Cybersecurity in the Supply Chain: Components and Spare Parts under the Cyber Resilience Act – what Economic Operators need to consider until 11 December 2027

26.05.2026

As of 11 December 2027, the Cyber Resilience Act (Regulation (EU) 2024/2847 of 23 October 2024, “CRA”), which introduces binding cybersecurity requirements for products with digital elements (“PDE”) made available on the European market, will be in force throughout the European Union. It responds to the increasing number of cyberattacks on connected hardware and software products and the resulting growing potential for economic damage.

In principle, all economic operators in the supply chain that place PDE on the Union market – both in the form of PDE as final products and as standalone components intended to be integrated into other products which are placed on the market separately – will fall within the scope of the CRA as manufacturers, importers or distributors. Regarding the temporal scope of the CRA, PDE will generally only be subject to the product requirements of the CRA if they are made available on the Union market after 11 December 2027, the date of application (“Cut‑off Date”).

If a PDE in the form of a final product or in the form of a component placed on the market separately does not comply with the formal or material product requirements of the CRA, the consequence will generally be a prohibition on making such non‑compliant PDE available and distributing it on the Union market after the Cut‑off Date. In addition, depending on the specific violation of the product requirements, administrative measures by the market surveillance authorities, in particular fines and ultimately product recall orders, may be imposed on the economic operators.

Components integrated in final products – regardless of whether they are placed on the market separately as standalone products – must be considered when assessing the cybersecurity risk of the superordinate PDE and its CRA compliance. Deficiencies of components integrated in such superordinate PDE infect these PDE and thereby lead to non‑compliance and a prohibition on further distributing the superordinate PDE. This is, in particular, the case when cybersecurity risks associated with integrated components affect the final products, resulting in their non‑compliance with the cybersecurity requirements set out in Annex I, Part I CRA or in the inability to implement the required vulnerability management in accordance with Annex I, Part II CRA.

If, for instance, security‑relevant updates of a component cease to be implemented, or if the component’s manufacturer no longer provides support to remediate vulnerabilities, the risk that security deficiencies of an integrated component will directly affect the cybersecurity level of a superordinate PDE and endanger its compliance with the CRA and other applicable product security regulation will continuously increase over time. This will particularly affect products with embedded software outside an active lifecycle, for which no security maintenance is foreseen after the end of support and for which newly discovered vulnerabilities are therefore no longer addressed.

The only exception to this rule applies if a component – marketed separately – falls under the exemption for spare parts pursuant to Article 2 (6) CRA. Pursuant to this exemption from the material scope of the CRA, the CRA shall not apply to spare parts made available on the market to replace identical components in PDE and that are manufactured to the same specifications as the components they are intended to replace. However, Recital 29 CRA clarifies that the exemption only covers spare parts that either serve to repair legacy products made available before the Cut‑off Date or have already undergone a conformity assessment procedure pursuant to the CRA.

The Cut‑off Date is therefore of decisive relevance not only for the legality of the continued placing on the market of PDE in the form of final superordinate products, but equally for components and spare parts throughout the supply chain that are intended to be integrated into these final products. Specifically, the integration of components that are no longer maintained by their manufacturer poses material risks for manufacturers of superordinate PDE, since cybersecurity deficiencies of components – particularly through the occurrence of non‑remediable vulnerabilities – directly infect superordinate PDE and threaten their marketability.

If, in this event, the product requirements of the CRA applicable to a PDE cannot be ensured by means of compensatory measures either, the economic operator will likely be left with no other choice but to replace the component at considerable cost or to undertake an equally costly redesign of the PDE.

The Cut‑off Date regime of the CRA therefore has material operational and economic implications for manufacturers and their supply chains. Timely action is accordingly essential: economic operators should contractually obligate their supply chain to ensure that components and spare parts used in their PDE are subject to security maintenance throughout the intended lifespan of the PDE, and should agree on express provisions on security updates, vulnerability management and mandatory support periods. In parallel, it is recommended to develop contingency and replacement plans to reduce dependencies on components that will no longer be maintained, in particular for inventories of components and spare parts procured before the Cut‑off Date, and to liquidate remaining inventory before the Cut‑off Date.

Economic operators are therefore well advised to review their supply chains, to contractually ensure the availability and maintainability of any components and spare parts for their products, and to economically utilize still existing inventory of non‑maintainable components and spare parts before the Cut‑off Date. With the CRA, cybersecurity will become a material quality requirement in the supply chain. Those who set the course and plan accordingly have the advantage.

The legal issues raised in this Insight are also examined in the legal journal article “Ersatzteile und Komponenten im Fokus des Cyber Resilience Act” (“Spare Parts and Components in the Focus of the Cyber Resilience Act”) by the author, which has been published in the German legal journal ZfPC 2/2026, pages 79-85.
