14 January 2026

The EU Cyber Resilience Act – New Market Entry Barriers for Swiss IoT Products

  • Articles
  • Compliance
  • Legal
  • Data / Technology / IP
  • Trade / Logistics / Competition

Without CRA-compliant CE marking and the required cybersecurity documentation including a Software Bill of Materials, products with digital elements may no longer be imported into the EU.

  • Dr. Martin Eckert

    Legal Partner

The EU has adopted numerous regulations in recent years addressing data-driven markets and digital matters, such as the AI Act, the GDPR, the NIS 2 Directive, the Data Act, the Digital Markets Act, the Digital Services Act, the RED Delegated Act and sector-specific rules such as DORA or the EU Machinery Regulation. How can Swiss companies that export to the EU keep track of all this?

Experts speak of a regulatory tsunami. Even specialists struggle to stay current. It has also become clear that these rules are not always consistent. The EU itself has recognized this problem. Through an “omnibus” process, the Commission intends to pause and streamline the regulatory landscape.

Does this mean Swiss manufacturers should wait and see?

Unfortunately not. Regulations that are already in force remain binding until new rules replace them. My advice is to first identify whether there are regulations that, if ignored, will block or significantly impede market access to the EU. These requirements are not only governance matters. They have direct business impact.

Can you give us an example of a regulation that prevents Swiss products from being imported into the EU if the rules are not met?

Many Swiss companies are unaware of the Cyber Resilience Act (CRA), which entered into force in December 2024. The CRA establishes comprehensive, technology-neutral cybersecurity requirements for products with digital elements. It imposes far-reaching obligations on manufacturers, affecting product development, production and lifecycle management. From a business perspective, the critical point is that products with digital elements may only be placed on the EU market if the manufacturer prepares technical documentation and completes a conformity assessment procedure. These steps are prerequisites for the declaration of conformity and CE marking. EU importers and distributors act as control bodies: they must verify that these steps have been taken before they import or sell a product. Simply put, without CE marking and the required cybersecurity documentation, including a Software Bill of Materials, products with digital elements may no longer be imported into the EU.

Which products fall under the Cyber Resilience Act?

The CRA covers all “products with digital elements”, meaning software or hardware products that include a direct or indirect logical or physical data connection to a device or a network. It applies to connected products, both hardware and software, embedded or stand-alone. It includes IoT products integrated into or connected through an electronic information system and therefore potentially usable as attack vectors. Examples include end-user devices such as smartphones, laptops, smartwatches and smart home devices, machinery and industrial equipment with remote control functions, network components such as routers, modems and switches, and software such as mobile apps, operating systems or industrial control systems. Some categories are excluded because sector-specific EU rules already apply, for example medical devices, civil aviation, motor vehicles, marine equipment, or products developed exclusively for national security or defense purposes. Special rules apply to open source software, and pure cloud services are covered only to the extent they are remote data processing solutions of a product with digital elements.

Are companies in Switzerland also affected?

Yes. The CRA has extraterritorial effect. Swiss companies that place products with digital elements on the EU market as part of their business activities must comply with the CRA. Manufacturers must adapt their product design and production processes if they want to sell these products in the EU. EU importers and distributors must ensure that the products meet the CRA requirements before import or sale. Obligations also apply to “open source software stewards”, meaning legal entities that systematically and sustainably support the development and usability of commercial open source software.

What general duties apply to manufacturers?

Manufacturers face a set of duties that must be documented carefully, including:

  • Regularly updated risk assessments and compliance with core cybersecurity requirements, including security by design and security by default.
  • Supply chain due diligence such as risk assessments of components, verification of supplier trustworthiness, documentation of the security characteristics of third-party components and contractual safeguards including vulnerability management. A complete Software Bill of Materials (SBOM) is essential.
  • Vulnerability management, including free and timely security updates during the entire support period, and notification duties toward ENISA, national CSIRTs and users.
  • Conformity assessment and CE marking, including technical documentation and completion of the applicable conformity assessment procedure. Depending on the product category, this can be done by the manufacturer, by a notified body or through certification under a European cybersecurity scheme.
  • Transparency obligations regarding safe use, security features, intended purpose, support periods, update procedures and known cyber risks.
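The supply chain duty above turns on what a “complete” SBOM actually contains. The CRA (Annex I, Part II) asks for a bill of materials in a commonly used, machine-readable format covering at least the product's top-level dependencies. The following is an added example, not part of the original article and not a tool endorsed by any authority: a constructed CycloneDX 1.5 document for a hypothetical thermostat firmware, and a Python check of the structural properties a manufacturer's own review (or an importer's spot check) would look for: every component has a version and a package identifier, every dependency edge resolves to a listed component, and every listed component is reachable from the product root, so the document actually says how each component ended up in the product. The product, component names, versions, purls, bom-refs and dependency edges are invented for the example; the field names are CycloneDX's own.

```python
"""Structural completeness check for a CycloneDX SBOM (added example).

The SBOM below is constructed for a hypothetical firmware; the component
names, versions, purls, bom-refs and dependency edges are invented.
"""
import json

SAMPLE_SBOM = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2026-01-14T09:00:00Z",
    "component": {"type": "firmware", "bom-ref": "root",
                  "name": "smart-thermostat-firmware", "version": "2.3.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "c1", "name": "mbedtls", "version": "3.6.0",
     "purl": "pkg:github/Mbed-TLS/mbedtls@v3.6.0"},
    {"type": "library", "bom-ref": "c2", "name": "lwip",
     "purl": "pkg:generic/lwip"},
    {"type": "library", "bom-ref": "c3", "name": "cJSON", "version": "1.7.17",
     "purl": "pkg:github/DaveGamble/cJSON@v1.7.17"}
  ],
  "dependencies": [
    {"ref": "root", "dependsOn": ["c1", "c2", "c9"]},
    {"ref": "c1", "dependsOn": []}
  ]
}
"""


def check_sbom(doc: dict) -> list[str]:
    """Return human-readable findings; an empty list means the document passes
    the structural checks (it says nothing about whether the listed versions
    are the ones actually shipped; that is a separate build-time comparison)."""
    findings: list[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]

    root = (doc.get("metadata") or {}).get("component") or {}
    root_ref = root.get("bom-ref")
    if not root_ref:
        return ["metadata.component (the product itself) is missing or has no bom-ref"]

    # Index every component by its bom-ref; the product root is part of the graph.
    known = {root_ref: root}
    for idx, comp in enumerate(doc.get("components", [])):
        ref = comp.get("bom-ref")
        shown = ref or f"component #{idx}"
        label = f"{comp.get('name', '<unnamed>')} ({shown})"
        if not ref:
            findings.append(f"{label}: no bom-ref, cannot appear in the dependency graph")
            continue
        known[ref] = comp
        if not comp.get("version"):
            findings.append(f"{label}: no version")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: no purl/cpe identifier")

    # Every dependency edge must point at a listed component.
    graph: dict[str, list[str]] = {}
    for dep in doc.get("dependencies", []):
        src = dep.get("ref")
        targets = dep.get("dependsOn", [])
        graph[src] = targets
        for tgt in targets:
            if tgt not in known:
                findings.append(f"dependency {src} -> {tgt}: target is not listed in components")

    # Every listed component must be reachable from the product root; otherwise
    # the document does not say how the component ended up in the product.
    seen: set[str] = set()
    stack = [root_ref]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(t for t in graph.get(cur, []) if t in known)
    for ref, comp in known.items():
        if ref not in seen:
            findings.append(f"{comp.get('name')} ({ref}): not reachable from the product root")
    return findings


def check_sbom_text(text: str) -> list[str]:
    """Parse a CycloneDX JSON document and run check_sbom on it."""
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    for finding in check_sbom_text(SAMPLE_SBOM):
        print("FINDING:", finding)
```

Run against the sample, the check reports three gaps: lwip carries no version, the root depends on a bom-ref (c9) that is not listed, and cJSON is listed but nowhere in the dependency graph. Each is the kind of defect that makes an SBOM useless for vulnerability matching, which is the purpose the CRA's supply chain and vulnerability-handling duties serve. The check is deliberately format-level only; confirming that the listed versions match the built artifact belongs in the build pipeline.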

What cybersecurity requirements does the EU impose?

Annex I of the CRA defines the core cybersecurity requirements. Products with digital elements must be designed, developed and manufactured to ensure an appropriate level of cybersecurity based on the associated risks. They must be made available on the market without known exploitable vulnerabilities. The EU has so far issued few product-specific requirements; harmonised standards that would give a presumption of conformity are still being developed. Until then, manufacturers remain responsible for security and will rely on recognized industry standards, frameworks and best practices.

What risks arise for Swiss manufacturers if they fail to comply with the CRA?

The main commercial risk is that EU importers and distributors refuse to import products if CRA requirements are not met. Products already on the EU market are subject to surveillance by national market authorities, which have broad powers including prohibitions, restrictions, product recalls, requests for technical documentation and unannounced inspections. The CRA includes strict administrative sanctions, including fines of up to EUR 15 million or 2.5 percent of global annual turnover, whichever is higher, for breaches of the core cybersecurity requirements. Civil liability risks such as breach of contract and product liability also apply. A product is defective if it does not provide the safety that users may reasonably expect. A connected product that does not meet key cybersecurity requirements is likely also defective under the revised EU Product Liability Directive, which expressly covers software. The manufacturer is liable for resulting damage even without fault. The CRA must be taken very seriously.

What is the EU timeline?

The rules for notifying conformity assessment bodies apply from June 11, 2026. Vulnerability and incident reporting duties apply from September 11, 2026. The general obligations apply from December 11, 2027, when the CRA becomes fully applicable to most covered products. Products placed on the market before that date fall under the general obligations only if they undergo a substantial modification after December 11, 2027; the reporting duties that start in September 2026, however, also apply to products already on the market.

Is cyber resilience also addressed under Swiss law?

Cyberattacks do not stop at borders. Switzerland currently has few product specific cybersecurity rules. The Federal Council intends to enhance cyber resilience for digital products. On August 20, 2025, it mandated the DDPS, together with DETEC and SECO, to prepare a draft bill by fall 2026.

What is the practical advice for Swiss manufacturers of digital products?

Companies need a clear roadmap to be ready for the CRA. First, manufacturers must analyze which of their own and integrated products fall within scope. Second, they should conduct a risk assessment. Based on that, they can perform a gap analysis and prepare an action plan. Core tasks include implementing security functions, establishing CRA compliant vulnerability management and preparing technical documentation including a complete SBOM for each product.

In addition to regulatory requirements, customer expectations must be considered. Certification under the IEC 62443 series appears to be gaining importance. Cybersecurity of connected products must be addressed at top management level. Numerous processes will require adjustments, including risk management, internal controls, supplier contracts, insurance coverage, quality and technical documentation, customer contracts, sales documentation, support processes, update processes and market surveillance activities. Cybersecurity is not a one time exercise. The CRA requires systematic, ongoing and regularly updated documentation and controls. An interdisciplinary challenge for every company affected!

This article appeared in German in the Swiss journal “Finanz und Wirtschaft”.

The MME data law team offers a half-day workshop on the pragmatic implementation of CRA for Swiss companies.
