EU Product Security Push
A security note says the EU Cyber Resilience Act is already reshaping expectations for digital products sold in the EU and that, by 2027, new digital products will need to demonstrate compliance with product‑security requirements. The guidance frames product security as a demonstrable obligation rather than an optional practice. (3blmedia.com)
The European Union has moved product security from a best practice to a market-access rule for connected devices and software sold in Europe. (digital-strategy.ec.europa.eu) The Cyber Resilience Act entered into force on December 10, 2024, and its main obligations apply from December 11, 2027. A first deadline arrives earlier: from September 11, 2026, manufacturers must report actively exploited vulnerabilities and severe incidents. (digital-strategy.ec.europa.eu)

The law covers “products with digital elements,” the European Commission’s term for hardware and software with a direct or indirect data connection. The Commission says those products will need to be designed, developed, and maintained with security in mind across their lifecycle. (eur-lex.europa.eu) In practice, that means manufacturers must be able to show how a product meets the act’s essential cybersecurity requirements before it is placed on the European Union market. Compliant products will carry the CE mark, and national market-surveillance authorities will enforce the rules. (digital-strategy.ec.europa.eu)

The push reaches beyond device makers. The regulation places obligations on manufacturers, importers, and distributors, and it ties cybersecurity to the same kind of conformity process Europe already uses for other product rules. (eur-lex.europa.eu)

The European Union wrote the act to address two problems it says have persisted across the market: products shipped with too many vulnerabilities, and weak or inconsistent security updates after sale. The regulation says users also often lack enough information to judge whether a product is secure. (eur-lex.europa.eu)

Some products will face stricter checks than others. ENISA, the European Union Agency for Cybersecurity, says the act sorts certain products into “important” and “critical” categories, with tougher obligations for higher-risk products. (certification.enisa.europa.eu)

The European Commission is still filling in the playbook. In February 2026 it published draft guidance for feedback, and ENISA has been mapping existing standards to the act’s requirements so manufacturers can use technical standards to show a presumption of conformity. (digital-strategy.ec.europa.eu) (enisa.europa.eu) ENISA is also building the Single Reporting Platform for the 2026 incident-reporting deadline, so manufacturers can file one report for actively exploited vulnerabilities and severe incidents instead of reporting separately to multiple bodies. (enisa.europa.eu)

For companies that sell software, smart devices, or embedded systems into Europe, the calendar is now specific: reporting starts in September 2026, and the broader compliance regime starts in December 2027. The question is no longer whether product security will be checked, but whether manufacturers can document it. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2)