
Virtual round table — The Cyber Resilience Act: Practical Implications for Supply Chains

June 24 @ 16:00 – 17:00

CyAN is co-hosting a virtual round table on the EU Cyber Resilience Act — The Cyber Resilience Act: Practical Implications for Supply Chains — on Wednesday 24 June 2026, in collaboration with the SCCS Summit Network and 1CxO CSA. The session continues a discussion our panelists began at the SCCS Summit in Munich (22–24 April 2026).

The CRA is no longer theoretical — it’s operational. From September 2026, companies placing digital products on the EU market must report actively exploited vulnerabilities and serious incidents within 24 hours, with full conformity and CE marking following in December 2027. And it doesn’t stop at the manufacturer’s door — importers, distributors, and even open-source stewards are pulled into the compliance chain. Cyber risk now travels with the product, and with everyone who touches it.

Event details

  • What: Virtual round table – The Cyber Resilience Act: Practical Implications for Supply Chains
  • When: Wednesday 24 June 2026, 16:00–17:00 CEST
  • Where: Online
  • Format: Fireside chat between experts, followed by Q&A and open discussion
  • Register: Reserve your spot via the SCCS Summit Network

Panel

  • Tereza Jášková – Managing Director & Senior Legal Counsel, Alpiq
  • Rolf A. Becker – Co-Chair, Cloud Security Alliance (Swiss Chapter)
  • John Salomon (moderator) – Board member, Cybersecurity Advisors Network (CyAN)

A legal and enterprise perspective from a major energy group, and a cloud and ecosystem perspective drawn from years of multi-tier supplier governance — with room throughout for audience questions and discussion.

The CRA in brief

The Cyber Resilience Act — Regulation (EU) 2024/2847 — is the first EU-wide law to set baseline cybersecurity requirements for “products with digital elements,” covering nearly all hardware and software placed on the EU market. Unlike NIS2, it regulates the products themselves, across their whole lifecycle. As a regulation rather than a directive, it is directly applicable in all member states, with no national transposition.

In practice, the CRA requires manufacturers to:

  • design and build products that are secure by default, with no *known exploitable* vulnerabilities at the time of release, meeting the Act’s risk-based essential requirements;
  • handle vulnerabilities across the product’s lifecycle and provide free security updates for a defined support period (a minimum of five years, unless the product’s expected use is shorter);
  • maintain a software bill of materials (SBOM) and apply the CE marking as proof of conformity;
  • report actively exploited vulnerabilities and severe incidents to ENISA’s Single Reporting Platform.

Crucially, the obligations don’t stop at the manufacturer. Importers, distributors, and even certain open-source software stewards are pulled into the framework. Most products can be self-assessed; “important” and “critical” categories face stricter conformity assessment. Penalties run up to €15 million or 2.5% of global annual turnover, the Act applies extraterritorially, and there is targeted relief for open-source stewards and SMEs.

Why it matters for the supply chain

Accountability sits with the manufacturer, but the evidence — SBOMs, vulnerability data, control assurance — is scattered across every supplier and sub-processor.

Meeting the CRA’s tight reporting timelines (a 24-hour early warning from the moment you become aware of an actively exploited vulnerability or severe incident) depends on visibility that reaches well below your Tier-1 suppliers, into cloud services and nth-tier subcontractors. SBOMs are now a legal requirement — yet many remain static documents that fall apart the moment they are needed during a live incident.
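As an added illustration of what "usable during a live incident" means for an SBOM (this is not material from the event page, CyAN, the SCCS Summit Network or any panelist), the Python below resolves a vulnerability advisory against a CycloneDX-style SBOM and reports the transitive dependency path from the shipped product down to the affected component, which is exactly the nth-tier visibility the paragraph above describes. The SBOM, the advisory identifier, the package names and the version range are all constructed for the example; real SBOMs and advisories carry many more fields, and the version comparison assumes plain dotted numeric versions.

```python
"""Resolve an advisory against a CycloneDX-style SBOM, reporting transitive exposure."""
import json
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM, shaped like a subset of CycloneDX 1.5 JSON.
# The top-level product is "edge-gateway"; it pulls in "fasthttp", which in
# turn pulls in "tlskit" (a second-tier dependency the product team may not
# even be aware of).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "prod-gateway", "name": "edge-gateway", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "lib-http", "name": "fasthttp", "version": "1.4.2",
         "purl": "pkg:golang/example.org/fasthttp@1.4.2"},
        {"bom-ref": "lib-tls", "name": "tlskit", "version": "0.9.1",
         "purl": "pkg:golang/example.org/tlskit@0.9.1"},
        {"bom-ref": "lib-log", "name": "logfmt", "version": "2.0.0",
         "purl": "pkg:golang/example.org/logfmt@2.0.0"},
    ],
    "dependencies": [
        {"ref": "prod-gateway", "dependsOn": ["lib-http", "lib-log"]},
        {"ref": "lib-http", "dependsOn": ["lib-tls"]},
        {"ref": "lib-tls", "dependsOn": []},
        {"ref": "lib-log", "dependsOn": []},
    ],
}

# Constructed advisory in a simplified shape: the affected package (purl without
# version) and the half-open affected version range [introduced, fixed).
SAMPLE_ADVISORY = {
    "id": "ADV-EXAMPLE-0001",  # placeholder identifier, not a real advisory
    "package": "pkg:golang/example.org/tlskit",
    "introduced": "0.8.0",
    "fixed": "0.9.3",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) for ordering. Assumes dotted numeric versions."""
    return tuple(int(part) for part in version.split("."))


def version_in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed; fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/name@version?qualifiers' into (base, version).

    Simplified: assumes a single '@' separates the version from the name."""
    base, _, rest = purl.partition("@")
    return base, rest.partition("?")[0]


def find_exposure(sbom: dict, advisory: dict) -> List[Dict[str, object]]:
    """Walk the dependency graph from the top-level product and return each
    affected component with the path that pulls it into the product.

    A component reachable by several paths is reported once, via the first
    (shortest) path found by the breadth-first walk."""
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    hits: List[Dict[str, object]] = []
    seen = set()
    queue = deque([(root["bom-ref"], [])])
    while queue:
        ref, path = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        comp = components.get(ref, {"name": ref, "version": "?"})
        path = path + [f"{comp['name']}@{comp['version']}"]
        purl = comp.get("purl")
        if purl:
            base, version = split_purl(purl)
            if base == advisory["package"] and version_in_range(
                version, advisory["introduced"], advisory.get("fixed")
            ):
                hits.append({"advisory": advisory["id"], "bom_ref": ref, "path": path})
        for child in graph.get(ref, []):
            queue.append((child, path))
    return hits


if __name__ == "__main__":
    # Prints the one affected path: edge-gateway -> fasthttp -> tlskit
    print(json.dumps(find_exposure(SAMPLE_SBOM, SAMPLE_ADVISORY), indent=2))
```

The point of the walk is the `path` field: when the advisory names a library nobody on the product team chose directly, the path is what tells you which first-tier supplier to call, and it can only be produced if the SBOM carries the dependency graph rather than a flat component list.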

For third-party risk teams, the CRA reshapes due diligence, contracts, and continuous monitoring, and it lands hardest on the long tail of smaller suppliers. It is, at once, a supply-chain problem, a product-design problem, and a governance problem.

Implementation timeline

  • 10 December 2024 – CRA enters into force
  • 11 June 2026 – Provisions on conformity assessment bodies (notified bodies) apply
  • 11 September 2026 – Reporting obligations apply: manufacturers must report actively exploited vulnerabilities and severe incidents
  • 11 December 2027 – Main obligations, conformity assessment, and CE marking apply in full

*Watch item:* the proposed Digital Omnibus (19 November 2025) would introduce a single EU entry point for incident reporting and adjust early-reporting timing. It is not yet law.

EU information resources

About the collaboration

CyAN (Cybersecurity Advisors Network) is a global, not-for-profit association of cybersecurity professionals working across policy, governance, and international cooperation. More at https://cybersecurityadvisors.network/

The SCCS Summit Network is the year-round community of the Third Party & Supply Chain Cyber Security (SCCS) Summit — a long-running EMEA forum for information security, cyber TPRM, and GRC professionals. More at https://sccybersecurity.com/sccs-summit-network/

This round table is intended as orientation and practitioner perspective on the CRA. It is not legal advice; organisations should seek qualified counsel on their specific obligations.