The Word Manufacturer Now Means You

The EU Cyber Resilience Act entered into force in December 2024, and its definition of a manufacturer is wider than most boards assume. It covers any product with digital elements placed on the European market: a connected machine, an industrial controller, a medical device, a consumer gadget, or a piece of standalone software. If your product talks to a network, it falls in scope, and so do the importers and distributors who put it on the market.

For a family office or a Mittelstand owner, the uncomfortable part is the reclassification. A company that has built precision machines for three generations, and never called itself a software business, is now a regulated software vendor in the eyes of EU law. The rule also reaches beyond the bloc. A manufacturer based anywhere in the world that sells into the European market carries the same duties as one based in Frankfurt.

A 24-Hour Clock You Do Not Control

The first hard deadline is close. From 11 September 2026, an actively exploited vulnerability or a severe security incident starts a fixed reporting cascade through a single European platform. An early warning is due within 24 hours, a fuller notification within 72 hours, and a final report within 14 days of issuing a fix or workaround. The clock does not wait for your legal review or your communications plan.

That timing is the operational shock. The 24-hour window opens during the worst moment of an incident, when the information is incomplete and the instinct is to say nothing until the facts are clear. The Act removes that option. An organization that cannot detect, triage, and report a flaw inside a day will miss the deadline, not because it lacks goodwill, but because it never built the machinery to move that fast.

CE Marking, and a Fine Sized to Your Turnover

The broader obligations follow on 11 December 2027. From that date, a product with digital elements needs a CE marking that certifies it was built with security by design, ships without known exploitable defects, and will receive security updates across a defined support period. Compliance is not a one-time test before launch; it is a duty that runs for the supported life of every unit you have sold.

The enforcement carries weight. National market surveillance authorities police the rules, and Germany has already issued a first draft of the law to name its competent authority. Penalties for failing the core requirements reach 15 million euros or 2.5 percent of global annual turnover, whichever is higher. For a profitable mid-sized maker, the turnover figure is the one that should focus the room.