New EU Security Rules from September 2026 - What the Cyber Resilience Act Means for All of Us
Introduction
Imagine buying a smart doorbell, a smartwatch, or a simple accounting app - and the manufacturer has known about a critical security flaw for weeks without telling anyone. That is exactly the kind of situation the EU Cyber Resilience Act aims to end from September 2026 onwards. Europe is tightening its grip on digital product security in a way that will affect every consumer and business across the continent.
What Is the Cyber Resilience Act?
The Cyber Resilience Act is the first European regulation to establish a binding minimum level of cybersecurity for all connected products available on the EU market. Until now, a manufacturer could sell a connected device or app with serious security vulnerabilities without being held directly accountable under EU product law. That changes fundamentally with this regulation.
The law applies to both connected hardware products such as smartphones, laptops, smart home devices, smartwatches, and connected toys, as well as to software-only products such as accounting software, video games, and mobile apps. The Cyber Resilience Act entered into force on 10 December 2024 and is being rolled out in stages - with the first major milestone for consumers and businesses arriving on 11 September 2026.
What Changes Specifically from September 2026?
From 11 September 2026, manufacturers must submit an initial early warning within 24 hours of becoming aware of any actively exploited vulnerability or severe security incident. A fuller notification with additional details must follow within 72 hours, and a final report is required within one month of the initial warning. These reports go directly to the EU cybersecurity agency ENISA as well as to national authorities, all submitted through a new central platform specifically created for this purpose - the CRA Single Reporting Platform.
For consumers, this means something very practical: if a manufacturer discovers a security flaw in your device, it must notify the authorities within a single day - and subsequently inform affected users. The long-standing practice of staying silent to protect brand reputation will no longer be legally viable. Violations of core obligations can result in fines of up to 15 million euros or 2.5 percent of global annual revenue - figures large enough to get the attention of even major corporations. Crucially, it makes no difference whether the manufacturer is based inside or outside the EU. What matters is whether the product is being sold on the European market.
How Prepared Are Companies - and Why Is Time Running Short?
The honest answer is: not prepared enough. According to the ONEKEY Report 2025, only 32 percent of German industrial companies are familiar with the requirements, and 38 percent have taken no steps to prepare whatsoever. That is a worrying figure given how close the deadline now is. For mid-sized manufacturers, the Cyber Resilience Act means every connected sensor, machine controller, and software component falls under the regulation.
A central element of the new framework is something called a Software Bill of Materials, or SBOM - essentially a complete ingredient list for software. Manufacturers must compile a comprehensive inventory for each connected product, listing all programs, libraries, frameworks, and dependencies with exact version numbers. In practice, this is challenging for many companies, particularly those that source components from external partners or rely on open-source code. Businesses that do not yet have a functioning process for detecting and reporting security incidents need to build one now - and six months is not a generous window for that kind of organizational change.
What Does This Mean for Consumers - and What Should You Do Now?
For consumers across Europe, the Cyber Resilience Act is fundamentally good news. Products will be more secure by design, and when something does go wrong, manufacturers will be legally required to act faster and communicate more openly. The next major milestone follows in December 2027, when all connected products on the EU market must carry CE marking as proof of CRA compliance - without a conformity certificate, products will no longer be permitted on the market at all.
Practical steps you can take right now as a consumer: when buying connected devices, look for manufacturers that offer regular security updates and are transparent about known vulnerabilities. For smart home products in particular, check how long the manufacturer commits to providing security patches. If after September 2026 a security warning is issued for your device and the manufacturer fails to respond, you can contact the relevant national cybersecurity authorities - BSI in Germany, CERT.at in Austria, or the NCSC in Switzerland.
For businesses: if you manufacture or distribute connected products, now is the time to take stock. Which of your products fall under the CRA? Do you have a process in place to detect and report security incidents? If not, build one now. September 2026 is closer than it sounds - and the consequences of being caught unprepared are not trivial.
Sources
BSI - Bundesamt für Sicherheit in der Informationstechnik: Cyber Resilience Act, bsi.bund.de
European Commission - Digital Strategy: Cyber Resilience Act, digital-strategy.ec.europa.eu
ONEKEY GmbH: Cyber Resilience Act Phase 1 - Meldepflicht für Hersteller startet 2026, onekey.com
ADVISORI FTC GmbH: Was ist der Cyber Resilience Act?, advisori.de
bbv Software Services AG: Cyber Resilience Act - Was Hersteller ab September 2026 beachten müssen, bbv.ch
MyBusinessFuture: Cyber Resilience Act - Was Hersteller jetzt tun müssen, mybusinessfuture.com
BOS: Cyber Resilience Act - Pflichten, Fristen und Anforderungen, bos-kg.de
IAPP: Navigating the new EU cybersecurity standards - NIS2 and Cyber Resilience Act, iapp.org