A PYMNTS Company

Europe’s Cybersecurity Clock Is Ticking. Here’s What Companies Need to Know

March 16, 2026

A sweeping European Union law is about to reshape how tech companies, from Silicon Valley giants to small software startups, build and sell their products. And the clock is already running.


The EU’s Cyber Resilience Act, known as the CRA, is one of the most ambitious digital security laws ever passed. It requires that virtually any product containing software or connected technology be built with security in mind from the start, and that it stay secure for its entire lifespan. That includes everything from smart home devices to enterprise software. Now, with key deadlines approaching, companies are scrambling to figure out what they need to do and when.

On March 3, the European Commission published draft guidance intended to help businesses navigate the law’s more complicated requirements. The guidance is open for public comment until March 31, according to an analysis by the international law firm Steptoe.

The guidance couldn’t come at a better time. According to Steptoe, the first major compliance deadline hits in less than six months. Starting September 11, 2026, manufacturers must begin reporting certain cybersecurity incidents to EU authorities — specifically, any actively exploited vulnerability in their products, or any serious security incident that affects users. Those reports must go to national computer security teams and to ENISA, the EU’s cybersecurity agency. Affected users must also be notified.

After that, companies face a broader and more demanding deadline. By December 11, 2027, virtually all other CRA requirements kick in. That means manufacturers will need to meet baseline cybersecurity standards, conduct formal risk assessments, maintain detailed technical documentation, and handle vulnerabilities throughout a product’s entire life. They will also need to follow secure-by-design processes, meaning security has to be baked in from the drawing board, not bolted on later.


One aspect of this law that catches many companies off guard, per Steptoe, is that it applies far beyond Europe’s borders. The CRA “has an extraterritorial effect and it applies to any company that manufactures, imports, or distributes on the EU market products with digital elements, irrespective of its location or establishment,” the firm writes. In plain terms, if you sell a connected product in Europe, this law applies no matter where your headquarters are.

The Commission’s draft guidance also takes on some genuinely tricky questions. How should a company decide how long it needs to support a product with security updates? What counts as a significant enough change to a product that a company must go through a new security review? How does the CRA interact with other EU laws like the GDPR and the NIS 2 cybersecurity directive? The draft guidance tries to answer all of these.

Businesses, industry groups, and technical experts have until March 31 to submit feedback on the draft through an official EU form. Steptoe calls it a meaningful opportunity to help shape the final version of the guidance. Companies that see gaps, ambiguities, or practical problems with the current draft should make their voices heard now. Once the final guidance is published, the rules of the road will be set. And for any company selling digital products in Europe, the time to start preparing is not December 2027. It’s now.