Context: What the Cyber Resilience Act actually changes in the EU
The Cyber Resilience Act (CRA) establishes, for the first time, a uniform EU-wide framework that sets out mandatory cybersecurity requirements for hardware and software (‘products with digital elements’) throughout their entire lifecycle. The aim is to enforce a minimum level of product security and to address the often inadequate update and vulnerability management practices of many digital products to date. (1)
Key points from the perspective of manufacturers and supply chain partners:
- Security by Design & Lifecycle Obligations: The CRA requires manufacturers to consistently implement cybersecurity from the planning, design, development and maintenance stages onwards and to address vulnerabilities throughout the product lifecycle. (2)
- CE Marking + Market Surveillance: Products are to be identified as compliant via the CE marking system; enforcement is carried out by national market surveillance authorities. (2)
- Conformity assessment becomes ‘strict’ for some product classes: The Commission states that self-assessment by manufacturers is possible for most products, but certain ‘important’ and ‘critical’ categories (e.g. routers/firewalls or secure elements/smart meter gateways) may require a notified body in some cases. (3)
- Early reporting obligations: The reporting obligation is particularly relevant for 2026: from 11 September 2026, manufacturers must report actively exploited vulnerabilities and serious security incidents. (4)
The reporting obligation must not simply be fulfilled “at some point”, but is organised on a time-critical basis:
- Advance warning within 24 hours (from the time of discovery),
- full report within 72 hours,
- final report: no later than 14 days after a remedy becomes available (for actively exploited vulnerabilities) or within one month (for serious incidents). (5)
Technically and organisationally, this is consolidated across the EU via a Single Reporting Platform (SRP) established by ENISA. (7)
Support mechanisms are also provided for small and medium-sized enterprises (SMEs/MSMEs) – including training, awareness-raising, information/communication, testing opportunities, support for third-party audits and regulatory sandboxes at Member State level. (8)
Why a German implementing law is necessary
Although the CRA, as an EU regulation, is in principle directly applicable, its practical effectiveness depends on national enforcement structures.
The European Commission describes the role of Member States as an ex-post enforcement model: manufacturers place products on the market under their own responsibility; Member States carry out strategic reviews and inspections and may order corrective or restrictive measures along the supply chain.
Furthermore, Member States are responsible for the ‘management’ level of conformity assessment bodies (designation/supervision) and must designate Notifying Authorities for this purpose. (9)
It is precisely within this area of tension that the statement by the Bundesverband IT-Sicherheit e.V. (10) (TeleTrusT) comes into play: the association emphasises that national measures must, in particular, underpin the enforcement architecture (market surveillance, notification, SME support, framework for sanctions/fines). At the same time, TeleTrusT warns against ‘overly formal’ enforcement without robust practical implementation. (11)
Time pressure is further exacerbated by the phased implementation dates
The first CRA elements will take effect in 2026; TeleTrusT therefore calls for national regulations to be in place in good time – by the June 2026 deadline at the latest – to avoid legal uncertainty and practical enforcement problems. (12)
What the BMI draft bill specifically provides for
The draft bill (as of 12 March 2026) essentially regulates the implementation of the CRA in Germany through amendments to the BSIG, relying on a central regulatory role for the Federal Office for Information Security (13) (BSI). (14)
Centralisation at the BSI: market surveillance, notification, CSIRT function
The draft explicitly assigns tasks to the BSI as
- the competent market surveillance authority and
- the competent notifying authority. (15)
In addition, it is clarified that, in the CRA context, the BSI also assumes CSIRT tasks, i.e. in particular receives and assesses reports on actively exploited vulnerabilities and serious security incidents. (16)
In the enforcement section (§ 65 BSIG-E), the draft also provides for a complaints office and stipulates that appeals and legal actions have no suspensive effect (immediate enforceability of supervisory decisions). (17)
Accreditation/Notification: DAkkS principle, ‘public interest’ exception
A two-tier system is modelled for conformity assessment bodies:
- Principle: Assessment/monitoring of bodies is carried out by the national accreditation body (in Germany, in practice, the German Accreditation Body (18) – DAkkS). (19)
