Regulatory
Jun 4, 2026

The Cyber Resilience Act: What Swiss SMEs need to know

The Cyber Resilience Act introduces new cybersecurity requirements for products with digital elements. Learn what Swiss SMEs need to know and how an ISMS can help.

The Cyber Resilience Act introduces new cybersecurity requirements for products with digital elements. Swiss SMEs may also be affected if they offer software, hardware or digital components in the EU, or if they are part of corresponding supply chains. For companies that want to be prepared, one thing is essential: clarity around risks, responsibilities, measures and evidence.

For many Swiss SMEs, the first question around the Cyber Resilience Act, or CRA for short, is simple: does this apply to us?

The short answer: it depends.

What matters is not whether a company is based in the EU, but whether an affected product with digital elements is made available on the EU market. Companies that supply software, hardware or digital components to the EU, sell them there or are part of a relevant supply chain should therefore assess the CRA early.

What is the Cyber Resilience Act?

The CRA is an EU regulation that introduces binding cybersecurity requirements for products with digital elements. This includes, for example, software, hardware, connected devices, digital components or certain cloud-based functions that are necessary for a product to operate.

The aim of the CRA is to embed cybersecurity across the entire product lifecycle: from development and market availability through to security updates and vulnerability management. Security should not only become a topic once vulnerabilities are discovered or attacks become known.

Does the CRA also affect Swiss SMEs?

Yes, the CRA can also affect Swiss SMEs.

What matters is whether an affected product with digital elements is made available on the EU market. Swiss companies that supply software, hardware or digital components to the EU, or sell them there, should therefore check whether their products fall under the CRA.

This may be relevant, for example, for:

  • Swiss software providers with customers in the EU
  • manufacturers of IoT devices, machines or control components
  • providers of digital components for other manufacturers
  • SMEs that sell products in the EU through partners or distributors, or that are part of a digital supply chain as suppliers

Even if an SME is not directly considered a manufacturer under the CRA, the regulation may still become indirectly relevant. Customers, partners or larger clients may increasingly request evidence of secure development processes, vulnerability management, risk assessments or documented security measures.

The CRA therefore also becomes relevant for companies that are indirectly part of a supply chain.

What do affected Swiss SMEs need to do?

For many SMEs, the first step is to clarify their own product and supply chain exposure: which products with digital elements are offered, which components are used, which markets are served, and who has which role under the CRA?

For affected companies, the main task is to embed cybersecurity as a structured management process across the product lifecycle. Five topics are particularly important:

Security by Design and Security by Default. Cybersecurity must be considered from the start. Products should be delivered with secure configurations, for example without weak default passwords and with appropriate default settings.

Risk analysis before market access. Companies must analyse cyber risks related to their product, define suitable measures and document them.

Security updates across the entire lifecycle. Known vulnerabilities must be addressed and security updates must be provided. This requires clear processes, responsibilities and deadlines.

Transparency over components. Companies must be able to understand which software components, dependencies and third-party libraries are used in their products. This is particularly important in the context of supply chain risks.

Reporting obligations from September 2026. Actively exploited vulnerabilities and severe security incidents must be reported within tight deadlines. Companies should therefore clarify early how such cases are identified, assessed, escalated and documented.

The reporting deadlines are strict: an early warning within 24 hours, a notification within 72 hours and a final report. For actively exploited vulnerabilities, the final report is due no later than 14 days after a corrective or mitigating measure becomes available. For severe security incidents, it is due within one month.

Companies that do not yet have clear processes for risk assessment, vulnerability management, responsibilities and evidence should start building these foundations early.

Important deadlines

  • December 2024: The CRA entered into force.
  • September 11, 2026: Reporting obligations for actively exploited vulnerabilities and severe security incidents apply.
  • December 11, 2027: The main CRA obligations apply, including conformity assessment and CE marking.

For certain product categories, an external conformity assessment by a notified body may be required. The corresponding structures are being built in the EU from 2026 onwards.

How fortControl can support

The CRA does not only introduce technical requirements. It also requires structured processes, clear responsibilities, documented risk assessments and a traceable approach to vulnerabilities. This is exactly where a well-designed ISMS comes in.

fortControl supports Swiss SMEs in building these structures efficiently and managing them in day-to-day operations. The platform addresses the areas where CRA requirements become manageable within the organisation: risks, measures, responsibilities and evidence. This gives companies a structured foundation for the legal, technical and product-specific implementation of the CRA.

This includes in particular:

Risk management: Risks are recorded, assessed, prioritised and documented in a structured way.

Measures management: Security measures can be assigned to responsible owners, scheduled and tracked.

Documentation and evidence: Assessments, decisions and measures remain traceable and auditable.

Controls and frameworks: Requirements from standards such as ISO 27001, NIST CSF or the ICT Minimum Standard can be mapped in a structured way and linked to internal measures.

Incident response and vulnerability management: Processes, responsibilities and escalation paths are documented so that, in an incident, it is clear who needs to do what.

Why an ISMS makes sense even independently of the CRA

The CRA shows where cybersecurity requirements are heading: away from isolated measures and towards a systematic, holistic approach. Risks must be assessed in a structured way, measures must be implemented transparently, and evidence must be easy to provide.

This development also affects companies that do not fall directly under the CRA. Customers, partners, insurers and industry-specific requirements increasingly demand transparency around how companies manage information security.

An ISMS helps companies manage these requirements efficiently. It creates clarity around existing risks, responsibilities, implemented measures and remaining gaps.

Companies that build an ISMS with fortControl today create a solid foundation for addressing future requirements more efficiently, more systematically and with less duplication of effort.

Structure creates security

The Cyber Resilience Act is also relevant for Swiss SMEs if they offer products with digital elements on the EU market or are part of corresponding supply chains. Companies that may be affected should assess early which requirements apply and which processes, responsibilities and evidence are needed.

The broader development is clear: cybersecurity is becoming more regulated, more closely scrutinised and more evidence-based. Companies that manage their risks, measures and responsibilities in a structured way are significantly better prepared.

With fortControl, SMEs create the foundation for a practical ISMS that makes risks, measures and evidence structured and manageable, while preparing the organisation for future requirements.

Rolf Wagner

Information Security Management enthusiast.