Cleo
CompanyPricing
Request a Demo
Anaelle GuezNaomie Halioua
Request a Demo
Cleo

AI-powered regulatory intelligence.

contact@cleolabs.co

Solutions

  • Due Diligence
  • Product Compliance

Company

  • About
  • Research
  • Blog

Jurisdictions

  • 🇪🇺 European Union
  • 🇫🇷 France
  • 🇩🇪 Germany
  • 🇬🇧 United Kingdom
  • 🇺🇸 United States

Legal

  • Privacy
  • Terms
  • Security

Events

  • VivaTech ParisJun 11–14, 2026

© 2026 Cleo Labs. All rights reserved.

GDPREU Data
Blog/Compliance
Compliance2026-02-05·7 min read
Alexandre Bloch

Alexandre Bloch

Co-founder & CTO, Engineering

CE Marking for Digital Products: What Changes in 2026

CE Marking for Digital Products: What Changes in 2026

The Cyber Resilience Act extends the CE marking framework to software and connected devices for the first time. For tech companies, this means a fundamentally new product compliance requirement.

What the Cyber Resilience Act changes

Traditionally, CE marking applied to physical products: machinery, medical devices, electronics. The CRA extends this to "products with digital elements", a broad category that includes standalone software, IoT devices, connected hardware, and SaaS products that interact with end-user devices. Manufacturers must demonstrate compliance with essential cybersecurity requirements through a conformity assessment process.

1

Secure by default: products must ship with secure configurations out of the box

2

Vulnerability handling: documented processes for identifying, reporting, and patching vulnerabilities

3

Security updates: free updates for the expected product lifetime (minimum 5 years)

4

Conformity assessment: self-assessment for most products, third-party for critical ones

Timeline and preparation

The CRA was adopted in 2024, with a transition period giving manufacturers until 2027 to fully comply. However, preparation must start now: vulnerability handling processes, SBOM (Software Bill of Materials) generation, and secure development lifecycle practices take months to implement. Cleo helps by mapping the CRA requirements to your specific product portfolio and tracking evolving implementation guidance from ENISA and market surveillance authorities.

Frequently asked questions

Does CE marking apply to software in 2026?

Yes. The Cyber Resilience Act (CRA) extends CE marking requirements to products with digital elements, including standalone software, connected devices, and IoT products. Manufacturers must demonstrate compliance with cybersecurity requirements through conformity assessment, implement vulnerability handling processes, and provide security updates throughout the product lifecycle.

Related resources

Solutions

Product Compliance Solution

Compliance · 2026-03-06

Product Compliance in the EU: The Complete Guide for Tech Companies

Compliance · 2026-03-11

Multi-Market Product Compliance for Retail & Consumer Goods: The Definitive Guide

Try Cleo: free regulatory risk scan

See your regulatory landscape mapped in minutes. No signup, no credit card.

Scan for free
Book a Call
Anaelle GuezNaomie Halioua
Request a Demo