Many organizations still view the Cyber Resilience Act (CRA) as something that only applies to new connected products from 2027 onwards. However, this assumption is only partly correct. As early as September 2026, a mandatory reporting obligation for cybersecurity incidents will come into force. This requirement affects all existing products, including smartphone apps and server-side applications that are part of your product ecosystem. What does this mean for you as a manufacturer of machines and appliances?
