Cyber Resilience Act: Why many medium-sized products will no longer be marketable from 2026 onwards
The CRA and the quiet revolution in product security
From 2026, the Cyber Resilience Act will determine whether digital products are still marketable. It is not technology, but rather a lack of evidence, processes, and responsibilities that will pose a risk—especially for small and medium-sized enterprises. Cybersecurity will become a mandatory management task.
The problem runs deeper than technology
Many medium-sized companies look at their products with justified pride. They function reliably, have grown over the years, and are often optimized down to the last detail. Customers know them, trust them, and recommend them to others. Technically, there is little cause for concern. And yet it is precisely these products that face a problem that cannot be solved by another update, patch, or new feature.
From 2026 onwards, many of these products will face the question of whether they are still considered marketable at all. Not because they have become inferior, but because the standard by which marketability is judged has changed. The trigger for this is called the Cyber Resilience Act.
The unpleasant thing about this regulation is not its severity, but its silence. There has been no media outcry, no wave of public outrage, no political debate as there was with the GDPR or the NIS 2 Directive. The Cyber Resilience Act (CRA) comes across as matter-of-fact, technocratic, almost inconspicuous, and yet it has a deeper impact on business models than many other digital laws before it.
Marketability does not arise on the cut-off date, but in the preparation. Development cycles, product approvals, CE conformity, supplier contracts, and update architectures cannot be adapted at short notice. A product that is to be sold in 2026 is either in development, in planning, or already on the market today. It is precisely these products that come under the scrutiny of the Cyber Resilience Act.
In practice, this means that products whose security architecture has never been properly documented will be difficult to further develop in the future without raising regulatory issues. Products for which there is no clear update and patch strategy will gradually lose their regulatory acceptance – regardless of how well they function technically. And products without defined end-of-life logic become a risk, not only technically, but also legally and economically.
The Cyber Resilience Act thus poses a simple but momentous question: Is a digital product not only functional, but also verifiably secure – throughout its entire life cycle?
When marketability is redefined
Until now, many companies have had a clear division of responsibilities: The product is built, sold, and delivered. IT is then responsible for operational security, the customer for problems, and, in case of doubt, “the hackers” for attacks. The Cyber Resilience Act puts an end to this division of labor.
In the future, it will no longer be solely a question of whether a product fulfills its function, but whether its digital elements are under control. Security becomes a product feature. Not optional, not negotiable, not delegable. Anyone who brings a product with digital elements to the European market assumes responsibility for ensuring that this product meets the essential security requirements, not just on the first day, but permanently.
This shifts the focus from the operating environment to the product itself. Market access is linked to security. Not abstractly, but very specifically via CE marking, conformity assessment, and market surveillance. A product that does not meet these requirements is not merely a higher IT risk; it may no longer be placed on the market at all.
The most consequential mistake in small and medium-sized businesses
In many conversations with small and medium-sized business managers, a sentence that is symptomatic of the problem comes up early on: “That doesn’t affect us, we’re not a software company.” Ten years ago, this statement might have been understandable. Today, it is dangerous.
The Cyber Resilience Act is not interested in self-descriptions. It does not ask whether a company sees itself as a machine manufacturer, service provider, or software house. It asks whether a product has digital functions. And that is the case for a surprising number of products today: control software, update functions, remote maintenance, apps, cloud connectivity, or additional digital modules.
Anyone who sells such products under their own name is, from a regulatory perspective, the manufacturer of a product with digital elements. Period. Legal responsibility arises not from the code, but from the product being placed on the market. This is precisely where the real explosive potential for small and medium-sized businesses lies.
What the Cyber Resilience Act actually requires
The Cyber Resilience Act does not require perfect security. It requires something else, something that is much more inconvenient for many companies: structure, accountability, and verifiability. It is no longer enough for security to be “somehow considered.” It must be designed, documented, and controlled.
Products must be designed in such a way that security risks are not addressed after the fact. Insecure default settings, unnecessarily exposed interfaces, or provisional protection mechanisms are no longer considered pragmatic solutions, but design flaws. Security belongs in the design, not in support.
Added to this is the obligation to actively address vulnerabilities. Not reactively, not on an ad hoc basis, but systematically. Those who only act when customers report issues or security researchers apply pressure are acting too late. The CRA expects processes, not coincidences. The regulation spells out what this means: among other things, manufacturers must identify and document the components in their products, including a software bill of materials, operate a coordinated vulnerability disclosure policy with a contact point for reporting, and deliver security updates without delay and free of charge.
The end of a product's life cycle is particularly underestimated. Many medium-sized products do not disappear; they are phased out. They are no longer sold, but continue to be used. This is exactly where the CRA comes in. Security does not end with the last sale. The CRA makes this concrete: the manufacturer must determine a support period during which vulnerabilities are handled effectively, at least five years unless the product is expected to be in use for a shorter time, and must state that period when the product is placed on the market. Those who do not have a clear end-of-life strategy create a regulatory risk, in practical terms, not just theoretically.
