The EU Cyber Resilience Act (CRA) is not coming in 2027. For Taiwan manufacturers, the critical deadline is September 2026 — and most have never heard of it.
What Is the CRA?
The Cyber Resilience Act is EU legislation that requires any product with digital components sold in the EU to meet mandatory cybersecurity requirements. This includes industrial PCs, PLCs, HMIs, VFDs, EV chargers, and any connected device.
Non-compliance means your products cannot enter the EU market. This is not a fine — it is a shipment block.
The September 2026 Deadline Nobody Is Talking About
Most industry coverage focuses on the December 2027 full enforcement date. But Article 14 of the CRA requires manufacturers to have a Vulnerability Disclosure Policy (VDP) in place by September 2026 — 15 months earlier.
If you do not have a VDP by September 2026, you are already non-compliant.
What Taiwan Manufacturers Need to Do Now
- Gap assessment — understand where your products stand against CRA requirements
- VDP policy — establish a formal process for receiving and handling vulnerability reports
- SBOM preparation — document every software component in your products
- EU Authorized Representative — designate an EU-based contact for regulatory purposes
Why IEC 62443 Is Not Enough
Many Taiwan manufacturers have invested in IEC 62443 certification. This is a strong foundation — but it does not fully satisfy CRA requirements. The CRA adds legal obligations that IEC 62443 does not cover, including VDP, SBOM, and post-market surveillance.
The Bottom Line
The September 2026 Article 14 deadline is 15 months away. For manufacturers without any CRA preparation, that is not much time.
If you are unsure where your products stand, a gap assessment is the right first step.
Wesley Lin is the founder of Wesley AI Inc., a CRA compliance advisory based in Taoyuan, Taiwan. He has 20+ years of industrial automation experience spanning Delta Electronics, ABB, and Schneider Electric.