
Cyber Resilience Act Articles 13 and 14: Why an ISMS Is Not Enough
The CRA requires Security by Design, vulnerability reporting within 24 hours, SBOMs, and CE marking. An ISMS supports governance, but not product-level compliance.
Cyber Resilience Act Articles 13 and 14: Why an ISMS Is Not Enough for Products with Digital Elements
The Cyber Resilience Act obligates manufacturers of hardware and software to implement Security by Design, continuous vulnerability management, and reporting obligations for actively exploited vulnerabilities. What many organizations underestimate: These obligations extend throughout the entire product lifecycle — and require evidence that an ISMS alone cannot provide.
An ISMS structures internal governance. The CRA additionally requires product-specific cybersecurity requirements from the design phase, reporting of actively exploited vulnerabilities within 24 hours (Article 14), Software Bills of Materials (SBOM), CE marking, and ongoing security updates throughout the entire support period (Article 13).
Jump to:
- Article 14: Reporting Obligations for Manufacturers
- Article 13: Obligations of Manufacturers
- Supply Chain: Obligations for Importers and Distributors
Why an ISMS Is No Longer Sufficient Under the Cyber Resilience Act
Regulation (EU) 2024/2847 — the Cyber Resilience Act (CRA) — entered into force on December 10, 2024, and will become fully applicable from December 11, 2027. The reporting obligations under Article 14 already apply from September 11, 2026.
The CRA is the first EU-wide regulation establishing mandatory minimum cybersecurity requirements for products with digital elements — regardless of whether they are low-cost consumer products or high-value B2B software.
The crucial difference from NIS2, DORA, or GDPR: The CRA is product-centric, not organization-centric. While an ISMS structures an organization's security, the CRA demands security at the product level — from design through development to the entire product lifetime.
Where an ISMS Contributes to CRA Compliance — Organizational Foundation
A good ISMS provides the structural basis for many CRA requirements:
- Risk management processes for assessing cybersecurity risks
- Documented processes for vulnerability management
- Incident response procedures as a foundation for reporting obligations
- Configuration management and change control processes
Annex I of the CRA requires that products be "designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks." This sounds like ISMS territory — and an ISMS can indeed serve as a foundation here.
However, the CRA goes further at critical points: It requires product-specific evidence, reporting obligations with very short deadlines, and CE marking confirming conformity with cybersecurity requirements.
Where the CRA Goes Beyond an ISMS
Article 14: Reporting Obligations for Manufacturers
The CRA introduces a three-tier reporting regime for actively exploited vulnerabilities and severe security incidents.
Early Warning (24 Hours)
The manufacturer must report any actively exploited vulnerability it becomes aware of to the relevant CSIRT and ENISA without undue delay and in any event within 24 hours.
Reporting is done via the Single Reporting Platform (SRP) operated by ENISA to the CSIRT of the Member State where the manufacturer has its main establishment.
Content of the early warning under Article 14(2)(a):
| Element | Description |
|---|---|
| Timing | Without undue delay, in any event within 24 hours of becoming aware |
| Affected Member States | Indication of Member States where the product has been made available |
| Nature of the vulnerability | Initial classification of the security flaw |
Full Notification (72 Hours)
Within 72 hours of becoming aware, a complete vulnerability notification must be submitted, unless the information was already included in the early warning.
Content of the full notification under Article 14(2)(b):
| Element | Description |
|---|---|
| General information | Nature of the vulnerability and affected products |
| Technical details | Description of the vulnerability and its impact |
| Severity | Assessment of criticality |
| Measures taken | Countermeasures already implemented |
| User recommendations | Possible risk mitigation measures |
Final Report
| Situation | Deadline |
|---|---|
| Actively exploited vulnerability | No later than 14 days after a corrective measure becomes available |
| Severe security incident | No later than 1 month after the 72-hour notification |
The final report must include a root cause analysis, corrective measures taken, and preventive measures.
User Notification
Under Article 14(8), once a manufacturer becomes aware of an actively exploited vulnerability or a severe security incident, it must inform affected users about the vulnerability or incident and, where applicable, about risk mitigation measures.
If the manufacturer fails to inform users in a timely manner, the relevant CSIRT may publish this information itself.
Article 13: Obligations of Manufacturers
The CRA establishes comprehensive obligations for manufacturers throughout the entire product lifecycle.
Security by Design and Default (Article 13(1))
Manufacturers must ensure that products with digital elements are designed, developed, and produced in accordance with the essential cybersecurity requirements in Annex I Part I:
| Requirement | Description |
|---|---|
| Appropriate level of protection | Products must ensure a level of cybersecurity appropriate to the risks |
| No known vulnerabilities | Products must not be placed on the market with known exploitable vulnerabilities |
| Secure default configuration | Products must be delivered with secure default settings |
| Protection against unauthorized access | Authentication, identity, and access control mechanisms |
| Protection of confidentiality | Encryption of data at rest and in transit |
| Protection of integrity | Protection against unauthorized manipulation of data and functions |
| Protection of availability | Resilience against denial-of-service attacks |
| Minimization of attack surface | Reduction of external interfaces to what is necessary |
Software Bill of Materials (SBOM)
Annex I Part II requires manufacturers to identify and document vulnerabilities and components of their products — including a Software Bill of Materials (SBOM) in a commonly used and machine-readable format covering at least the top-level dependencies.
The SBOM does not need to be published but must be made available to market surveillance authorities upon request.
Why SBOM obligations effectively apply from September 2026:
The SBOM requirement formally becomes enforceable only on December 11, 2027. However, the reporting obligations already apply from September 11, 2026. Without an SBOM and vulnerability monitoring, a manufacturer cannot know whether a newly disclosed vulnerability affects their product — and the 24-hour deadline passes.
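As an added illustration (not code from the article, the regulation or any named product) of why the SBOM and the Article 14 clock belong together: a small Python script matches a constructed CycloneDX-style SBOM against a constructed advisory list and derives the 24-hour, 72-hour and 14-day deadlines from the moment of becoming aware. The component names, advisory IDs and version ranges are all hypothetical.

```python
import json
from datetime import datetime, timedelta

# Constructed minimal CycloneDX-style SBOM for a hypothetical product; the CRA
# requires at least the top-level dependencies, which is all that is listed.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "libexample-tls", "version": "2.4.1", "purl": "pkg:generic/libexample-tls@2.4.1"},
    {"name": "jsonparse", "version": "1.0.7", "purl": "pkg:generic/jsonparse@1.0.7"}
  ]
}"""

# Constructed advisory entries with hypothetical IDs and version ranges (not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "component": "libexample-tls", "introduced": "2.0.0",
     "fixed": "2.4.3", "actively_exploited": True},
    {"id": "ADV-0002", "component": "jsonparse", "introduced": "1.1.0",
     "fixed": "1.1.4", "actively_exploited": True},
]

def parse_version(v):
    # '2.4.10' -> (2, 4, 10): compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

def affected_components(sbom_json, advisories):
    """Match each SBOM component against the advisory list; a component is
    affected when its version lies in [introduced, fixed) of an advisory."""
    components = json.loads(sbom_json)["components"]
    hits = []
    for adv in advisories:
        lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
        for c in components:
            if c["name"] == adv["component"] and lo <= parse_version(c["version"]) < hi:
                hits.append({"advisory": adv["id"], "component": c["name"],
                             "version": c["version"],
                             "actively_exploited": adv["actively_exploited"]})
    return hits

def article14_deadlines(aware_at_iso, fix_available_at_iso=None):
    """Article 14 clock for an actively exploited vulnerability: early warning
    24 h and full notification 72 h after becoming aware; final report 14 days
    after a corrective measure becomes available. Times are ISO 8601 strings."""
    aware = datetime.fromisoformat(aware_at_iso)
    out = {"early_warning": (aware + timedelta(hours=24)).isoformat(),
           "full_notification": (aware + timedelta(hours=72)).isoformat()}
    if fix_available_at_iso:
        fix = datetime.fromisoformat(fix_available_at_iso)
        out["final_report"] = (fix + timedelta(days=14)).isoformat()
    return out
```

Running `affected_components(SBOM_JSON, ADVISORIES)` flags only libexample-tls 2.4.1; without the SBOM there is nothing to match the advisory against, and the 24-hour early-warning deadline from `article14_deadlines` runs regardless.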
Support Period and Security Updates (Article 13(8))
Manufacturers must determine a support period during which they provide security updates. This period must:
- Be at least 5 years (or shorter if the expected product lifetime is shorter)
- Be communicated to users before purchase
- Include free security updates
Technical Documentation (Article 13 and Annex VII)
Manufacturers must prepare technical documentation and retain it for 10 years after placing on the market or during the support period (whichever is longer):
| Document | Description |
|---|---|
| Product description | Conception, design, and development |
| Cybersecurity risk assessment | Assessment of risks under Article 13(2) |
| SBOM | Software Bill of Materials of components |
| Conformity assessment | Evidence of compliance with requirements |
| EU Declaration of Conformity | Manufacturer's declaration |
Why Due Diligence Is Not a One-Off Exercise
Due Diligence for Third-Party Components (Article 13(5))
When integrating third-party components — including open-source software — manufacturers must exercise due diligence to ensure that these components do not compromise the cybersecurity of the product.
Reporting Vulnerabilities in Components (Article 13(6))
If a manufacturer identifies a vulnerability in a component, they must report it to the manufacturer or maintainer of that component and remediate the vulnerability in accordance with the requirements.
Substantial Modifications (Article 3(31))
A substantial modification is any change to a product after placing on the market that:
- May affect compliance with cybersecurity requirements, or
- Constitutes a change in the intended purpose
Upon a substantial modification, the modifier becomes the manufacturer for the affected product or part — with all obligations under Articles 13 and 14.
Supply Chain: Obligations for Importers and Distributors
The CRA establishes a chain of responsibility throughout the entire supply chain.
Obligations of Importers (Article 19)
Importers may only place products on the market that comply with cybersecurity requirements. Before placing on the market, they must ensure:
| Verification duty | Description |
|---|---|
| Conformity assessment | The manufacturer has carried out the required procedures |
| Technical documentation | The manufacturer has prepared the documentation |
| CE marking | The product bears the CE marking |
| EU Declaration of Conformity | The declaration accompanies the product |
| User information | Instructions and information are provided in an understandable language |
Importers must retain the EU Declaration of Conformity and technical documentation for 10 years and make them available to market surveillance authorities upon request.
Obligations of Distributors (Article 20)
Before making a product available on the market, distributors must verify:
- The product bears the CE marking
- The manufacturer and importer have fulfilled their obligations
- All required documents are provided
If an importer or distributor becomes a manufacturer themselves (by marketing under their own name or making a substantial modification), all obligations under Articles 13 and 14 apply to them.
Vulnerability Reporting by Importers and Distributors
Importers and distributors who become aware of a vulnerability must inform the manufacturer without delay. If there are indications of non-compliance, they may not (continue to) make the product available on the market.
Penalties (Article 64)
The CRA provides for a three-tier penalty system:
| Violation | Fine | Legal basis |
|---|---|---|
| Essential cybersecurity requirements (Annex I) and manufacturer obligations (Art. 13, 14) | Up to EUR 15 million or 2.5% annual turnover | Art. 64(2) |
| Other obligations (Art. 18–23, 28, 30–33, 39, 41, 47, 49, 53) | Up to EUR 10 million or 2% annual turnover | Art. 64(3) |
| False or incomplete information to authorities | Up to EUR 5 million or 1% annual turnover | Art. 64(4) |
The higher amount applies in each case.
Exceptions:
- Micro-enterprises and small enterprises are exempt from fines for non-compliance with the 24-hour deadline under Article 14
- Open-source software stewards are exempt from all fines under the CRA
Additional measures by market surveillance authorities:
In addition to fines, authorities can withdraw products from the market, order recalls, or prohibit placing on the market — EU-wide.
ISMS and Trust Center: Two Perspectives on Compliance
The CRA creates a new dimension of product liability for cybersecurity. An ISMS remains indispensable for organizational governance — but the product-related requirements of the CRA require additional structures.
The Two Directions of a Trust Center
As a Manufacturer / Seller (Outbound):
Organizations selling products with digital elements in the EU must provide customers and authorities with extensive evidence. A Trust Center consolidates this documentation in one professional location:
| Document | Purpose | CRA Reference |
|---|---|---|
| EU Declaration of Conformity | Evidence of compliance | Art. 13(20) |
| CE marking | Conformity marking | Art. 30 |
| SBOM (upon request) | Transparency about components | Annex I Part II |
| Technical documentation | Evidence of conformity | Annex VII |
| Support period and update policy | Information for users | Art. 13(8) |
| Vulnerability Disclosure Policy | Process for vulnerability reports | Annex I Part II |
| Certifications (ISO 27001, IEC 62443) | Supporting evidence | Art. 27 |
| Penetration test reports | Independent assessment | Annex I Part II |
As a Buyer / Integrator (Inbound):
Organizations integrating products with digital elements into their own products are obligated to exercise due diligence under Article 13(5). A Trust Center supports:
- Collection and maintenance of manufacturer evidence and SBOMs
- Monitoring of security updates and known vulnerabilities
- Documentation of due diligence in component selection
- Evidence of supply chain compliance for own customers
The Dual Perspective
Many B2B organizations are simultaneously buyers (integrating third-party components) and manufacturers (selling their own products). A Trust Center addresses both roles:
- Inbound: Evidence of due diligence when integrating third-party components
- Outbound: Provision of all required evidence to customers and authorities
Without a Trust Center, this documentation runs through email, individual requests, and manual processes — incompatible with the short CRA deadlines and the complexity of modern software supply chains. With a Trust Center, reactive document searches become a functioning system.
The Critical Timeline
| Date | Obligation |
|---|---|
| December 10, 2024 | CRA entered into force |
| June 11, 2026 | Notified Bodies authorized for conformity assessment |
| September 11, 2026 | Reporting obligations under Article 14 apply — including for products already on the market |
| December 11, 2027 | Full application of all CRA requirements |
The reporting obligations from September 2026 are the critical milestone: Organizations that have not implemented SBOM-based vulnerability monitoring and incident response processes by then cannot meet the 24-hour deadline.
Organizations that connect governance and communication are well-positioned: An ISMS for internal governance, a Trust Center for external communication — in both directions of the supply chain. This transforms compliance effort into a functioning system and documentation into true cyber resilience.
Sources
- Regulation (EU) 2024/2847 (Cyber Resilience Act) – Full Text – Official Journal of the European Union. The complete text of the Cyber Resilience Act.
- European Commission – Cyber Resilience Act Summary – Summary of key provisions.
- European Commission – CRA Reporting Obligations – Details on reporting obligations and the Single Reporting Platform.
- BSI – Cyber Resilience Act – Information and guidance from BSI.
- european-cyber-resilience-act.com – Article 13 – Obligations of manufacturers.
- european-cyber-resilience-act.com – Article 14 – Reporting obligations.
- european-cyber-resilience-act.com – Article 64 – Penalties.
- ENISA – CRA Requirements Standards Mapping – Mapping of CRA requirements to existing standards.