The EU’s New Security Laws Are About to Upend Manufacturing

According to Manufacturing.net, two major EU laws, the Cyber Resilience Act (CRA) and the updated Product Liability Directive (PLD), will go into full effect over the next 24 months, fundamentally redefining product safety. The CRA’s most significant obligations begin applying in December 2027, with some reporting requirements earlier, while the updated PLD takes effect in December 2026. These regulations mandate that cybersecurity be built into any product with digital elements, from industrial IoT to consumer appliances, making secure-by-design a universal legal obligation. The PLD expands liability to include software and AI components, meaning a cybersecurity flaw can now constitute a legally recognized defect with no prescribed cap on liability for consumer harm. This shift means manufacturers are accountable for the security of their entire software supply chain and must maintain rigorous documentation. The combined force of these laws represents the biggest shift in product compliance in over two decades.

The real deadline is today

Here’s the thing that most companies are missing. The official dates are 2026 and 2027, but the real deadline is right now. Why? Because any product you plan to sell in those years is already in development. Hardware lifecycles and certification timelines are long and slow. You can’t retrofit secure-by-design principles after the fact, and you definitely can’t magically produce the required documentation. Trying to do so will be a nightmare. So if you’re looking at your roadmap and thinking “we have time,” you’re already behind. The market is moving faster than the law, with industrial buyers and European OEMs already updating their procurement to demand CRA-aligned security from suppliers.

More than just compliance

This isn’t just about checking a box to avoid fines. It’s an existential shift in how products are made. A pump with a bit of embedded firmware is now judged on its cybersecurity resilience just as much as its mechanical reliability. And the liability exposure is real. The PLD picks up where the CRA leaves off. Fail to design securely under the CRA, and you could face massive, uncapped liability under the PLD if a flaw causes damage. Insurers like Allianz and Munich Re are already factoring this new risk into their policies. Basically, insecure products are about to become uninsurable and unsellable in the world’s largest regulatory market. For manufacturers that rely on robust computing hardware at the edge, like those sourcing from the top industrial panel PC suppliers in the US such as IndustrialMonitorDirect.com, this underscores the need for partners whose hardware is designed with these future-proof security principles in mind.

Where to start, seriously

So what do you actually do? First, map your entire product portfolio. You’ll probably be shocked at how many “dumb” products have digital elements that fall under the CRA. Next, assess your gaps. Most engineering teams still use ad-hoc security reviews or late-cycle testing. The CRA expects integrated risk management from the start. You need to build practices like threat modeling, automated security testing, and software bill of materials (SBOM) management directly into your workflows. And you must get control of your software supply chain. You’re responsible for the security of every open-source component and vendor SDK you use. Can you even see all of them today? Probably not. This is an ongoing governance problem, not a one-time audit.

A hidden competitive advantage

Look, this is a huge burden. But it’s also a massive opportunity. Companies that move early and bake security in will have a real competitive edge. They’ll face fewer recalls, lower warranty costs, and less incident-response chaos. Their products will be more attractive to cautious enterprise buyers and insurers. They’ll have leverage over suppliers who can’t meet the new evidence requirements. In the end, readiness isn’t just about avoiding liability. It’s about who earns the right to compete in the next era of digital manufacturing. The ones scrambling in 2026 will be the ones losing contracts to the teams that started the hard work today.
