Get Ahead or Get Caught Out: What the EU Cyber Resilience Act and UK Cyber Security Bill Mean for Manufacturers
16 April
As cyber threats continue to evolve, so too does legislation. The EU’s Cyber Resilience Act (CRA) and the UK’s Cyber Security and Resilience Bill are ushering in a new era of mandatory cybersecurity standards—particularly for manufacturers and processors relying on digital technologies.
While the CRA applies to products placed on the EU market, wherever the manufacturer is based, and the UK bill addresses domestic defences, both pieces of legislation share a common goal: boosting resilience and protecting critical services from cyber attack. For manufacturers and equipment suppliers, this means understanding not only what is expected of them, but also what is expected of the products they make, use, or maintain.
Who Needs to Pay Attention?
If you’re in the manufacturing or processing industry, and your operations depend on connected hardware or software—think sensors, automation systems, or smart machinery—you’re in the spotlight.
The CRA applies to ‘products with digital elements’: any software or hardware product (including its remote data processing solutions and components sold separately) whose intended or reasonably foreseeable use involves a direct or indirect data connection to a device or network. This includes machinery, monitoring tools, and embedded systems. In short, if it connects, it counts.
Secure by Design: Not Just a Buzzword
One of the CRA’s cornerstones is the ‘Secure by Design’ principle. This isn’t just about building safe tech—it’s about thinking cybersecurity from day one. That includes the design, development, and production phases—not just the operational life of a product.
Manufacturers must now assess cybersecurity risks throughout the product’s life cycle and ensure vulnerabilities can be addressed through security updates delivered without undue delay and free of charge. If a flaw is found, you are on the hook to fix it, and fast.
Handling Vulnerabilities: It’s the Law
The CRA lays out strict obligations for vulnerability handling:
- Manufacturers must identify and document vulnerabilities and components in the product, including a software bill of materials, and assess security vulnerabilities early.
- They must provide free security updates for the product’s support period, which must reflect its expected lifetime and, unless a shorter period of use is clearly expected, last at least five years.
- If they become aware of an actively exploited vulnerability or a severe incident affecting the product’s security, they must notify the coordinating national CSIRT and the EU Agency for Cybersecurity (ENISA) through the single reporting platform (an early warning within 24 hours, a fuller notification within 72 hours, and a final report once the issue is resolved), inform affected users with any mitigation or corrective measures, and publish a security advisory, reaching any relevant repair or maintenance providers.
This means having processes in place to not only detect and fix issues, but also to communicate effectively and comply with documentation requirements.
Know Your Risk Class
To comply with the CRA, manufacturers must meet the Essential Requirements set out in Annex I. But not all products are treated equally. The risk classification of a product determines the route to conformity:
- Default (lower-risk) products, which make up the large majority: the manufacturer self-assesses conformity under internal control; applying a harmonised standard in full gives a presumption of conformity.
- Important products (Annex III), split into Class I and Class II by their exposure and impact: Class I products may still be self-assessed if harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise, and for all Class II products, a third-party assessment by a notified body is required.
- Critical products (Annex IV): these follow the notified-body routes and may in addition be required, through a delegated act, to obtain a European cybersecurity certificate.
Transparency Is Non-Negotiable
Comprehensive documentation is another key demand. Manufacturers must provide:
- A list of security features and technical characteristics.
- A description of possible cybersecurity risks and the conditions under which they could occur.
- A designated contact point for reporting vulnerabilities.
- The end date of the support period during which security updates will be provided.
The aim is clear: users should know exactly what they’re working with—and how to react if things go wrong.
Act Now, Not Later
Although the CRA’s core obligations apply from 11 December 2027, the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from 11 September 2026, so manufacturers would be wise to start aligning with its requirements now. Implementing secure design principles, creating robust vulnerability response procedures, and getting ahead of documentation obligations will all pay dividends in the long run.
Cybersecurity is no longer a bonus; it is a baseline. And when the regulations kick in, being unprepared will not just be risky. Breaching the essential requirements can attract fines of up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher, and non-compliant products can be withdrawn from the market.