EU Cyber Resilience Act: Prepare for December 2027
5 December, 2025
By Renaldo Fibiger, Field Application Engineer, Altron Arrow
Johannesburg, 12 November 2025 – South African companies exporting IoT devices to the European Union face a significant regulatory shift with the EU's Cyber Resilience Act becoming mandatory in December 2027.
Understanding the EU Cyber Resilience Act for South African exporters
Manufacturers with products already in the European market need to act now, according to Renaldo Fibiger, Field Application Engineer at Altron Arrow. "While the South African market remains largely unaffected, customers active in the EU, particularly those with products already in the field, may face significant recall obligations if compliance issues arise," he explains.
This is why we're reminding manufacturers that sell products in the EU to assess the risks now and determine their exposure before the regulation takes effect. "The more critical the device is, the more stringent the compliance requirements will be," Fibiger notes. "These are EU regulations, but it remains to be seen whether similar legislation will affect South Africa more broadly."
The urgency cannot be overstated. With less than three years until full compliance becomes mandatory, manufacturers need to begin their preparation immediately. The process of auditing existing products, implementing necessary security measures and obtaining required certifications can take considerable time, particularly for companies managing extensive product portfolios across multiple markets.
What South African manufacturers need to know about CRA compliance
The EU's Cyber Resilience Act requires hardware and software products sold in the EU to meet cybersecurity standards throughout their entire lifecycle. Critically, the act applies retroactively to existing products. While the act came into force in late 2024, with reporting required from 2026, full compliance becomes mandatory from December 2027.
This retroactive application means that products already on European shelves and in customers' homes fall under the new requirements. Manufacturers cannot simply wait until they develop new products to address compliance. Instead, they must evaluate their current product lines and determine what updates, patches or modifications are necessary to meet the new standards.
Scope and coverage of the Cyber Resilience Act
The act's reach is extensive. Any product that runs code falls within its scope, including laptops, gate controllers, routers, home automation devices, medical devices and some software applications. While full-size motor vehicles are exempted from the act, automotive components in the supply chain must comply.
This broad definition catches many manufacturers by surprise. Even seemingly simple devices that contain embedded software or firmware fall under the CRA's jurisdiction. For South African manufacturers, this means carefully reviewing every product in their catalogue that's sold in the EU market, regardless of how minor the software component might seem.
The inclusion of automotive components is particularly significant for South African suppliers in the automotive sector. While complete vehicles are exempt, individual components such as electronic control units, infotainment systems and safety devices must all meet CRA requirements if they're destined for the European market.
Manufacturer responsibilities under the CRA
Manufacturers are responsible for the entire lifespan of the product, typically ten years (or fifteen in the case of products developed for military applications). This includes notifying the market of any vulnerabilities within 24 hours, providing security updates to address vulnerabilities and informing users about the support period for updates.
The financial stakes are significant. Non-compliance could result in fines of up to 5% of total yearly revenue.
These ongoing responsibilities represent a fundamental shift in how manufacturers must approach product lifecycle management. The 24-hour notification requirement means establishing robust vulnerability monitoring systems and rapid response protocols. Companies must also develop infrastructure for delivering security patches and updates throughout the product's lifetime, which may require significant investment in back-end systems and customer communication channels.
For many South African manufacturers accustomed to a more traditional approach where products are sold and then largely forgotten, this represents a substantial operational change. The requirement to support products for up to ten years means maintaining technical teams, documentation and update capabilities long after a product line may have been superseded by newer models.
The three tiers of cybersecurity requirements
The CRA assesses cybersecurity requirements based on the level of risk associated with a product, creating three classes of security.
Default classification
This is the lowest risk category and encompasses most devices, including printers and smart home automation products. Companies can typically self-assess compliance, provided they align with EU standards.
For many manufacturers, the default classification offers a more accessible entry point to CRA compliance. Self-assessment means companies can evaluate their products against the published standards without necessarily engaging expensive third-party auditors for every device. However, self-assessment still requires thorough documentation and genuine compliance with security requirements. Manufacturers cannot simply tick boxes without implementing real security measures.
Important products classification
Important products require external third-party assessments for CE certification. This classification tier is split into two classes.
Class I covers less sensitive products like routers, home security devices, password managers, browsers and antivirus software.
Class II encompasses higher risk products including hypervisors, firewalls and tamper-resistant microcontrollers and microprocessors.
The important products classification introduces additional complexity and cost. Third-party assessments require engaging notified bodies or certification authorities, which adds both time and expense to the compliance process. For Class II products in particular, the assessment process can be extensive, involving detailed security audits, penetration testing and comprehensive documentation reviews.
South African manufacturers in these categories should begin identifying suitable certification bodies now and understanding their requirements and timelines. Some notified bodies may have lengthy waiting lists as the December 2027 deadline approaches, making early engagement crucial.
Critical products classification
Critical products already fall under the European Common Criteria-based cybersecurity certification scheme. These include smartcards, hardware devices with security boxes and smart meter gateways.
Products in the critical classification face the most stringent requirements. However, manufacturers of these products are likely already familiar with rigorous security standards and certification processes through existing Common Criteria requirements. For these companies, CRA compliance may represent an evolution of existing practices rather than an entirely new burden.
Cost implications of CRA non-compliance for manufacturers
The cost implications for a South African manufacturer found in breach of the CRA are substantial. "While we support the regulation's objectives, we understand manufacturers' concerns regarding potential product recalls," says Fibiger.
