Organisations have spent years focusing on securing themselves. But as the Cyber Resilience Act (CRA) looms, the spotlight is shifting to the products they rely on, and the supply chains behind them.

Over the last year, the implementation of the NIS2 Directive dominated boardrooms across Europe. Organisations scrambled to assess risk exposure, tighten their access controls, and ensure their internal operational resilience was up to code.

But securing your organisation is only half the battle when the third-party tools operating inside it may introduce vulnerabilities of their own.

Now, the regulatory focus is expanding from the buyers of technology to the builders of it. With the EU Cyber Resilience Act (CRA) having entered into force in late 2024, the era of the “secure organisation” is rapidly evolving into the era of the “secure product.”

For security leaders, this means supply chain governance is about to get significantly tighter. The days of relying on blind trust and static vendor questionnaires are over. Here is why the CRA is changing the rules of engagement, and why the September 2026 milestone is the wake-up call the industry needs.

The September 2026 Milestone Prompts a 24-hour Reality Check

While the full weight of the CRA’s comprehensive “secure by design” and CE marking requirements does not take effect until December 11, 2027, the first major operational shift arrives much sooner.

By September 11, 2026, Article 14 of the CRA introduces mandatory, event-triggered vulnerability reporting. Manufacturers of products with digital elements, spanning both hardware and software, must report actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) and their national Computer Security Incident Response Team (CSIRT).

The timeline is tight, requiring early notification without undue delay (often interpreted as within 24 hours), followed by more detailed reporting as investigations progress.

As Eclypsium’s Chase Snyder notes in a recent analysis, “The CRA also contains numerous clauses requiring ‘timely’ notification, disclosure and remediation around vulnerabilities,” with enforcement ramping up by September 2026.

Crucially, this obligation applies to products already on the EU market that are still supported or maintained, not just net-new software releases.

For enterprise buyers, this creates a significant ripple effect in supply chain risk. If your vendors are relying on end-of-life (EOL) open-source components and lack the internal governance to track them, their compliance failure quickly becomes your operational vulnerability.

Bridging the Gap as NIS2 Meets the CRA

To understand the future of supply chain governance, you have to look at how NIS2 and the CRA fit together. They are not competing frameworks; they are complementary dimensions of the same holistic resilience model.

NIS2 is organisation-centric. It requires that essential and important entities manage risks across their operations, including deep-tier third-party dependencies. It asks, “Are your operations resilient to disruption, including supplier failure?”

CRA is product-centric. It regulates the actual hardware and software flowing through that supply chain. It mandates security-by-design, continuous lifecycle updates, and rigorous vulnerability handling. It asks, “Are the tools you are deploying fundamentally safe?” As Meticulous Research highlights in their OT/ICS market analysis, “CRA’s SBOM requirement… creates a structural driver for vulnerability management tooling” across NIS2 and CRA scopes.

Asset owners under NIS2 are not passive participants in this shift. They remain responsible for assessing and managing supplier risk but will increasingly rely on the CRA compliance of their vendors as part of that assurance model.

The End of “Static” Trust

Historically, supply chain governance relied on static documentation. A vendor filled out an annual security questionnaire, handed over an SOC 2 report, and trust was established, at least on paper.

Under the CRA, static trust is no longer sufficient.

The regulation introduces continuous lifecycle management. When a vendor is forced to maintain a dynamic Software Bill of Materials (SBOM) and actively report flaws within a set timeline, the buyer must have the mechanisms in place to receive, process, and act on that data in real-time.

“CRA extends responsibility deep into supply chains,” explains Joe Hughes, Vice President of Supply Chain Risk Management, Fortress Information Security. “Contracts now need to clearly outline supplier obligations, including SBOMs.”

Furthermore, the commercial stakes have never been higher. If a critical software vendor fails to comply with the CRA’s product security requirements by the December 2027 deadline, their product will be stripped of its CE marking. Without a CE mark, it cannot be legally sold or used in the EU market.

For procurement teams, this elevates CRA compliance from a technical nicety to a fundamental commercial requirement. If your supplier isn’t compliant, you may be legally forced to rip and replace their software, leading to operational challenges.

Building an Active Supply Chain Strategy

This regulatory shift represents a major opportunity for forward-thinking CISOs to move from defensive, tick-box compliance to active, revenue-protecting governance. To prepare for the 2026 and 2027 CRA deadlines alongside ongoing NIS2 obligations, leaders must act now:

Demand Transparency Early: Do not wait for September 2026 to ask your vendors how they plan to handle the ENISA reporting requirements. Embed CRA-readiness into your procurement contracts and vendor evaluations today.

Map the “Invisible” Dependencies: Use the legislative push for SBOMs to gain true visibility into fourth- and fifth-party risks. Understand what open-source frameworks are buried inside the commercial off-the-shelf (COTS) products you rely on.

Unify Your Risk View: Managing vendor risk across NIS2, DORA, and the CRA using fragmented spreadsheets is a recipe for missed deadlines and blind spots. Transition to dynamic, unified governance platforms that link vendor profiles, incident logs, and compliance statuses directly to your central risk register.
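The three steps above assume the buyer can actually ingest a vendor SBOM, work out which components sit at the fourth or fifth tier, and feed the result into a central risk register. The following is an added example of that plumbing, not code from the article or from any vendor named in it: it walks a constructed CycloneDX-style SBOM (the product, supplier, package names, versions and the end-of-life catalogue are all invented sample data) using the standard `dependencies` graph, assigns each component a supply-chain tier, flags versions the catalogue lists as unsupported, and emits rows shaped for a risk register.

```python
"""
Added example (not from the article): walk a CycloneDX-style SBOM supplied by a
vendor, assign each component a supply-chain tier (the vendor's own product is
tier 2 behind the buyer, its direct dependencies are third party, theirs are
fourth party, and so on), and flag components whose versions a constructed
end-of-life catalogue lists as unsupported. The SBOM, supplier name, package
names, versions and the catalogue are all constructed sample data.
"""
from collections import deque

# Constructed CycloneDX 1.5-style document, trimmed to the fields used here.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "bom-ref": "pkg:generic/vendor-x/ot-gateway@4.2.0",
            "name": "ot-gateway", "version": "4.2.0",
            "supplier": {"name": "Vendor X (constructed)"},
        },
    },
    "components": [
        {"bom-ref": "pkg:pypi/webframework@1.8.3", "name": "webframework", "version": "1.8.3"},
        {"bom-ref": "pkg:pypi/templating@2.11.0", "name": "templating", "version": "2.11.0"},
        {"bom-ref": "pkg:pypi/tls-lib@0.9.1", "name": "tls-lib", "version": "0.9.1"},
        {"bom-ref": "pkg:pypi/logging-util@3.0.0", "name": "logging-util", "version": "3.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/vendor-x/ot-gateway@4.2.0",
         "dependsOn": ["pkg:pypi/webframework@1.8.3", "pkg:pypi/logging-util@3.0.0"]},
        {"ref": "pkg:pypi/webframework@1.8.3", "dependsOn": ["pkg:pypi/templating@2.11.0"]},
        {"ref": "pkg:pypi/templating@2.11.0", "dependsOn": ["pkg:pypi/tls-lib@0.9.1"]},
    ],
}

# Constructed end-of-life catalogue: component name -> versions no longer maintained.
EOL_CATALOGUE = {
    "templating": {"2.11.0"},
    "tls-lib": {"0.9.1"},
}


def component_tiers(sbom):
    """Breadth-first walk from the vendor's top-level component.

    Returns {bom-ref: tier}: the vendor product is tier 2 (the buyer is tier 1),
    its direct dependencies tier 3 (third party), their dependencies tier 4
    (fourth party), and so on. A shared dependency keeps its shortest path.
    """
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    tiers = {root: 2}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in tiers:          # first visit is the shortest path
                tiers[child] = tiers[ref] + 1
                queue.append(child)
    # A component listed but never reachable through the dependency graph is an
    # SBOM quality defect; keep it with tier None instead of silently dropping it.
    for comp in sbom.get("components", []):
        tiers.setdefault(comp["bom-ref"], None)
    return tiers


def flag_eol(sbom, catalogue):
    """Return the bom-refs whose name/version pair appears in the EOL catalogue."""
    return sorted(
        c["bom-ref"] for c in sbom.get("components", [])
        if c["version"] in catalogue.get(c["name"], set())
    )


def risk_register_entries(sbom, catalogue):
    """Combine tier and EOL status into rows a central risk register can ingest."""
    tiers = component_tiers(sbom)
    eol = set(flag_eol(sbom, catalogue))
    vendor = sbom["metadata"]["component"].get("supplier", {}).get("name", "unknown")
    rows = []
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        rows.append({
            "vendor": vendor,
            "component": f'{comp["name"]}@{comp["version"]}',
            "tier": tiers[ref],
            "end_of_life": ref in eol,
            "unmapped_dependency": tiers[ref] is None,
        })
    return rows


if __name__ == "__main__":
    for row in risk_register_entries(SAMPLE_SBOM, EOL_CATALOGUE):
        print(row)
```

The point of the tier column is that the two end-of-life components here never appear on a vendor questionnaire: they are a fourth- and a fifth-party dependency of the framework the vendor chose. The `unmapped_dependency` flag is worth keeping as a first-class finding, because an SBOM that lists components without a dependency graph cannot support the "where is this actually used" question the article's step 2 is asking.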

“Leaders can treat CRA as a catalyst to build stronger, more transparent and more resilient supply chains,” per OPSWAT’s roadmap on software compliance.

Resilience is No Longer an Isolated Exercise

The regulatory landscape is sending a clear message: resilience is no longer an isolated internal exercise. As the focus shifts from secure organisations to secure products, supply chain governance is becoming the ultimate verification layer for business stability.

By embracing this shift now, you aren’t just preparing for a regulatory deadline. You are building a verified, hardened supply chain that protects your operational uptime and accelerates your growth in an increasingly volatile digital world.
