CE Marking Under the Cyber Resilience Act (CRA)
The EU’s Cyber Resilience Act (CRA) is reshaping the compliance landscape for digital products in Europe. While most attention has focused on the Act’s new cybersecurity obligations, there is another important consequence: CE marking will now also reflect compliance with the CRA.
CRA and the CE Mark: What Does This Mean in Practice?
If your connected product line, such as smart home or office appliances, was CE-marked years ago under another EU directive (for example, the Electromagnetic Compatibility Directive), it may still carry that mark. However, the mark does not automatically extend to CRA requirements. To continue placing products on the EU market after the CRA applies (December 2027), manufacturers must ensure conformity with the CRA’s cybersecurity provisions. They must also update their technical documentation and EU Declaration of Conformity.
In other words: the CE mark is not a one-time badge. It represents ongoing compliance with the current legal framework, which is now evolving to include cybersecurity.
Evolving Threats, Evolving Compliance
The logic is straightforward: cyber threats evolve quickly, so a device secure in 2019 might now contain exploitable vulnerabilities. The CRA requires, in Article 6(a), that products with digital elements may only be placed on the market if they meet essential cybersecurity requirements. Article 13(12) further clarifies that manufacturers are responsible for carrying out the conformity assessment and affixing the CE marking.
When Product Changes Trigger Reassessment
Products already lawfully placed on the EU market before the CRA compliance date are not automatically “invalidated.” However, if those products remain on the market after December 2027 and undergo substantial changes that alter their initial risk level, they must be reassessed against the CRA. Minor software updates or routine maintenance will not necessarily trigger a new conformity assessment, but significant changes will. Given the broad scope of the term ‘substantial modification,’ the Commission has been requested to provide guidance on how to determine what qualifies as a substantial modification.
CRA: Making Cybersecurity the Default
For companies, this may feel like a heavy lift, especially with large product portfolios. But it is also a long-overdue step toward a harmonised baseline for product cybersecurity in the EU. CE marking under the CRA is not just a label: it signals that resilience and security are integral to a product’s lifecycle, from design to deployment.
Now is the right time for companies to ask: how will the CRA affect our products, processes, and update cycles? There is still a transition period, but not an unlimited one. Cybersecurity is no longer an afterthought. With the CRA, it becomes the default.
Advisense supports your CRA transition. Contact us today to prepare your organisation.