- Exception: In certain cases, the BSI may carry out the assessment itself if the notification is “in the public interest”. (20)
The explanatory memorandum to the draft defines ‘public interest’ specifically as a response to an impending bottleneck: if the accreditation system fails to provide sufficient notified bodies in good time, this could hinder market access for ‘important’ or ‘critical’ product categories – with potential safety implications. (21)
Resources and costs: major tasks – but subject to budgetary approval
The draft quantifies the scale of the new tasks with unusual specificity:
- Additional staffing requirements at the BSI: 141 permanent posts by 2029. (22)
- One-off material costs: €10 million, in particular for a “real-world laboratory”. (23)
- Ongoing annual material costs: including €8.1 million for external service providers in the context of market surveillance. (24)
- For the support of affected economic operators (training/awareness-raising), the administrative cost calculation indicates an ongoing expenditure of around €1.281 million per year. (25)
At the same time, the draft contains a crucial caveat: The additional requirements for material and personnel resources “are subject to future budgetary procedures” – i.e. not yet bindingly secured. (24)
Entry into force follows CRA schedule
Regarding the phasing, the draft explicitly aligns with the CRA roadmap:
- Notification requirements from 11 June 2026,
- reporting obligations from 11 September 2026,
- “other” regulations from 11 December 2027. (26)
TeleTrusT’s criticism in detail: Where the association calls for tightening – and why
TeleTrusT does acknowledge that the draft fundamentally addresses the necessary building blocks. However, the criticism focuses on practical feasibility. (27)
Point of criticism: Consolidation of tasks at the BSI without reliably secured resources
TeleTrusT considers centralisation at the BSI to be fundamentally sensible, as it pools expertise and prevents fragmented enforcement practices – but only if the BSI is actually capable, in terms of personnel, technology and organisation, of fulfilling the CRA tasks to the necessary extent. (11)
The association criticises the fact that, whilst the draft quantifies enforcement costs, it effectively leaves the funding unresolved and does not replace the budgetary reservation with binding commitments. (28)
This concern is made tangible by the scale of the burdens assumed in the draft: For the CRA notification and processing procedures alone, for example, the draft estimates an average volume of 2,000 notifications per year. (29)
Point of criticism: Notification without accreditation – ‘public interest’ too broad
TeleTrusT identifies Section 66(3) of the BSIG-E as one of the most critical points: The exception allowing conformity assessment bodies to be notified without accreditation is “too broad” and risks – if a mere shortage of bodies is already deemed to be in the public interest – becoming a tool purely for securing capacity and market access. (30)
The draft itself justifies the exception precisely on the grounds of a potential bottleneck: If there are not enough notified bodies, this could hinder market access for important/critical products. (21)
TeleTrusT counters this: quality standards must not be ‘regulated away’ to compensate for capacity problems. Instead, the DAkkS in particular must be provided with the necessary resources in good time to ensure that a sufficient number of accredited bodies are available; otherwise accreditation-based quality assurance would be undermined. (31)
Precisely because the Commission itself emphasises that for certain product classes the involvement of a notified body is effectively mandatory, a bottleneck would not merely be a ‘procedural problem’ but a genuine market access bottleneck. (3)
Point of criticism: Support services for businesses are too vague – and underfunded
TeleTrusT considers Section 67 of the BSIG-E to be significantly under-resourced: whilst the provision formally adopts CRA support ideas, it leaves open the question of the form, depth and practical benefit with which training and awareness-raising services are actually to be provided. (30)
Facts from the draft:
- Section 67 essentially provides for two measures in the text of the bill: training/awareness-raising and the establishment/operation of a real-world laboratory. (32)
- The administrative estimate puts the cost of these support services (training/awareness-raising) at around €1.281 million per year. (33)
TeleTrusT argues that, given the organisational, technical and personnel changes required by the CRA, this budget is ‘clearly too tight’ – particularly for SMEs. (27)
