
The manufacturing sector is staring down the biggest shift in product compliance requirements in more than two decades, and most companies are still underestimating how far-reaching it will be.
Two major pieces of EU legislation, the Cyber Resilience Act (CRA) and the updated Product Liability Directive (PLD), will go into full effect over the next 24 months. Together, they fundamentally expand what “safety” means for any product that includes digital components. Since Europe is the world’s largest regulatory trend-setter, these standards will influence compliance regimes in other countries in short order.
For any manufacturer building products with software, from industrial equipment and IoT systems to vehicles and consumer appliances, product security is no longer just a best practice reserved for high-risk sectors. Under the EU’s new rules, it becomes a universal legal obligation.
Two Laws, One Message: Secure-by-Design Is Now Mandatory
The EU’s new regulatory framework makes it clear that security must be built into every connected product from the very beginning. The Cyber Resilience Act and the updated Product Liability Directive approach this from different angles, but they converge on the same expectation that manufacturers treat cybersecurity as a core safety requirement.
The CRA effectively transforms cybersecurity into a prerequisite for CE marking, placing it on equal footing with electrical and physical safety. Although it entered into force at the end of 2024, its most significant obligations begin applying in December 2027, with some reporting requirements arriving even earlier.
The law applies broadly to nearly any product with digital elements, whether that’s embedded firmware inside industrial machinery, software-driven consumer devices, or network-connected equipment used across factories and supply chains.
Under this regulatory framework, manufacturers are now responsible for integrating cybersecurity into design, development, production, maintenance, and long-term support. This includes conducting risk assessments, managing third-party software components, providing secure default configurations, and ensuring a reliable process for vulnerability handling and security updates.
The updated PLD takes this further by expanding the definition of what counts as a “product.” Beginning in December 2026, software, firmware, digital design files, and AI-enabled components will all be treated the same as physical goods when it comes to liability.
A cybersecurity flaw is no longer just an IT issue, as it can now constitute a legally recognized defect. If insecure defaults, unpatched vulnerabilities, poor lifecycle maintenance, or inadequate documentation lead to damage, manufacturers may be held strictly liable.
In this sense, the PLD picks up where the CRA leaves off: companies that fail to design securely under the CRA may face liability exposure under the PLD. Unlike the CRA, the PLD sets no cap on liability, which means companies are potentially facing an existential threat. Fortunately for manufacturers, the PLD protections extend to consumers but not to corporate buyers.
The CRA and PLD don’t just add a new compliance requirement; they reshape how digital products must be designed and supported. For many manufacturers that have thus far escaped regulatory scrutiny, this will require rethinking processes that haven’t materially changed in decades.
Many manufacturers assume they have until 2026 or 2027 to act, but any product that will be put on the market in those years is likely already in development. Long hardware lifecycles and slow certification timelines mean today’s design choices determine tomorrow’s compliance.
What accelerates the urgency is the sector’s rapid digitization. Sensors, connectivity, remote updates, and cloud integrations have quietly turned traditional equipment into software-defined systems. A pump or actuator with even minimal embedded firmware is now judged not only on mechanical reliability, but on cybersecurity resilience. Once software becomes part of the safety profile, expectations change quickly among regulators, insurers, and customers.
The supply chain adds more pressure. Modern products rely on layers of open source components, vendor SDKs, communication stacks, and increasingly AI-driven logic. Under the CRA, manufacturers are accountable for the security of all of it. This level of visibility into software dependencies is something many organizations simply don’t have yet.
The market is moving even faster than the law. Industrial buyers and European OEMs have already begun preparing their procurement processes for the CRA, following guidance from ENISA and the European Commission that encourages organizations to align supplier requirements with upcoming obligations.
Major insurers, including Allianz and Munich Re, have publicly noted that the growing cyber risks associated with connected and software-driven products are influencing how they assess exposure and underwrite policies. Because the updated PLD imposes new responsibilities on distributors and importers for software defects, many are already reviewing what documentation and secure-by-design evidence they will need from manufacturers as enforcement approaches.
While enforcement hasn’t begun yet, the expectations have. Companies that wait for the official deadlines will be reacting to a landscape that has already shifted.
What Manufacturers Must Do
1. Map your product portfolio for digital exposure. Most manufacturers are surprised by how many of their products count as “digital” under the CRA. Anything with embedded firmware, connectivity, or third-party code is in scope. Building an accurate inventory (i.e., what software runs where, and which components communicate externally) is essential. Without this visibility, companies risk discovering compliance gaps far too late.
2. Assess your gaps against CRA requirements. A realistic comparison between current development practices and CRA expectations often reveals major shortcomings. Many teams still rely on ad hoc reviews or late-cycle testing, while the CRA expects ongoing risk management and secure design practices. Knowing the gap early allows companies to prioritize the remediation that matters most.
3. Build secure-by-design practices directly into engineering workflows. Security can no longer be bolted on. It must be woven into design and development through practices like documenting and testing security requirements, threat modeling, automated security testing, code and architecture reviews, dependency tracking, and secure default configurations. For higher-risk products, deeper testing is needed. Regulators want evidence that security is integrated, not optional.
4. Create a reliable vulnerability and update process. Lifecycle security is core to both laws. Manufacturers need a dependable way to receive, triage, and fix vulnerabilities, and to deliver secure updates in a timely, documented manner. Under the PLD, failing to provide reasonable updates can constitute a defect, making patching not just good practice but a legal requirement.
5. Get control of your software supply chain. Modern products depend heavily on third-party and open source components, and the CRA holds manufacturers responsible for the security of these dependencies. This means maintaining SBOMs, monitoring upstream vulnerabilities, evaluating supplier security, and replacing unsupported components. This is an ongoing governance problem, not a one-time exercise.
6. Prepare for the documentation burden these laws impose. Compliance will hinge on the ability to produce solid evidence with documented security requirements, test results, update histories, architecture decisions, and more. This documentation supports CE cybersecurity declarations and must be maintained throughout the product’s lifecycle. Trying to assemble it at the end of development will be nearly impossible.
The real deadline is the product development cycle itself. While the CRA and PLD fully apply in late 2026 and 2027, any product that will still be sold in those years must already be designed with these principles in mind. By then, it will be too late to assemble documentation, redesign update mechanisms, or justify architectural decisions after the fact. The manufacturers that struggle will be those attempting to retrofit security once enforcement begins.
At the same time, these laws create a real competitive advantage for manufacturers that move early. Secure-by-design practices reduce recalls, warranty costs, and incident-response burdens, while making products more attractive to insurers and enterprise buyers. They also strengthen leverage with suppliers, many of whom will soon need to demonstrate their own security posture to stay in the chain. Most importantly, companies that invest now will be first in line for contracts that increasingly require verifiable cybersecurity maturity.
In the end, readiness isn’t just about compliance; it’s about who earns the right to compete in the next era of digital manufacturing.