EuroComply

Cyber Resilience Act for Manufacturing (connected products) in Spain

A practical country and industry compliance guide — obligations, evidence, and next steps.

Direct answer

Manufacturers of connected products in Spain must determine which of their products are in scope and classify them by CRA category, apply the Annex I essential cybersecurity requirements, establish a vulnerability handling process, prepare technical documentation, issue an EU Declaration of Conformity and affix the CE mark, and report actively exploited vulnerabilities and severe incidents through the single reporting platform to the CSIRT designated as coordinator and to ENISA. Full obligations apply from 11 December 2027; the Article 14 reporting obligations apply earlier, from 11 September 2026.

Country: Spain
Industry: Manufacturing (connected products)
Regulation: Regulation (EU) 2024/2847
Supervision: INCIBE is expected to be the primary Spanish CRA market-surveillance and guidance authority for consumer and SME products

Cyber Resilience Act for product manufacturers and software developers
Legal basis: Regulation (EU) 2024/2847, Articles 3, 6, 13, 14 and Annex I

The CRA applies to manufacturers, importers and distributors of products with digital elements (hardware and software) placed or made available on the EU market. Manufacturers must meet the Annex I essential cybersecurity requirements, handle vulnerabilities throughout the product's support period, affix the CE mark, and report actively exploited vulnerabilities and severe incidents to the CSIRT designated as coordinator and to ENISA. The conformity assessment route depends on the category: Class II important products and critical products need a notified body (critical products may additionally need a European cybersecurity certificate), while Class I important products may self-assess only if they fully apply harmonised standards or common specifications.

2027-12-11: Full CRA obligations for all products

All essential cybersecurity requirements, secure-by-design obligations, CE marking, and vulnerability management obligations apply from 11 December 2027.

Source: Regulation (EU) 2024/2847, Articles 3, 6, 13, 14 and Annex I

Manufacturing (connected products) CRA checklist

Action checklist
Classify your product by CRA category

Determine whether your product is Default (most products), Important Class I (Annex III; e.g. operating systems, routers and switches, browsers, password managers, VPN products, microprocessors and microcontrollers with security-related functions, smart-home security devices such as locks, cameras and alarms, connected toys), Important Class II (Annex III; e.g. firewalls, IDS/IPS, hypervisors and container runtimes, tamper-resistant microprocessors and microcontrollers) or Critical (Annex IV; e.g. hardware devices with security boxes such as HSMs, smart meter gateways, smart cards and secure elements). The category determines the conformity assessment route: Class I may use internal control when harmonised standards are fully applied; Class II and Critical require a notified body or a European cybersecurity certificate.

Articles 6, 7, Annex III, Annex IV

Apply Annex I essential cybersecurity requirements

Implement secure-by-design and secure-by-default measures proportionate to the product's cybersecurity risk assessment: ship without known exploitable vulnerabilities and without default passwords, minimise the attack surface (no unnecessary open ports or services), enforce access control, protect data in transit and at rest, collect only the data the product needs, protect the integrity of code, configuration and data, keep essential functions available (including resilience against denial of service), record security-relevant internal activity so users can monitor it, let users securely remove their data, and provide a secure mechanism for installing security updates (where applicable, automatic updates enabled by default with a clear opt-out).

Article 13, Annex I Part I
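The update-mechanism and integrity-protection requirements above are where most connected-product firmware fails in practice: images are accepted if they merely decompress, or an older, vulnerable image can be re-flashed. The following Go program is an added illustration written for this guide, not code from EuroComply or from any manufacturer, of what a device-side check should do: verify an Ed25519 signature over a manifest before parsing it, refuse images for a different product, refuse versions that are not newer than the installed one (anti-rollback), and verify the image digest named in the signed manifest. The product identifier "plc-x1", the version numbers and the image bytes are constructed for the example; the signing key is generated in-process, whereas a real release pipeline keeps it in an HSM or signing service.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the device trusts once the signature over it checks out.
type Manifest struct {
	Product   string `json:"product"`      // product line the image is built for
	Version   uint32 `json:"version"`      // monotonically increasing; drives the anti-rollback check
	ImageSize int    `json:"image_size"`   // length of the firmware image in bytes
	ImageSHA  []byte `json:"image_sha256"` // SHA-256 of the image
}

// SignedUpdate is the bundle an update server ships to a device.
type SignedUpdate struct {
	Manifest  []byte // serialised Manifest, exactly the bytes that were signed
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // firmware image
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrImageDigest  = errors.New("image does not match the signed digest")
)

// SignUpdate runs on the release side, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	mb, err := json.Marshal(Manifest{Product: product, Version: version, ImageSize: len(image), ImageSHA: sum[:]})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: mb, Signature: ed25519.Sign(priv, mb), Image: image}, nil
}

// VerifyUpdate runs on the device, which holds only the public key. The manifest is
// authenticated before anything is parsed from it, so untrusted bytes never reach the
// JSON decoder; the image is checked last, against the digest the signed manifest names.
func VerifyUpdate(pub ed25519.PublicKey, product string, installedVersion uint32, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	if m.Version <= installedVersion {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if len(u.Image) != m.ImageSize || !bytes.Equal(sum[:], m.ImageSHA) {
		return nil, ErrImageDigest
	}
	return &m, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo key; production keys live in an HSM
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, not a real binary")
	update, err := SignUpdate(priv, "plc-x1", 12, image)
	if err != nil {
		panic(err)
	}
	// Device currently runs version 11: the update is accepted.
	m, err := VerifyUpdate(pub, "plc-x1", 11, update)
	fmt.Println("fresh install accepted:", m != nil, "err:", err)
	// Same bundle replayed on a device already on version 12: rejected as rollback.
	_, err = VerifyUpdate(pub, "plc-x1", 12, update)
	fmt.Println("replay:", err)
	// Image modified in transit: digest no longer matches the signed manifest.
	tampered := update
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01
	_, err = VerifyUpdate(pub, "plc-x1", 11, tampered)
	fmt.Println("tampered image:", err)
}
```

The order of checks matters: signature first, then product and version from the now-trusted manifest, then the image. A device that hashed the image before verifying the signature would spend flash and CPU on attacker-controlled input, and one that parsed the manifest first would expose its JSON decoder to unauthenticated data. The installed version used for the rollback check must itself be stored in tamper-resistant storage for the check to mean anything.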

Establish a vulnerability handling process

Document a coordinated vulnerability disclosure policy, a process to receive and assess security reports through a published contact address, a remediation and update release workflow that fixes vulnerabilities without delay and publicly discloses fixed vulnerabilities once an update is available, and a communication channel for security researchers. Annex I Part II also requires identifying and documenting the product's vulnerabilities and components, including a software bill of materials in a commonly used, machine-readable format.

Article 13, Annex I Part II

Prepare technical documentation and Declaration of Conformity

Compile technical documentation covering product design, risk assessment, essential requirements compliance evidence, test results, and instructions for users. Issue an EU Declaration of Conformity before affixing the CE mark.

Articles 26, 28, 32

Report actively exploited vulnerabilities and severe incidents

Submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident, a fuller notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure is available (for vulnerabilities) or within one month after the 72-hour notification (for severe incidents). Notifications go through the single reporting platform to the CSIRT designated as coordinator and to ENISA. These Article 14 obligations apply from 11 September 2026, more than a year before the rest of the Regulation.

Article 14

Plan security support lifecycle

Commit to a support period during which security updates will be released. The support period must reflect the time the product is expected to be in use and be at least five years, unless the product is expected to be in use for less than five years. Security updates that have been issued must remain available for at least ten years or for the remainder of the support period, whichever is longer. State the end-of-support date at the time of purchase and in the user information.

Articles 13(8), 13(9)

What is specific to Spain

INCIBE is expected to be the primary Spanish CRA market-surveillance and guidance authority for consumer and SME products. CCN-CERT handles public sector and critical infrastructure product oversight. Spanish manufacturers should publish vulnerability disclosure policies in Spanish and English and align technical documentation with the harmonised EN standards as adopted by UNE (the Spanish standards body).
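The disclosure contact from the vulnerability handling checklist and the bilingual policy recommended above can both be published in one machine-discoverable place: a security.txt file at /.well-known/security.txt as standardised by RFC 9116. The Go program below is an added example for this guide, not EuroComply's or any vendor's code. It renders such a file and then validates a body against the rules that are most often wrong in published files: at least one Contact, exactly one Expires, Expires in RFC 3339 form, not already past, and (per the RFC's recommendation) less than a year ahead. The example.com addresses, the policy URL and the stale sample body are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// SecurityTxt holds the fields a manufacturer publishes at /.well-known/security.txt (RFC 9116).
type SecurityTxt struct {
	Contacts           []string  // mailto:, https:// or tel: URIs, most preferred first
	Expires            time.Time // after this the file is stale and researchers should not rely on it
	Policy             string    // URL of the coordinated vulnerability disclosure policy
	PreferredLanguages []string  // e.g. "es", "en"
	Canonical          string    // URL at which this file is authoritative
}

// Render produces the file body, one "Field: value" line per entry.
func (s SecurityTxt) Render() string {
	var b strings.Builder
	for _, c := range s.Contacts {
		fmt.Fprintf(&b, "Contact: %s\n", c)
	}
	fmt.Fprintf(&b, "Expires: %s\n", s.Expires.UTC().Format(time.RFC3339))
	if s.Policy != "" {
		fmt.Fprintf(&b, "Policy: %s\n", s.Policy)
	}
	if len(s.PreferredLanguages) > 0 {
		fmt.Fprintf(&b, "Preferred-Languages: %s\n", strings.Join(s.PreferredLanguages, ", "))
	}
	if s.Canonical != "" {
		fmt.Fprintf(&b, "Canonical: %s\n", s.Canonical)
	}
	return b.String()
}

// Validate checks a security.txt body and returns one message per problem found
// (an empty slice means the file passes). Comment lines starting with '#' are skipped.
func Validate(body string, now time.Time) []string {
	var problems []string
	contacts, expires := 0, 0
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, value, ok := strings.Cut(line, ":") // split at the first colon only; values contain colons
		if !ok {
			problems = append(problems, "malformed line: "+line)
			continue
		}
		value = strings.TrimSpace(value)
		switch strings.ToLower(name) {
		case "contact":
			contacts++
			if !strings.HasPrefix(value, "mailto:") && !strings.HasPrefix(value, "https://") && !strings.HasPrefix(value, "tel:") {
				problems = append(problems, "Contact is not a mailto:, https:// or tel: URI: "+value)
			}
		case "expires":
			expires++
			t, err := time.Parse(time.RFC3339, value)
			if err != nil {
				problems = append(problems, "Expires is not RFC 3339: "+value)
				continue
			}
			if !t.After(now) {
				problems = append(problems, "Expires is in the past: "+value)
			} else if t.After(now.AddDate(1, 0, 0)) {
				problems = append(problems, "Expires is more than a year ahead: "+value)
			}
		}
	}
	if contacts == 0 {
		problems = append(problems, "no Contact field")
	}
	if expires != 1 {
		problems = append(problems, fmt.Sprintf("expected exactly one Expires field, found %d", expires))
	}
	return problems
}

func main() {
	now := time.Now()
	f := SecurityTxt{ // constructed example values
		Contacts:           []string{"mailto:security@example.com", "https://example.com/security/report"},
		Expires:            now.AddDate(0, 6, 0),
		Policy:             "https://example.com/security/cvd-policy",
		PreferredLanguages: []string{"es", "en"},
		Canonical:          "https://example.com/.well-known/security.txt",
	}
	body := f.Render()
	fmt.Print(body)
	fmt.Println("problems:", Validate(body, now))
	stale := "Contact: security@example.com\nExpires: 2020-01-01T00:00:00Z\n" // constructed bad file
	fmt.Println("problems:", Validate(stale, now))
}
```

Regenerate the file from a release job rather than editing it by hand: the Expires field is the check that silently fails a year after someone last touched it, and a stale file tells a researcher the address may no longer be monitored. The RFC also asks for the file to be served over HTTPS and, optionally, carried in a signed (OpenPGP cleartext) form; neither is shown here.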

Priority actions for Manufacturing (connected products)

  • Audit which products have a direct or indirect data connection (Ethernet, Wi-Fi, Bluetooth, industrial fieldbus, but also USB or serial links), since that connection is what brings a product with digital elements into CRA scope
  • Classify each connected product as Default, Important Class I/II, or Critical
  • Implement a secure firmware update mechanism (authenticated images) and document it in the technical file
  • Establish a vulnerability disclosure contact (email/form) on the company website
  • Define a security support period per product: at least five years, or the expected time of use if that is shorter

Turn this guide into a real assessment

Use EuroComply's free tools to check your specific scope, estimate fine exposure, and build an evidence file.

Key CRA Compliance Questions

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the European Union's first regulation that directly addresses the cybersecurity of products with digital elements. Before CRA, EU security and data protection law (NIS2, GDPR) focused on operators and data controllers, not on the products themselves. CRA shifts responsibility upstream to manufacturers: any company that designs, develops, or places a product with digital elements on the EU market must ensure that product is secure by design and by default, supported with security updates throughout its support period, and transparent about known security issues. CRA entered into force on 10 December 2024, with most obligations applying from 11 December 2027. It represents a fundamental change in how software and hardware vendors must approach product security, moving from voluntary best practices to mandatory, auditable requirements backed by significant penalties.

Who must comply with the Cyber Resilience Act?

CRA applies to any manufacturer, importer, or distributor that places or makes available a "product with digital elements" on the EU market, regardless of where the manufacturer is headquartered. This includes: (1) Software vendors: enterprise software, operating systems, browsers, productivity tools, and mobile applications. (2) Hardware manufacturers: IoT devices, routers, smart home products, industrial control systems, network equipment. (3) Embedded software developers: firmware for industrial automation and for connected devices that no sector-specific regime already covers (medical devices under MDR/IVDR and type-approved vehicles are excluded). (4) Importers and distributors: they carry their own, lighter obligations, such as verifying that the manufacturer has carried out the conformity assessment, drawn up the technical documentation and affixed the CE mark, and not placing a product on the market they know to be non-compliant. Open source software is out of scope when it is not monetised; open-source software stewards are subject to a light-touch regime. If you sell any connected product, physical or software, into the EU market after 11 December 2027, CRA compliance is mandatory.

What is a "product with digital elements" under CRA?

Article 3 of CRA defines a product with digital elements as a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately; Article 2 brings into scope those whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This encompasses a broad range of products: (1) Consumer IoT: smart speakers, home security cameras, connected thermostats, fitness trackers. (2) Industrial/Enterprise: SCADA systems, network switches, routers, firewalls, industrial sensors. (3) Software products: operating systems, security software, virtualization platforms, database software, communication tools. (4) Mobile applications that communicate with a backend service. (5) Remote data processing solutions: cloud-side processing designed by the manufacturer without which the product could not perform one of its functions. Excluded from CRA scope: medical devices (MDR/IVDR), type-approved motor vehicles, civil aviation equipment under EASA rules, marine equipment, and products developed exclusively for national security or defence purposes. CRA distinguishes default products, important products (Annex III, split into Class I and Class II) and critical products (Annex IV); Class II and critical products require mandatory third-party conformity assessment or European cybersecurity certification.


Informational only. This page is not legal advice; consult qualified counsel for your specific situation.