The EU Cyber Resilience Act alters how organizations handle digital product security throughout their lifecycle. Though effective from December 2024, its impact peaks in 2026, especially for those involved in IT asset reuse and decommissioning. At that stage, expectations will shift from policy preparation to demonstrable risk reduction, highlighting the importance of effective data erasure.

What Is the EU Cyber Resilience Act
The EU Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements that are placed on the European market. This includes hardware and software products that connect directly or indirectly to other devices or networks. According to the European Commission, the regulation applies to manufacturers, importers, and distributors and covers the full product lifecycle, from design to end of life.
The timeline is critical:
This makes 2026 a key transition year, when organizations are expected to be operationally prepared for reporting and risk-management obligations.
Why 2026 Matters More Than It Seems
From September 2026, manufacturers are legally required to report actively exploited vulnerabilities and severe security incidents affecting products with digital elements.
This shifts regulatory focus from written policies to real-world outcomes. Security issues that qualify as severe incidents or involve actively exploited vulnerabilities may become reportable under the Cyber Resilience Act.
In practice, weaknesses that result in data exposure on digital products can increase the likelihood of reportable incidents, particularly when devices are reused, refurbished, returned, or retired without adequate safeguards.
Lifecycle Security Extends to End of Use
A key principle of the Cyber Resilience Act is that cybersecurity does not stop at deployment. While the Act focuses on product security rather than data protection law, residual data on devices can still contribute to security incidents and reporting obligations.
This has direct implications for organizations that:
• reuse devices internally
• refurbish IT equipment
• resell or return hardware
• process end-of-life assets
Residual data on devices represents a potential security vulnerability. If personal data, credentials, or corporate information remain accessible, the organization placing that product back into circulation may increase its exposure to cybersecurity and compliance risks.
The European Commission explicitly links insecure products to an increased risk of cyber incidents and data breaches, which the Act aims to reduce across the EU.
Why Data Erasure Becomes a Compliance Control in 2026
Although the main CRA product requirements apply in 2027, organizations are expected to actively reduce security risks ahead of full enforcement. By 2026, organizations should already be able to demonstrate that:
While the Cyber Resilience Act does not prescribe specific technical measures, certified and auditable data erasure emerges in practice as a key control to support these objectives and reduce the likelihood of reportable incidents.
How Certus Supports Cyber Resilience Compliance
Certus helps organizations operationalize data erasure as part of their cybersecurity and lifecycle management strategy.
With Certus, organizations can:
• Permanently and verifiably erase data from devices
• Generate standardized erasure reports for audits and regulators
• Integrate data erasure into refurbishment, resale, and end-of-life workflows
This makes data erasure not just a technical step, but a documented security control that aligns with the expectations of the EU Cyber Resilience Act.