
Cyber Resilience Act: New obligations for manufacturers and implications for Sophos Firewall
The Cyber Resilience Act will change the rules for manufacturers of digital products from 2027. Security updates must be provided free of charge, support periods must be clearly defined and security must be proven at the design stage. This means more transparency for IT administrators and adjustments to the update strategy for providers such as Sophos.
Brief overview
- EU regulation applies from 11.12.2027
- At least five years of free security updates required
- Obligation for secure design, documentation and reporting processes
- Sophos must adapt its update policy
- IT administrators gain more planning security
Why the topic is relevant now
The Cyber Resilience Act has been in force since the end of 2024. Manufacturers and customers have until December 2027 to change their processes. For IT security in Europe, this means a binding standard: products without security updates and unclear lifecycle information should disappear.
What is changing or what is new
- Security updates free of charge: Manufacturers are no longer allowed to put critical patches behind a paywall.
- Transparent support periods: At least five years of updates or explicit specification of shorter terms.
- CE marking: From 2027, the CE mark will also confirm cybersecurity conformity.
- Reporting obligations: Security incidents and actively exploited vulnerabilities must be reported in two stages: an early warning within 24 hours and a further notification within 72 hours. The addressees are the designated CSIRT (as coordinator) and ENISA, via the central reporting platform.
- High penalties: Up to 15 million euros or 2.5% of annual global turnover for violations.
Technical overview
The Cyber Resilience Act is aimed at all “products with digital elements”. This includes traditional enterprise systems such as firewalls, routers and operating systems, but also IoT devices in the consumer sector and security-critical software. The requirements therefore affect practically the entire ecosystem of networked products. Manufacturers must fulfill the following obligations under the Cyber Resilience Act:
- Prove security by design (e.g. secure default settings, encryption, tested protocols, hardening against DoS attacks).
- Maintain a software bill of materials (SBOM) that lists all relevant components, libraries and dependencies in detail in order to create transparency for updates and vulnerability management.
- Offer auto-update options, at least for security-critical fixes, and ensure that these updates can be installed without significant interruption or disruption. For professional environments, there must also be an option for controlled, scheduled installation.
- Maintain documentation for ten years, including risk assessments, test reports and declarations of conformity, so that an inspection can trace at any time how security was ensured.
- Establish a vulnerability management process and a contact point for reporting security issues, so that external researchers or customers can immediately report any vulnerabilities they discover.
- Implement mechanisms for secure updates (e.g. signing, verification) to prevent manipulation during distribution.
These detailed requirements make it clear that the Cyber Resilience Act not only sets minimum standards, but also requires comprehensive security management from development through operation to the support period.
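The last obligation in the list, signed updates with verification on the device, is shown below as an added example. It is not Sophos code and not any vendor's real update format: the manifest fields, the Ed25519 key pair, the firmware bytes and the "example-fw" product name are all constructed for the demonstration. The point it makes is the order of checks a defender wants: verify the signature on the raw manifest bytes first, only then parse the manifest, then compare the image digest in constant time, and install nothing unless every step passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The field names are an assumption
// for this example, not any vendor's real update format.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the image bytes
}

// SignManifest is the vendor-side step: serialise the manifest and sign the
// exact bytes that the device will later verify.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the device-side step. The signature is checked before the
// manifest is parsed, so unauthenticated input never reaches the JSON decoder,
// and the image digest is compared in constant time. Both checks must pass
// before an image may be installed.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, image []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest digest malformed")
	}
	got := sha256.Sum256(image)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, errors.New("image digest does not match manifest")
	}
	return &m, nil
}

func hexDigest(b []byte) string {
	d := sha256.Sum256(b)
	return hex.EncodeToString(d[:])
}

// Scenarios runs three cases against a constructed vendor key pair: a genuine
// update, an image altered in transit under a genuine manifest, and a manifest
// signed with a key that is not the vendor's. Each result is true when the
// verifier accepted the update, so only the first should be true.
func Scenarios() (genuine, alteredImage, foreignKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	image := []byte("constructed firmware image, not a real build") // constructed sample
	manifestJSON, sig, err := SignManifest(priv, Manifest{Product: "example-fw", Version: "1.2.3", SHA256: hexDigest(image)})
	if err != nil {
		return
	}
	_, e := VerifyUpdate(pub, manifestJSON, sig, image)
	genuine = e == nil

	altered := append([]byte(nil), image...)
	altered[0] ^= 0x01 // one flipped bit, as corruption in transit would produce
	_, e = VerifyUpdate(pub, manifestJSON, sig, altered)
	alteredImage = e == nil

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	otherJSON, otherSig, err := SignManifest(otherPriv, Manifest{Product: "example-fw", Version: "1.2.4", SHA256: hexDigest(altered)})
	if err != nil {
		return
	}
	_, e = VerifyUpdate(pub, otherJSON, otherSig, altered)
	foreignKey = e == nil
	return
}

func main() {
	genuine, alteredImage, foreignKey, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, altered image accepted: %v, foreign key accepted: %v\n",
		genuine, alteredImage, foreignKey)
}
```

The vendor public key would be burned into the device or shipped with the current firmware; what matters for the CRA obligation is that a manifest produced with any other key, or an image that no longer matches the signed digest, is rejected before installation rather than detected afterwards.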
Practical guide for IT administrators
Preparation:
- Review procurement processes: only purchase CRA-compliant products in future.
- Document lifecycle information and supplement it in asset management.
- Clarify responsibilities in the IT team and define roles for update management.
- Compare internal guidelines with CRA requirements and complete missing processes.
Implementation:
- Schedule security updates regularly, even if automatic updates are available.
- Subscribe to manufacturer notifications and integrate them into internal processes.
- Use test environments to check updates before rollout on critical systems.
- Use interfaces to ticketing or monitoring tools to automatically document update processes.
Validation:
- Test patches after installation.
- Check logs for anomalies after update.
- Perform network and security scans to ensure that known vulnerabilities have been closed.
- Generate compliance reports that meet CRA requirements.
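One way to back the last two validation steps with the manufacturer's SBOM, as an added example that is not part of the original article: compare the SBOM delivered with the previous firmware against the one delivered with the update, and report which advisories the update closed and which remain open. The minimal CycloneDX-like JSON shape, the dotted-numeric version comparison and the advisory records with "ADV-EXAMPLE-n" IDs are all assumptions constructed for the demonstration; real advisories carry version ranges and real SBOMs carry many more fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component and SBOM follow a minimal CycloneDX-like shape (an assumption for
// this example); a real SBOM carries far more fields.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type SBOM struct {
	Components []Component `json:"components"`
}

// Advisory is one vulnerability record: every version of Component below
// FixedIn is affected. The IDs used below are constructed placeholders.
type Advisory struct {
	ID        string
	Component string
	FixedIn   string
}

// parseVersion turns "3.0.12" into [3 0 12]; non-numeric parts count as 0.
func parseVersion(v string) []int {
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// versionLess reports whether a < b as dotted numeric versions.
func versionLess(a, b string) bool {
	av, bv := parseVersion(a), parseVersion(b)
	for i := 0; i < len(av) || i < len(bv); i++ {
		var x, y int
		if i < len(av) {
			x = av[i]
		}
		if i < len(bv) {
			y = bv[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// affectedIDs returns the advisory IDs that apply to the components in s.
func affectedIDs(s SBOM, advs []Advisory) map[string]bool {
	hit := map[string]bool{}
	for _, c := range s.Components {
		for _, a := range advs {
			if a.Component == c.Name && versionLess(c.Version, a.FixedIn) {
				hit[a.ID] = true
			}
		}
	}
	return hit
}

// Report compares the SBOMs from before and after an update: "closed" lists
// advisories that applied before but no longer do, "open" those still applying.
func Report(beforeJSON, afterJSON []byte, advs []Advisory) (closed, open []string, err error) {
	var before, after SBOM
	if err = json.Unmarshal(beforeJSON, &before); err != nil {
		return
	}
	if err = json.Unmarshal(afterJSON, &after); err != nil {
		return
	}
	wasHit, isHit := affectedIDs(before, advs), affectedIDs(after, advs)
	for _, a := range advs { // advisory order keeps the report deterministic
		switch {
		case isHit[a.ID]:
			open = append(open, a.ID)
		case wasHit[a.ID]:
			closed = append(closed, a.ID)
		}
	}
	return
}

// SampleReport runs Report over constructed SBOMs and constructed advisories.
func SampleReport() (closed, open []string, err error) {
	before := []byte(`{"components":[{"name":"openssl","version":"3.0.12"},{"name":"zlib","version":"1.2.11"},{"name":"curl","version":"8.4.0"}]}`)
	after := []byte(`{"components":[{"name":"openssl","version":"3.0.15"},{"name":"zlib","version":"1.2.11"},{"name":"curl","version":"8.5.0"}]}`)
	advs := []Advisory{
		{"ADV-EXAMPLE-1", "openssl", "3.0.14"},
		{"ADV-EXAMPLE-2", "zlib", "1.2.12"},
		{"ADV-EXAMPLE-3", "curl", "8.5.0"},
		{"ADV-EXAMPLE-4", "curl", "8.6.0"},
	}
	return Report(before, after, advs)
}

func main() {
	closed, open, err := SampleReport()
	if err != nil {
		panic(err)
	}
	fmt.Println("closed by update:", closed)
	fmt.Println("still open:", open)
}
```

The "still open" list is the one that belongs in the compliance report and in the ticket for the next update window; the "closed" list documents what the update actually fixed, independent of what the release notes claim.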
Rollback & Monitoring:
- Maintain rollback plans for critical systems.
- Use monitoring to quickly detect failures after updates.
- Define alerts so that critical errors are immediately visible.
- Provide emergency checklists so that operations can be restored quickly in the event of an emergency.
Recommendations and best practices
| Topic | Recommendation |
|---|---|
| Product selection | Give preference to CRA-compliant manufacturers |
| Support duration | Select devices with at least 5 years of update commitments |
| Patch management | Establish central update management |
| Documentation | Include SBOM and lifecycle data in the inventory |
| Communication | Automate the intake of manufacturer security advisories |
Impact on Sophos and other platforms
Sophos changed its firmware update policy in 2022: since then, firmware updates have only been available with a valid support license. Security fixes and signature updates remained free of charge, but regular firmware releases did not. The Cyber Resilience Act is forcing manufacturers such as Sophos to rethink this separation. In future, a distinction will probably have to be made between “feature updates” (for a fee) and “security fixes” (free of charge).
For IT administrators, this means:
- More clarity about appliance support periods.
- Reliable access to security-critical patches, even without a license.
- Greater transparency of lifecycle and End-of-Life data.
Frequently asked questions
Does the Cyber Resilience Act also apply to existing products?
No, it applies to products that are placed on the market for the first time from 11.12.2027.
What happens to old devices without updates?
Devices without security support will no longer be CRA-compliant after the end of the support period and pose risks.
Do updates have to be installed automatically?
Yes, for many consumer devices. For firewalls or critical systems, a manual option with notification is sufficient.
What penalties do manufacturers face?
Up to EUR 15 million or 2.5% of annual global turnover.
What role does Avanet play?
Avanet provides support with lifecycle planning, update strategies and the selection of Cyber Resilience Act-compliant products.
What dates are relevant for the Cyber Resilience Act?
The regulation has been in force since 10.12.2024; most obligations apply from 11.12.2027. Reporting obligations already begin on 11.09.2026. Sources: EUR-Lex and several specialist law firms.
Conclusion
The Cyber Resilience Act will create a binding framework for IT security from 2027. For Sophos and other manufacturers, it means adjustments to update strategies and support periods. For administrators, it means more reliability in updates and lifecycle planning. Now is the right time to align procurement processes and update strategies with CRA requirements.