Business.gov.nl uses cookies to improve the website. These functional and analytical cookies do not contain your personal data. Do you want to watch video content? Third parties may place tracking cookies to track your online behaviour. You can refuse these tracking cookies. How cookies are used on Business.gov.nl.

Products must meet mandatory cybersecurity requirements (CRA)

Published by:
Netherlands Enterprise Agency, RVO
Effective date of this change in law: 11 September 2026

The Cyber Resilience Act (CRA) is an EU Act that aims to enhance the security of products with digital elements. The CRA is also known the Cyber Resilience Regulation (Verordening cyberweerbaarheid). 

The Act applies to software and hardware with digital functions. Components thereof are also covered by the Act. Remote data processing solutions are only covered by the CRA if they are necessary for the functioning of the digital product. Services are not covered by the CRA.

What changes?

Digital products, such as apps, software, and devices with an internet connection must meet various requirements. The most important are:

  • Safer products: As of 11 December 2027 all products with a digital component such as apps, video cards, or smart devices must be designed and manufactured securely. This is known as security by design.
  • Obligations for entrepreneurs: Do you make, import, or sell digital products? Then you need to provide security updates and report issues promptly.
  • CE marking: Your product must bear CE marking to indicate that they comply with the requirements the CRA sets. You may often assess yourself whether your product is safe, but in some cases an external party must do so.
  • Reporting obligation in case of problems: From 11 September 2026 manufacturers must report serious issues with their digital products.  Reporting must be done via the digital reporting desk of the National Cyber Security Centre (NCSC).

For whom?

  • manufacturers of products with a digital component and software
  • authorised representatives appointed by the manufacturers to carry out obligations on their behalf
  • importers bringing such products to the EU market
  • distributors selling products with a digital component

What do you have to do?

The Cyber Resilience Act sets rules for manufacturers. Importers and distributors must also keep to these rules. They must make sure that products with digital components meet specific requirements, and ensure this remains the case. They must also be able to demonstrate the products meet these requirements. They do so with documentation and reports. 

You can find the most important information on the new rules in the Dutch-language Cyber Resilience Act Guide (pdf). 

When?

From 11 September 2026 companies must report serious security issues and actively exploited vulnerabilities. The other obligations from the Cyber Resilience Act will enter into effect on 11 December 2027.

This article is related to:

How would you rate this page?(question 1 of max 3)
We are sorry to hear that. How can we improve?(question 2 of 3)

Questions relating to this article?

Please contact the Netherlands Enterprise Agency, RVO