In a significant move for companies dealing with digital products, Nemko Digital has unveiled a detailed compliance roadmap and checklist designed to assist organizations in aligning with the European Union’s Cyber Resilience Act (CRA). This initiative is particularly timely as manufacturers face a looming deadline: by September 11, 2026, they are required to be fully equipped to report actively exploited vulnerabilities and significant incidents within 24-hour and 72-hour timeframes. The roadmap’s release follows a highly attended webinar on CRA compliance, highlighting the escalating concern within the industry as the regulatory deadline approaches.
The Cyber Resilience Act imposes mandatory cybersecurity standards for both hardware and software products with digital elements marketed in the EU. This comprehensive regulation impacts a wide range of products, from consumer IoT devices and smart home products to enterprise software, industrial control systems, and connected vehicles. While full compliance is mandated by December 2027, the critical milestone in September 2026 necessitates immediate attention. This demands that organizations establish robust governance frameworks, consolidate software bills of materials (SBOMs), and develop auditable incident response capabilities to meet the CRA’s stringent requirements.
Pepijn van der Laan, Global Technical Director, AI Trust at Nemko Digital, emphasized that the 2026 deadline is aimed at ensuring operational readiness. By this date, companies must be able to identify vulnerabilities in their products and report incidents within the specified regulatory timelines. The stakes are high, as non-compliant products will be barred from the EU market after December 2027, and companies risk facing penalties of up to €15 million or 2.5 percent of global annual turnover for serious violations. Despite these pressures, about 70 percent of manufacturers, according to Nemko Digital’s webinar poll, are still in the initial phases of their compliance efforts.
To aid organizations, Nemko Digital’s CRA Compliance Roadmap offers a 6-step framework to simplify the complex regulatory requirements into actionable programs. Developed by CRA experts and validated by over 500 compliance professionals, the roadmap guides teams through essential stages, including discovery, applicability assessment, gap analysis, remediation, validation, and continuous monitoring. A 30-item checklist accompanies the roadmap, providing detailed tasks for product teams, security leaders, and compliance officers. Bas Overtoom, Global Business Development Director at Nemko Digital, advises that starting the compliance journey now is crucial to avoid difficulties later.
Summer poses an additional challenge due to the traditional vacation period in Europe, potentially slowing implementation momentum. Nemko Digital recommends that organizations complete most of their analysis and planning by early July to avert bottlenecks in August. Those with existing RED (Radio Equipment Directive) certification have a head start, as there is a significant overlap in requirements. However, the CRA introduces new obligations related to vulnerability handling and secure development practices. The CRA Compliance Roadmap, available at digital.nemko.com/cra-compliance-roadmap, is offered as a free resource that requires no registration and may be shared freely among compliance teams.