Why small and medium-sized businesses in particular are coming under pressure
Large companies have departments, committees, and formalized processes. Small and medium-sized businesses have something else: experience, pragmatism, and structures that have grown organically over time. These strengths are real, but under the CRA, they quickly become weaknesses.
Many products have evolved over time. Security decisions were made but never documented. Responsibilities exist, but they are implicit rather than clearly defined. External developers or suppliers have taken over parts of the process without the overall responsibility ever being clearly assigned.
The CRA does not ask about the history of a product. It evaluates the current state. And this is precisely where the pressure arises: products whose security is not controlled organizationally lose their regulatory acceptance. Not abruptly, but gradually, and often just when they are to be further developed or modernized.
Why suppliers are no salvation either
Another common misconception is: “Our service provider takes care of it.” That no longer works under the CRA either. European product law follows a clear logic: the party responsible is the one who markets a product under their own name. Not the programmer, not the cloud provider, not the supplier.
Of course, tasks can be outsourced. Responsibility cannot. Those who do not know what software is in their own product lose control. Those who have no influence over security updates lose marketability. The CRA forces companies to disclose these dependencies – and to actively manage them.
The real pressure comes from above
The Cyber Resilience Act is not an IT law. It is a governance law. It shifts responsibility to where it has long been avoided: to corporate management.
Products whose security is not under control are not a technical problem, but an organizational failure. Delegation without control is no longer sufficient. "We didn't know" is not an argument, but a risk. The CRA has a similar effect here to the GDPR or the NIS 2 Directive, only with a direct reference to the product and thus to the core of the business model.
2026 is closer than many think
When people talk about the Cyber Resilience Act “from 2026,” it sounds like the future to many. In fact, it is the present. Products that are planned, developed, or continued today must be CRA-compliant in 2026. Security architectures, update strategies, and governance structures cannot be introduced at the push of a button. Those who only react when market surveillance or customers ask questions are reacting too late.
The key point is that products that are new or substantially modified and are placed on the market once the CRA's requirements apply must comply with them. This applies not only to new developments, but also to existing products that are further developed, updated, or functionally enhanced to the point of a substantial modification. Anyone planning products today that are to be sold in 2026 or later is already developing under CRA conditions, whether they are aware of it or not.
In addition, individual obligations take effect before the CRA applies in full. The reporting obligations apply from 11 September 2026: actively exploited vulnerabilities and severe incidents affecting the security of a product must be reported to ENISA and the competent CSIRT, with an early warning within 24 hours of becoming aware of them. The essential security requirements, conformity assessment, and the remaining obligations apply from 11 December 2027. Companies must therefore be in a position to systematically identify, assess, remediate, and report security gaps by 2026. Those who only start to build these structures once market surveillance becomes active will not be able to establish them in time.
The Cyber Resilience Act as a strategic turning point
The CRA is inconvenient, no question. But it is also an opportunity. It separates products that can be accounted for from those that are only managed. For small and medium-sized businesses with their short decision-making processes, this is actually an advantage.
Those who create clarity now – about products, responsibility, and security strategy – will not only ensure compliance but also future viability. Those who wait risk having functioning products become obsolete due to regulations. At some point, perhaps even their own company.
Conclusion: Marketability is a matter for top management
The Cyber Resilience Act does not determine security in the data center. It determines which products will still be allowed to be sold in the future. Cybersecurity is no longer an additional function, an optional feature, or a topic for later releases. It is becoming a prerequisite for market access for products with digital elements – and thus a key competitive factor in the European single market.
This is a profound change for small and medium-sized enterprises. Many products are technically mature, economically successful, and have been established for years. But it is precisely these products that are coming under pressure from the Cyber Resilience Act if their digital security is not managed organizationally. In the future, marketability will no longer be defined solely by functionality, price, or quality, but by the ability to demonstrate cybersecurity throughout the entire product life cycle.
The Cyber Resilience Act thus forces companies to make a strategic decision: Which products do we want to be responsible for in the long term – technically, organizationally, and regulatorily? And which products can no longer be meaningfully developed under the new framework conditions? These questions are not IT questions. They concern the product portfolio, the innovation strategy, and ultimately the future viability of the business model.
Those who take the Cyber Resilience Act seriously at an early stage will gain room for maneuver. Investing now in clear responsibilities, structured security processes, and robust product governance will not only increase regulatory robustness but also the trust of customers, partners, and markets. Those who wait, on the other hand, risk seeing functioning products gradually lose their marketability—not because of technical deficiencies, but because of a lack of organizational maturity.
Market access has always been a management issue.
The Cyber Resilience Act makes this abundantly clear.