Cyber Resilience Act: New obligations for manufacturers and impact on Sophos Firewall

The Cyber Resilience Act will change the rules for manufacturers of digital products from 2027. Security updates must be provided free of charge, support periods must be clearly defined, and security must already be demonstrated during design. For IT administrators, this brings more transparency; for providers such as Sophos, it means adjustments to their update strategy.

Brief overview

  • EU regulation applies from December 11, 2027
  • At least five years of free security updates required
  • Obligations for secure design, documentation and reporting processes
  • Sophos must adapt its update policy
  • IT administrators gain more planning certainty

Why the topic is relevant now

The Cyber Resilience Act has been in force since the end of 2024. Manufacturers and customers have until December 2027 to adapt their processes. For IT security in Europe, this means a binding standard: products without security updates and unclear lifecycle information should disappear from the market.

What is changing or new

  • Free security updates: Manufacturers may no longer put critical patches behind a paywall.
  • Transparent support periods: At least five years of updates, or an explicit statement of shorter support periods.
  • CE marking: From 2027, the CE mark will also confirm cybersecurity conformity.
  • Reporting obligations: actively exploited vulnerabilities and security incidents must be reported to the authorities: an early warning within 24 hours and a further notification within 72 hours. Recipients are the designated CSIRT coordinator and ENISA via the central reporting platform.
  • High penalties: Up to 15 million euros or 2.5% of revenue for violations.

Technical overview

The Cyber Resilience Act targets all “products with digital elements”. These include classic enterprise systems such as firewalls, routers and operating systems, but also consumer IoT devices and security-critical software. In practice, the requirements affect almost the entire ecosystem of connected products. Under the Cyber Resilience Act, manufacturers must fulfill the following obligations:

  • Demonstrate Security by Design, for example secure default settings, encryption, tested protocols and hardening against DoS attacks.
  • Maintain a Software Bill of Materials (SBOM) that lists all relevant components, libraries and dependencies in detail to create transparency for updates and vulnerability management.
  • Offer auto-update options, at least for security-critical fixes, and ensure that these updates can be installed without significant interruption or impairment. Professional environments must also have an option for controlled, scheduled installation.
  • Keep documentation for ten years, including risk assessments, test reports and declarations of conformity, so that audits can trace how security was ensured.
  • Establish a vulnerability management process and a reporting channel for security issues, so that external researchers or customers can immediately report discovered vulnerabilities.
  • Implement mechanisms for secure updates, such as signing and verification, so manipulation during distribution is prevented.
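
The last two obligations (SBOM transparency aside) come down to one appliance-side check: refuse to install anything that is not signed by the vendor, is meant for another product, would roll the device back to an older version, or whose image does not match the signed digest. The following Go program is an added illustration, not Sophos code or the CRA text; the manifest layout, the product name "example-firewall", the version numbers and the firmware bytes are all constructed for the example, and Ed25519 is used simply because it is in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical manifest format constructed for this example.
// The vendor signs the manifest (not the raw image), so product, version and image
// digest are all covered by a single signature.
type UpdateManifest struct {
	Product string   // product identifier the image was built for
	Version uint32   // strictly increasing; used to refuse rollback to older firmware
	Digest  [32]byte // SHA-256 of the update image
}

// Distinct errors so the appliance can log exactly which check failed.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the vendor key")
	ErrWrongProduct   = errors.New("manifest is for a different product")
	ErrRollback       = errors.New("manifest version is not newer than the installed version")
	ErrDigestMismatch = errors.New("image digest does not match the signed manifest")
)

// signingBytes serialises the manifest deterministically so that signer and
// verifier hash exactly the same bytes.
func (m UpdateManifest) signingBytes() []byte {
	var buf bytes.Buffer
	buf.WriteString(m.Product)
	buf.WriteByte(0) // separator so product name and version cannot run together
	binary.Write(&buf, binary.BigEndian, m.Version)
	buf.Write(m.Digest[:])
	return buf.Bytes()
}

// NewVendorKey generates the vendor's signing key pair. In production the private
// half lives in an HSM or release-signing service, never on the appliance.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest computes the image digest and fills in the manifest (vendor side).
func BuildManifest(product string, version uint32, image []byte) UpdateManifest {
	return UpdateManifest{Product: product, Version: version, Digest: sha256.Sum256(image)}
}

// SignManifest produces the detached signature shipped alongside the image (vendor side).
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, m.signingBytes())
}

// VerifyUpdate is the appliance-side gate that must pass before anything is written
// to flash: signature first, then product, then anti-rollback, then the image digest.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, sig, image []byte,
	installedVersion uint32, expectedProduct string) error {
	if !ed25519.Verify(pub, m.signingBytes(), sig) {
		return ErrBadSignature
	}
	if m.Product != expectedProduct {
		return ErrWrongProduct
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	image := []byte("constructed firmware image bytes") // stand-in for a real image
	m := BuildManifest("example-firewall", 21, image)
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:      ", VerifyUpdate(pub, m, sig, image, 20, "example-firewall"))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // one flipped byte in transit
	fmt.Println("tampered image:      ", VerifyUpdate(pub, m, sig, tampered, 20, "example-firewall"))
	fmt.Println("replayed old version:", VerifyUpdate(pub, m, sig, image, 21, "example-firewall"))
}
```

The order of the checks matters: the signature is verified before any field of the manifest is trusted, so a forged version number or product name never influences the later comparisons. The public key would be pinned in the appliance firmware, which is what turns "signing" into protection against manipulation during distribution.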

These detailed requirements show that the Cyber Resilience Act does not merely set minimum standards. It demands comprehensive security management from development and operation through to the support period.

Practical guide for IT administrators

Preparation:

  • Review procurement processes: in future, purchase only CRA-compliant products.
  • Document lifecycle information and supplement it in asset management.
  • Clarify responsibilities in the IT team and define roles for update management.
  • Align internal policies with CRA requirements and add missing processes.

Implementation:

  • Plan security updates regularly, even if automatic updates are available.
  • Subscribe to manufacturer notifications and integrate them into internal processes.
  • Use test environments to check updates before rollout on critical systems.
  • Use integrations with ticketing or monitoring tools to automatically document update processes.

Validation:

  • Test patches after installation.
  • Check logs for anomalies after updates.
  • Perform network and security scans to ensure that known vulnerabilities have been closed.
  • Generate compliance reports aligned with CRA requirements.

Rollback & Monitoring:

  • Maintain rollback plans for critical systems.
  • Use monitoring to quickly detect outages after updates.
  • Define alerts so that critical errors are immediately visible.
  • Provide emergency checklists to quickly restore operations in an emergency.

Recommendations and Best Practices

Topic               Recommendation
Product selection   Prefer CRA-compliant manufacturers
Support duration    Choose devices with at least 5 years of update commitments
Patch management    Establish central update management
Documentation       Include SBOM and lifecycle data in inventory
Communication       Automate manufacturer security notifications

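The preparation steps and the table above both ask administrators to keep lifecycle data in the inventory and to prefer devices with at least five years of update commitments. The Go program below is an added example of how that inventory can be audited automatically; it is not Avanet or Sophos tooling. The asset names, vendors and dates are constructed sample data, the issue codes are invented for this example, and the five-year minimum is the figure cited on this page.

```go
package main

import (
	"fmt"
	"time"
)

// MinSupportYears is the minimum security-update period cited for the CRA.
const MinSupportYears = 5

// Asset is one row of a hypothetical inventory (constructed for this example).
type Asset struct {
	Name           string
	Vendor         string
	PlacedOnMarket time.Time // date the product was placed on the market
	SupportEnds    time.Time // vendor-declared end of security updates
	SBOMOnFile     bool      // whether the vendor's SBOM is filed with the asset
}

// Issue codes returned by AuditInventory so findings can be routed to tickets.
const (
	IssueShortSupport  = "support-period-shorter-than-minimum"
	IssueOutOfSupport  = "security-support-already-ended"
	IssueSupportEnding = "security-support-ending-soon"
	IssueMissingSBOM   = "sbom-not-on-file"
)

// Finding pairs an asset with one detected issue.
type Finding struct {
	Asset string
	Issue string
}

// AuditInventory checks every asset against the five-year minimum, the remaining
// support window (warning `warn` ahead of end of support) and the SBOM requirement,
// all evaluated at `now`. Findings are returned in inventory order.
func AuditInventory(assets []Asset, now time.Time, warn time.Duration) []Finding {
	var findings []Finding
	for _, a := range assets {
		// Declared support shorter than the minimum, measured from market placement.
		if a.SupportEnds.Before(a.PlacedOnMarket.AddDate(MinSupportYears, 0, 0)) {
			findings = append(findings, Finding{a.Name, IssueShortSupport})
		}
		// Already out of support beats "ending soon"; only one of the two is reported.
		switch {
		case a.SupportEnds.Before(now):
			findings = append(findings, Finding{a.Name, IssueOutOfSupport})
		case a.SupportEnds.Before(now.Add(warn)):
			findings = append(findings, Finding{a.Name, IssueSupportEnding})
		}
		if !a.SBOMOnFile {
			findings = append(findings, Finding{a.Name, IssueMissingSBOM})
		}
	}
	return findings
}

func date(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// SampleInventory returns constructed sample data; none of these are real devices.
func SampleInventory() []Asset {
	return []Asset{
		{"fw-hq", "vendor-a", date(2025, time.January, 1), date(2030, time.January, 1), true},
		{"fw-branch", "vendor-a", date(2024, time.June, 1), date(2027, time.June, 1), true},
		{"sw-core", "vendor-b", date(2020, time.January, 1), date(2026, time.April, 15), false},
		{"ap-lobby", "vendor-c", date(2018, time.January, 1), date(2025, time.December, 31), true},
	}
}

func main() {
	now := date(2026, time.March, 1) // fixed "today" so the run is reproducible
	for _, f := range AuditInventory(SampleInventory(), now, 90*24*time.Hour) {
		fmt.Printf("%-10s %s\n", f.Asset, f.Issue)
	}
}
```

Running it against the sample data flags the branch firewall for a three-year support commitment, the core switch for support ending within the 90-day window and a missing SBOM, and the lobby access point as already out of support; the headquarters firewall passes. Feeding the findings into the ticketing or monitoring integration mentioned under Implementation turns lifecycle tracking from a spreadsheet exercise into a recurring control.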
Impact on Sophos and other platforms

Sophos changed its firmware update policy in 2022: since then, updates have only been available with a valid support license. Security fixes and signature updates remained free, but regular firmware updates did not. The Cyber Resilience Act forces manufacturers such as Sophos to rethink this separation. In future, they will likely need to distinguish between “feature updates” (paid) and “security fixes” (free).

For IT administrators, this means:

  • More clarity about appliance support periods.
  • Reliable access to security-critical patches, even without a license.
  • Greater transparency about lifecycle and End-of-Life dates.

Frequently Asked Questions

Does the Cyber Resilience Act also apply to existing products?

No, it applies to products newly placed on the market from December 11, 2027.

What happens to old devices without updates?

Devices without security support will no longer be CRA-compliant after the support period expires and will pose risks.

Must updates be installed automatically?

For many consumer devices, yes. For firewalls or critical systems, a manual option with notification is sufficient.

What penalties threaten manufacturers?

Up to 15 million euros or 2.5% of global annual revenue.

What role does Avanet play?

Avanet supports lifecycle planning, update strategies and the selection of Cyber Resilience Act-compliant products.

Which dates are relevant for the Cyber Resilience Act?

The regulation has been in force since December 10, 2024; most obligations apply from December 11, 2027. Reporting obligations begin as early as September 11, 2026. Sources: EUR-Lex and several specialist law firms.

Conclusion

The Cyber Resilience Act creates a binding framework for IT security from 2027. For Sophos and other manufacturers, it means adjustments to update strategies and support periods. For administrators, it brings more reliability for updates and lifecycle planning. Now is the right time to align procurement processes and update strategies with CRA requirements.

Patrizio