How new EU regulations reshape supplier relationships and procurement strategy, even if you don’t manufacture digital products
If you run manufacturing operations in Europe, your supply chain is about to change.
The EU Cyber Resilience Act doesn’t just affect companies that build and sell digital products. It reshapes the market for every piece of IT infrastructure and operational technology you procure, from PLCs and SCADA systems to enterprise software and network gear.
The regulation entered force in December 2024. The first supplier obligations begin in September 2026, eight months from now. Yet many manufacturing operations leaders remain unaware of the cascading impact on procurement cycles, maintenance contracts, and production environments.
Here’s what you need to know.
Who this is for (and who it isn’t)
This post addresses manufacturing organisations that buy and use IT/OT equipment for European operations. If you’re procuring industrial control systems, network infrastructure, or enterprise software, this affects your supply chain.
If you manufacture and sell products with digital elements (industrial equipment, embedded systems, control systems), you’re directly subject to CRA compliance obligations. For implementation guidance in that scenario, I recommend following Sarah Fluchs, whose detailed technical articles cover support periods, harmonised standards, and risk assessment methodologies for product manufacturers.
But if you’re a buyer, not a seller? Your suppliers face the compliance burden, and you face the operational consequences.
September 2026: vulnerability notifications start flowing
The first deadline hits on 11 September 2026.
From that date, manufacturers must report actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours. This isn’t about future products. It applies to equipment already installed in your plant, including legacy systems deployed years ago.
What this means in practice:
You’re going to receive vulnerability notifications for equipment currently running in production. Your industrial control system supplier will notify you of security issues they’ve discovered. Your network infrastructure supplier will disclose vulnerabilities in routers installed three years ago. Your enterprise software provider will flag problems in systems underpinning your manufacturing execution platform.
Some notifications will arrive with patches ready to deploy. Others will come with workarounds or mitigation advice. Some may simply inform you of risk with no immediate remedy available.
The operational challenge isn’t the notifications themselves. It’s the response requirement.
Questions you need answers to:
- How do you assess impact when a critical vulnerability announcement arrives at 4 PM on a Friday?
- Who owns the decision to patch or accept risk: IT, OT, plant management, or risk?
- How do you schedule emergency maintenance windows in environments running continuous processes or tight production schedules?
- Do you instead rely on compensating measures and allow vulnerabilities to remain for a period, or permanently, depending on your context?
What needs to be in place before September:
The reality is that vulnerability disclosure today is already a patchwork: security threat intelligence feeds, supplier advisories, global programmes, regional initiatives, local responses. The CRA will significantly increase notification volume from suppliers, putting a substantial burden on organisations without holistic vulnerability management processes.
This isn’t just about receiving notifications. You need:
- Asset visibility. You can’t assess impact if you don’t know what you’re running. This becomes even more critical when supplier notifications start flowing.
- Decision authority. When a supplier reports an actively exploited vulnerability affecting production systems, someone needs the authority to decide on response. Unclear ownership creates delays.
- Process integration. Your existing change management, risk acceptance, and incident response processes need to accommodate security notifications that arrive on supplier timelines, not your planned maintenance schedule.
- Principles and ways of working. Organisations need agreed approaches for triaging notifications, assessing risk, and making intervention decisions, especially in OT environments with limited change windows.
If you don’t have these capabilities already, establishing them takes time and effort. Starting that work now, rather than in September when notifications begin, provides runway to develop processes, build consensus, and test approaches.
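To make the asset-visibility, decision-authority and triage points concrete, here is an added illustration that is not part of the original post: a hypothetical Python routine that matches a supplier notification against an asset inventory and assigns an action and decision owner per zone. The product names, zones, owners, dates and decision rules are all constructed assumptions, not real products or advisories.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Asset:
    asset_id: str
    product: str      # product name as the supplier uses it in advisories
    version: str
    zone: str         # "IT", "OT-control" or "OT-safety" (safety-instrumented)
    next_window: str  # next planned maintenance window (ISO date)
@dataclass(frozen=True)
class Notification:
    product: str
    affected_versions: frozenset
    actively_exploited: bool
    patch_available: bool
    workaround_available: bool
# Decision authority per zone, agreed before notifications start flowing (hypothetical).
OWNER = {"IT": "IT security", "OT-control": "plant management + OT engineering",
         "OT-safety": "functional safety lead + plant management"}
def affected_assets(note, inventory):
    # Asset visibility: without a matching inventory no impact assessment is possible.
    return [a for a in inventory
            if a.product == note.product and a.version in note.affected_versions]
def decide(note, asset):
    if asset.zone == "OT-safety":
        # Safety-instrumented systems need safety reassessment before any change,
        # so the immediate response is compensating controls, not a hot patch.
        action = "compensating-controls; schedule safety reassessment"
    elif note.actively_exploited:
        if asset.zone == "IT" and note.patch_available:
            action = "emergency-patch"
        elif note.patch_available:
            action = "emergency-window-decision"  # patch now vs. accept risk until window
        elif note.workaround_available:
            action = "compensating-controls"
        else:
            action = "risk-acceptance-decision"
    elif note.patch_available:
        action = "patch-at-window " + asset.next_window
    else:
        action = "track-until-fix"
    return {"asset": asset.asset_id, "action": action, "owner": OWNER[asset.zone]}
def triage(note, inventory):
    return [decide(note, a) for a in affected_assets(note, inventory)]
INVENTORY = [  # constructed sample inventory, not real products
    Asset("PLC-L1-07", "ExamplePLC", "4.2", "OT-control", "2026-10-03"),
    Asset("SIS-L1-01", "ExamplePLC", "4.2", "OT-safety", "2027-03-14"),
    Asset("RTR-DC-02", "ExampleRouter", "7.1", "IT", "2026-09-20"),
]
ADVISORY = Notification("ExamplePLC", frozenset({"4.1", "4.2"}), True, True, True)
```

Running `triage(ADVISORY, INVENTORY)` yields one decision per affected unit, each naming the owner who must act; in a real programme the inventory would come from your asset register and the notification from the supplier advisory.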
December 2027: procurement options narrow dramatically
The second deadline, the more disruptive one, arrives on 11 December 2027.
From that date, only CRA-compliant products can be sold in the EU market. Non-compliant suppliers don’t just face fines. They lose market access entirely. Their products cannot legally be placed on the EU market, regardless of price, features, or your existing relationship.
What this means for procurement:
Any IT or OT equipment you procure for European operations after December 2027 must demonstrate CRA compliance. Your RFPs need to verify CE marking, EU Declaration of Conformity, technical documentation, and minimum 5-year security update commitments from suppliers.
Vendors unable or unwilling to comply will exit the EU market.
Some will achieve compliance for current product lines. Others will discontinue products rather than bear certification costs. Some may offer CRA-compliant versions with changed functionality, different licensing models, or higher pricing that breaks compatibility with your existing environment.
The OT supply chain risk:
IT infrastructure markets offer reasonable supplier diversity. If your preferred network switch manufacturer exits, alternatives exist. Competition drives compliance.
OT markets are different.
Industrial control systems, safety-instrumented systems, and plant automation often involve single-supplier dependencies for proprietary protocols or legacy integration. Equipment lifecycles run 15-30 years versus 3-5 year IT refresh cycles. Safety certifications and regulatory approvals constrain replacement options. Vendor competition in specialised industrial segments is limited.
If your primary PLC supplier can’t achieve CRA compliance, identifying and qualifying an alternative may require 12-18 months of engineering work, safety revalidation, and operator training.
Starting that assessment in late 2027 when the supplier announces discontinuation leaves you with emergency procurement timelines and constrained choices.
What organisations need to address:
- Vendor readiness assessment. Understanding which suppliers can achieve compliance, which products will be discontinued, and what timeline and cost implications exist is foundational to managing supply chain risk.
- Alternative sourcing strategy. For suppliers with uncertain CRA readiness, or for single-source critical components, organisations need decisions about qualification of secondary suppliers, ideally whilst negotiating leverage still exists.
- Procurement process evolution. CRA compliance needs to be integrated into sourcing specifications, supplier qualification, and contract terms. This isn’t just adding a checkbox. It requires understanding what to verify and how to validate compliance claims.
- Budget and timeline planning. Certification costs will be passed through to buyers. Integration testing of new compliant versions takes time. Organisations need financial and schedule provisions for both planned transitions and potential emergency replacements.
The specifics of how organisations implement these capabilities will vary based on existing procurement maturity, supplier relationships, and operational constraints. The key is recognising that December 2027 procurement restrictions require preparation that begins now.
Why OT faces distinct challenges
Manufacturing organisations often approach CRA as an IT procurement issue, another compliance checkbox for the enterprise infrastructure team.
This misses the distinct challenges in operational technology environments.
You’re not required to replace working equipment:
Let’s be clear: installed OT systems can keep running. The CRA doesn’t force replacement of functional equipment. Many operators run legacy systems until they fail, which is a legitimate strategy when equipment is reliable and spare parts are available.
The real disruption is procurement restriction:
After December 2027, you can only procure CRA-compliant products. New capacity expansions, additional production lines, and replacement parts all come from a constrained market.
Lifecycle economics:
IT infrastructure operates on 3-5 year refresh cycles. Most IT organisations replace equipment within normal technology evolution timeframes. CRA compliance becomes part of routine refresh planning.
OT equipment operates on 15-30 year lifecycles. PLCs installed in 2010 remain in production. SCADA systems deployed in 2005 still monitor critical processes. Procurement decisions made today lock in supplier relationships and system economics for decades.
Market constraint impact:
IT markets are commodity-based with multiple competing suppliers. Network switches, servers, and enterprise software all have reasonable vendor diversity. Some suppliers will exit the EU rather than comply, but alternatives exist. Prices will increase from compliance costs, but competition limits how much.
OT markets are different. Industrial control systems often involve single-supplier dependencies for proprietary protocols. When a PLC supplier exits the EU or discontinues a product line, alternatives may not exist for your specific application. System integrators who face their own CRA compliance costs will pass those through. Your negotiating leverage disappears when supplier choice narrows.
Change window constraints:
IT environments typically accommodate weekly or monthly maintenance windows. Patching, upgrades, and configuration changes happen with regular cadence.
OT environments operate continuous processes or high-utilisation production schedules with limited change windows. Quarterly shutdowns. Twice-yearly turnarounds. Some processes can’t be interrupted outside annual maintenance periods without significant production and revenue impact.
When CRA drives more frequent security patching or requires urgent response to vulnerability notifications, OT organisations must balance security risk against production availability. That trade-off doesn’t exist in most IT contexts.
Safety system interaction:
IT security changes rarely interact with life safety systems. Hardening a web application or patching an enterprise database carries operational risk but not safety risk.
OT security changes may affect safety-instrumented systems, emergency shutdown systems, or equipment operating under Machinery Regulation requirements. CRA-compliant versions of industrial control systems with enhanced security configurations may require reassessment under safety regulations before deployment.
This isn’t theoretical. The CRA and Machinery Regulation interact, and suppliers modifying equipment for CRA security requirements may trigger safety recertification obligations that IT procurement teams don’t anticipate.
The competitive advantage of early action
Organisations beginning CRA supply chain assessment now in 2026 gain strategic advantages over those waiting until late 2027.
- Supplier leverage and pricing. Early engagement lets you negotiate contract terms, pricing, and support commitments whilst suppliers still need customer validation and competition exists. Lock in current pricing before reduced competition drives costs up. Late engagement means accepting whatever terms remain available in a constrained market.
- Alternative sourcing. If you identify supplier gaps now, you have 18 months to qualify secondary suppliers. If your current PLC supplier won’t achieve compliance, finding and qualifying an alternative requires engineering work, safety revalidation, and operator training. Starting now provides runway. Discovering gaps in late 2027 forces emergency decisions with limited alternatives.
- Operational experience. Procuring CRA-compliant equipment now, even for non-urgent capacity additions, builds operational understanding of how security-hardened configurations affect your environment. System integrators working on your installation develop CRA compliance expertise on your budget, not during your next critical expansion under deadline pressure.
- Budget planning. Early cost visibility, covering supplier exit risk and integrator cost pass-through, enables multi-year budget provision. Discover price increases and constrained options in late 2027, and you face emergency requests competing with planned capital programmes from a weaker negotiating position.
Strategic priorities for manufacturing leaders
Organisations need to address CRA supply chain impacts across several dimensions:
Immediate focus:
- Vendor supply chain assessment (compliance readiness, product roadmaps, discontinuation risks)
- High-risk dependency identification (single source, long lifecycle, proprietary equipment)
- Gap analysis between current vulnerability management capabilities and CRA notification requirements
Near-term development:
- Vulnerability management process evolution to handle increased notification volume
- Procurement process integration of CRA compliance verification
- Budget provision for cost increases, integration testing, and contingency replacements
- Vendor relationship management regarding compliance obligations and contract terms
Pre-enforcement preparation:
- Response capability testing as supplier notifications begin (September 2026)
- Alternative sourcing qualification where supplier readiness remains uncertain
- Strategic decisions on spare parts inventory for critical equipment before December 2027 restrictions
The specific implementation approaches will vary based on your organisation’s current maturity, supplier landscape, operational constraints, and risk tolerance. There’s no one-size-fits-all playbook, but there are ways of navigating this transition thoughtfully.
The bottom line
The CRA’s compliance burden falls on suppliers. The operational impact falls on you as a buyer. Treating this as an IT procurement checkbox misses the OT-specific implications: long equipment lifecycles, limited change windows, safety system interactions, and constrained supplier competition in industrial control markets.
Two deadlines matter. September 2026 for vulnerability management capabilities. December 2027 for supply chain and procurement strategy. Both require preparation that starts well before enforcement.
Related Resources:
- EU Cyber Resilience Act Official Policy Page
- CRA Summary of Legislative Text
- IEC 62443 and CRA Compliance Alignment