Obligations, deadlines, and risks: Significant impact on development and delivery processes
From 2027, electronic products with interfaces may only be sold in the EU if they meet the comprehensive requirements of the CRA. These include risk classification, complete documentation of certificates and manuals, and data sheets. For the first time, they also include a software bill of materials and security updates throughout the entire product life cycle, i.e., the expected product service life or at least five years after the last sale. There are also strict reporting requirements for vulnerabilities (in some cases within 24 hours). Violations are subject to severe penalties: up to €15 million or 2.5% of global group turnover. Depending on the risk class, the CE mark may no longer be issued by the manufacturer. The queues at approved certification bodies and security certification bodies will be correspondingly long until the reporting obligation comes into force in September 2026 or until the law finally takes effect in December 2027.
Importers will bear almost the same responsibility as manufacturers in the future. It is particularly important to note that anyone who purchases products directly from non-European manufacturers becomes an importer in legal terms and takes on all of the associated archiving, testing, and reporting obligations. Many companies are not yet fully aware of this liability trap.
Strong partnerships are key to gaining information advantages
Rutronik is committed to transparency and education at an early stage. In June 2025, the distributor organized an international CRA webinar day in collaboration with TÜV SÜD, the cyber security consulting company 1ACUE, and the semiconductor manufacturer Infineon. The event attracted a great deal of interest, with around 500 participants from Europe, Asia, and North America.
The presentation by Stefan Würth, Head of Industrial and Automotive Cyber Security at TÜV SÜD Product Service, highlighted the central importance of the CRA for industry – particularly with regard to the upcoming certification requirements and the significant penalties for non-compliance. This was a clear wake-up call for affected companies to stop postponing the implementation of the compliance requirements.
Dr. Sergejs Rogovs, Chief Engineer Cyber Security at 1ACUE, provided valuable guidance through the complex web of new EU regulations such as CRA, NIS-2, and ETSI/RED. The focus was on providing practical answers to key questions. Which guidelines apply to whom? How can a legally compliant risk analysis be conducted? Which products are affected? How can compliance be ensured efficiently? Those who want to not only meet regulatory requirements, but also use them strategically, are in an excellent position with a specialized partner such as 1ACUE.
Participants gained a particular knowledge advantage from the insights of Dr. Detlef Houdeau, Senior Director of Business Development at Infineon Technologies AG, into an expert group set up by the EU Commission to define risk classes for electronic components, in which Infineon is involved. As a webinar speaker, he provided exclusive insights into the ongoing standardization work, offering electronics manufacturers an outlook on what to expect by the end of 2025.
Rutronik as a solution provider for process reliability and future viability
As an interface between over 250 manufacturers and more than 40,000 customers worldwide, Rutronik supports its partners with more than just component supply. Rutronik also helps its partners evaluate and prepare for regulatory challenges. This support includes:
- Support with preliminary risk assessment of components
- Advice on new documentation, reporting, and update requirements
- Access to reliable supplier information
- Internally trained teams for CRA-relevant processes
"We see ourselves as bridge builders between technology suppliers, legislators, and OEMs," says Bernd Hantsche, Vice President Technology Competence Center at Rutronik. "The CRA presents many of our customers with major challenges, but it also presents them with the opportunity to make their processes future-proof and resilient. We actively support them in this."
Conclusion: Cybersecurity as a location factor
Although it requires a lot of effort, Rutronik believes that the CRA is an opportunity for manufacturers to distinguish themselves in the long term by prioritizing quality and safety. While non-European suppliers might be rethinking their EU strategy, companies that organized their processes early on will have better market access and earn their customers' trust.