The most important requirements of the CRA are placed on the products that are placed on the market. But there are also requirements for the processes that manufacturers have set up to develop, design, manufacture and maintain their products.
In order to prevent security issues, the manufacturer of a product must determine the functionality and intended operation of the product. The manufacturer carries out a risk analysis, which must form the basis for the safe design of the product. It is important that all vulnerabilities and real risks are eliminated. In the event of serious incidents or actively exploited vulnerabilities, the manufacturer will be obliged from 11 September 2026 to report to the national CSIRT (in the Netherlands the NCSC) and to inform and advise the affected users. The law also requires the manufacturer to set up a process to respond to vulnerabilities and to be able to address them immediately, for example by providing a security update. These obligations apply for the entire expected useful life of the product, but for a minimum period of five years.