct gap analyses, enhance vulnerability handling capabilities, develop appropriate documentation, engage with conformity assessment bodies, and establish cross-border compliance strategies appropriate to their specific market focus and operational structure.
Support and resources
EU funding: The Digital Europe Programme and other EU funding mechanisms support cybersecurity capacity building, particularly for SMEs. For example, the Secure project for eligible EU/EEA based manufacturers: https://www.secure4sme.eu/
EU Commission help pages: Updated and official source of Cyber Resilience Act information and implementation guides:
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
European Union Agency for Cybersecurity - ENISA:
https://www.enisa.europa.eu/topics/product-security-and-certification
Standards bodies: NSAI (National Standards Authority of Ireland) can provide information about relevant standards and specifications: https://www.nsai.ie/
Article reviewed by the InterTradeIreland Trade Hub Team: March 2026
References
1. EU Commission FAQs on the Cyber Resilience Act (live document) https://ec.europa.eu/newsroom/dae/redirection/document/122331