Rutronik supports industry in implementing complex EU requirements
The European Union is setting new standards for cybersecurity with the Cyber Resilience Act (CRA), which presents electronics manufacturers, importers, and distributors with significant challenges. Small and medium-sized enterprises, in particular, are confronted with complex requirements, short deadlines, and significant liability risks. Rutronik is addressing this development together with its partners 1ACUE, TÜV Süd and Infineon, offering its customers practical support during implementation.
From 2027, electronic products with interfaces may only be sold in the EU if they meet the comprehensive requirements of the CRA. These include risk classification, complete documentation of certificates and manuals, and data sheets. For the first time, they also include a software bill of materials and security updates throughout the entire product life cycle, i.e., the expected product service life or at least five years after the last sale. There are also strict reporting requirements for vulnerabilities, in some cases within 24 hours. Violations are subject to severe penalties: up to €15 million or 2.5% of global group turnover. Depending on the risk class, the CE mark may no longer be issued by the manufacturer. The queues at approved certification bodies and security certification bodies will be correspondingly long until the reporting obligation comes into force in September 2026 or until the law finally takes effect in December 2027.
In future, importers will bear almost the same responsibility as manufacturers. It is particularly important to note that anyone who purchases products directly from non-European manufacturers becomes an importer in legal terms. That status carries all archiving, testing and reporting obligations. Many companies are not yet fully aware of this liability trap.