
Cyber Resilience Act: What Swiss Manufacturers Must Do Now

19 January 2026 | 7 min read

The EU Cyber Resilience Act has been in force since December 2024. The reporting obligation applies from September 2026, full compliance from December 2027. Swiss manufacturers exporting to the EU must act now.

If you develop a connected medical device, an industrial control system or a smart home component and sell it in the EU, the Cyber Resilience Act (CRA) applies to you. EU Regulation 2024/2847 has been in force since December 2024 and, for the first time, regulates the cybersecurity of all products with digital elements sold on the EU market. Switzerland is not an EU member state, but Swiss manufacturers that sell into the EU market must comply with the requirements in full.

The Timeline

The timeline is tight. From September 2026, manufacturers must report actively exploited vulnerabilities and serious security incidents to ENISA within 24 hours. From December 2027, the full requirements apply: security by design, documented risk assessment, vulnerability management across the entire product lifecycle (at least 5 years) and technical documentation for CE marking.

Four Product Categories

The CRA distinguishes four categories. Default products (e.g. simple IoT sensors, roughly 90% of all products) can be self-assessed for conformity. Important products, Class I (e.g. routers, password managers, operating systems) require harmonised standards or a third-party assessment. Important products, Class II (e.g. firewalls, hypervisors, industrial intrusion detection systems) require a mandatory third-party assessment. Critical products per Annex IV (e.g. smartcards, hardware security modules, smart meter gateways) require mandatory EU cybersecurity certification (EUCC) by a designated body.

Concrete Preparation Steps

Concrete preparation steps for Swiss manufacturers:

  • Inventory all products that fall under the CRA.
  • Conduct a gap analysis against the requirements in Annex I of the regulation.
  • Implement a Secure Development Lifecycle (SDLC) per IEC 62443 or ISO 27034.
  • Set up coordinated vulnerability management with CVE assignment.
  • Create a Software Bill of Materials (SBOM) in CycloneDX or SPDX format for each product.

How MilesGuard Helps

MilesGuard supports Swiss manufacturers on the path to CRA compliance: from product classification through gap analysis to implementation of vulnerability management. Start now, because the reporting obligation from September 2026 is approaching faster than expected.


Miles Strässle

Founder, MilesGuard GmbH
