CRA in the spotlight for many companies – including in Switzerland
Das Wichtigste in Kürze
- The EU Cyber Resilience Act has been in force since autumn 2024, with a transition period until the end of 2027: manufacturers, importers and distributors must ensure end-to-end cybersecurity throughout the entire product lifecycle
- Obligations include security by design, documentation and vulnerability reporting within 24 hours. Swiss companies are affected via the supply chain; a CE self-declaration is usually sufficient
Cybersecurity is a long-standing issue that affects not only IT departments, but almost every SME that develops or sells smart products with network or internet connectivity. The range is broad and includes smartwatches, cameras, thermostats, sensors, and much more.
The problem: Many devices have so far been poorly prepared for cyberattacks. One of the most obvious weaknesses has been the use of default passwords like 1234 set at the factory. Users have long had better options, such as passkeys. All the more alarming and dangerous, then, are weak default passwords at the hardware level that cannot be changed. That’s now set to change — thanks to the EU’s Cyber Resilience Act. In effect since autumn 2024, the regulation includes a transition period until the end of 2027.
The EU wants to make life harder for hackers
The CRA is a new legal framework that applies to all EU countries and aims to raise the level of cybersecurity for all devices with digital elements. Under the CRA, manufacturers, importers, and distributors must now ensure comprehensive cybersecurity throughout the entire product lifecycle. This includes «security by design», obligations to provide information, transparency, and user education, as well as mandatory reporting of IT vulnerabilities and cyberattacks within 24 hours. Penalties for violations can be severe, depending on the country and the seriousness of the breach.
From 2027 onward, secure products will be marked in the EU with the familiar CE label — and only those products will be allowed to be sold.
An inquiry to the Swiss Federal Office for Cybersecurity (BACS) shows that the CRA is also welcomed in Switzerland. For Swiss companies, the primary focus is on increased documentation requirements. The classification of a product into a specific category or class is key to determining which forms of evidence must be provided.
One relief: for most products, a CE self-declaration is sufficient.
IT departments are also responsible for reviewing the requirements for the devices they use and ensuring alignment with the CRA.
Start preparing today
Most Swiss companies are affected by the CRA, as it targets the entire supply and distribution chain. That’s why it’s essential to clarify and implement the necessary measures now. In an increasingly digital economy, «cybersecurity» can be the difference between success and failure.
Sources and further reading