Product recalls represent perhaps the most serious financial risk. Beyond the direct costs of retrieving, repairing or replacing products, manufacturers face reputational damage, lost sales and potential legal liability from customers affected by security vulnerabilities. For smaller manufacturers, a significant recall could threaten business viability.
The 5% revenue fine ceiling also represents a substantial deterrent. For a company generating R100 million in annual revenue, a maximum fine could reach R5 million. For larger manufacturers, the potential penalties scale proportionately, creating significant financial exposure.
At this stage, he does not anticipate South Africa adopting these kinds of regulations in the immediate future but notes that the landscape could change. "Should similar legislation be introduced locally, businesses will need to adapt quickly."
However, manufacturers should consider that investing in CRA compliance now may provide competitive advantages if South Africa or other markets introduce similar requirements. Companies that develop robust cybersecurity practices and lifecycle management capabilities will be better positioned regardless of future regulatory developments.
How Altron Arrow supports IoT manufacturers with CRA compliance
Fortunately, South African exporters in the IoT space aren't without support in managing this transition. "At Altron Arrow, we work across both electronic components and cybersecurity, enabling us to guide manufacturers through the compliance process," Fibiger says. "With proper preparation, the transition should be manageable."
Our approach combines technical expertise in electronic components with deep knowledge of cybersecurity requirements. This dual perspective allows us to help manufacturers identify potential compliance issues early in the product development process and select components that support security requirements from the ground up.
We also assist manufacturers in understanding the certification landscape, connecting them with appropriate testing facilities and notified bodies, and developing the documentation and processes necessary for ongoing compliance. Our goal is to make CRA compliance as straightforward as possible, minimising disruption to existing business operations while ensuring products meet all necessary requirements.
Take action now on EU Cyber Resilience Act compliance
For South African manufacturers selling into the EU market, December 2027 will arrive sooner than expected. The question isn't whether to comply, but whether you've started preparing.
We recommend manufacturers take the following immediate steps. First, conduct a comprehensive audit of all products currently sold or planned for the EU market to determine which fall under CRA requirements. Second, classify each product according to the three-tier system to understand certification requirements. Third, assess current cybersecurity measures against CRA standards to identify gaps. Fourth, develop a timeline and budget for addressing compliance requirements across your product portfolio. Finally, engage with compliance experts and potential certification bodies to understand processes and timelines.
The manufacturers who begin this process now will find themselves well positioned when the mandatory compliance date arrives. Those who delay risk facing compressed timelines, limited access to certification resources and potential market disruption as the deadline approaches.
Frequently asked questions about the EU Cyber Resilience Act
Does the Cyber Resilience Act apply to products already sold in the EU?
Yes, the CRA applies retroactively to existing products already in the European market. This means manufacturers must assess products currently on shelves and in use to determine compliance requirements. Products that don't meet the standards may need security updates, patches or in severe cases, recall and replacement.
When do South African manufacturers need to comply with the CRA?
Full compliance becomes mandatory in December 2027. However, reporting requirements begin in 2026, and the act came into force in late 2024. We recommend beginning compliance preparations immediately to allow sufficient time for product assessments, necessary modifications and certification processes.
How much does CRA compliance cost?
Costs vary significantly depending on product classification and current security measures. Default classification products that can be self-assessed will incur lower costs, primarily involving internal audit time and any necessary security improvements. Important and critical products requiring third-party certification will face higher costs, potentially ranging from several thousand to tens of thousands of euros per product, depending on complexity.
What happens if we don't comply with the Cyber Resilience Act?
Non-compliance can result in fines of up to 5% of total yearly revenue. Additionally, non-compliant products cannot be sold in the EU market, and existing products may be subject to recall. Beyond direct penalties, manufacturers risk reputational damage and potential legal liability if security vulnerabilities in non-compliant products cause harm.
Are software products included in the CRA requirements?
Yes, software products sold in the EU fall under CRA requirements if they meet the definition of products with digital elements. This includes standalone software applications, firmware and embedded software in hardware products. Software manufacturers face the same classification system and must demonstrate appropriate security measures throughout the product lifecycle.
How long must manufacturers support products under the CRA?
Manufacturers are responsible for products throughout their entire lifespan, typically ten years for commercial products. For products developed for military applications, the support period extends to fifteen years. This includes providing security updates, notifying users of vulnerabilities and maintaining communication about the support period.
Can South African manufacturers self-certify for CRA compliance?
Only products in the default classification (lowest risk category) can be self-assessed. Products classified as important (Class I and Class II) require external third-party assessments from notified bodies. Critical products must meet the requirements of the European Common Criteria-based cybersecurity certification scheme.
Does the CRA affect South African domestic market sales?
Currently, the CRA only applies to products sold in the European Union market. South African domestic sales are not affected by these regulations. However, manufacturers should monitor developments as similar legislation could be introduced locally in future, and building security capabilities now may provide competitive advantages.
What is the 24-hour vulnerability notification requirement?
Manufacturers must notify the market of any security vulnerabilities discovered within 24 hours of becoming aware of them. This requires establishing monitoring systems to detect vulnerabilities and rapid response protocols to communicate with customers, regulatory authorities and the broader market quickly and effectively.
Which automotive products need CRA compliance?
While complete motor vehicles are exempted from the CRA, automotive components in the supply chain must comply. This includes electronic control units, infotainment systems, security devices and other components containing software or firmware that are sold as separate products to vehicle manufacturers or the aftermarket.