In addition, TeleTrusT points out that two support components mentioned in Article 33(1) of the CRA do not appear explicitly in Section 67 of the BSIG-E: a dedicated communication channel for micro and small enterprises, and support for testing and conformity assessment activities. (34)
A second objection, which is not only financial but also structural: TeleTrusT sees a risk of a conflict of interest if the same authority (BSI) provides support on the one hand, whilst imposing sanctions as a market surveillance authority on the other. The association proposes, as an alternative, external, independent support bodies to increase acceptance and effectiveness. (27)
Point of criticism: ‘Real-world lab’ risks becoming tokenism
TeleTrusT welcomes the idea of a real-world lab in principle, as a controlled testing environment can help SMEs in particular to understand requirements at an early stage and clarify implementation issues before market entry. (35)
The criticism is directed at two points:
- The draft leaves the specific design open; it is unclear when use is “in the public interest” and according to which criteria companies are granted access. (35)
- The draft expressly emphasises that there is no entitlement to individual advice – which may further limit its practical usefulness for companies. (36)
TeleTrusT also highlights that the CRA stipulates requirements for open, fair and transparent access to real-world labs and calls for these to be refined to suit SMEs. (34)
Practical implications: What manufacturers and operators should prepare now
Even though TeleTrusT focuses on implementation and structure, the interplay between CRA obligations and national implementation already identifies clear areas of action for companies in Germany (37) and across the European Union. (38)
- Firstly: Reporting processes must be in place by September 2026 at the latest. This is not a “minor compliance issue”, but a 24/7 operational matter (triage, reproducibility, exploit assessment, coordination with PSIRT/CSIRT, robust communication chains). The CRA mechanism operates via the SRP and addresses CSIRTs in the country of the main establishment. (7)
- Secondly: For certain product classes, the availability of notified bodies will be crucial. The Commission expects self-assessment for many products, but for “important” and “critical” categories, a notified body may become mandatory. (3)
> This means that TeleTrusT’s warning about bottlenecks is not abstract: anyone with a product portfolio in these categories should check at an early stage whether third-party verification obligations are likely to apply – and whether capacities can be secured on the market in good time.
- Thirdly: Companies should plan for the German enforcement architecture as a “single point of contact”. The draft consolidates market surveillance, notification, complaints handling and CSIRT functions within the BSI. (16)
> In practical terms, this means that documentation, evidence and communication will – at least at national level – have to be closely aligned with the expectations and process maturity of this single authority.
- Fourthly: Anyone hoping for state support should remain realistic and set up their own implementation programmes in parallel. Although the draft provides for support services, it limits these normatively to training/awareness-raising and real-world laboratory operations, and excludes any entitlement to individual consultancy. (20) At the same time, the draft’s cost estimates show that the planned budgets for support measures are limited. (33)
- Fifthly: The topic of “CRA implementation” is not just about technology, but market dynamics. The Commission explicitly states that Member States may strategically review products and, where necessary, require corrective or restrictive measures along the supply chain. (39)
> This makes CRA compliance a factor in product approvals, supply chain commitments, tenders and (for platform products) partner ecosystems.
TeleTrusT’s key message can be summarised as follows: The draft legislation sets out the right ‘framework’ (BSI remit, accreditation/notification, support services), but without clear guarantees regarding resources and quality, there is a risk of enforcement that exists in form but falls short of the CRA’s requirements in practice. (40)
[ML]
Footnotes
[1] [2] [4] [38] https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
[3] https://digital-strategy.ec.europa.eu/en/policies/cra-conformity-assessment
[5] [7] https://digital-strategy.ec.europa.eu/en/policies/cra-reporting
[6] [10] [14] [15] [16] [17] [19] [20] [21] [22] [23] [24] [25] [26] [29] [32] [33] [36] https://bundestagszusammenfasser.de/wp-content/uploads/rewp21/1183_vo-entwurf-cyberresilienz.pdf
[8] https://digital-strategy.ec.europa.eu/en/policies/cra-msmes
[9] [39] https://digital-strategy.ec.europa.eu/en/policies/cra-member-states
[11] [12] [13] [18] [27] [28] [30] [31] [34] [35] [37] [40] https://www.teletrust.de/publikationen/stellungnahmen/2026