Pick any project currently on your desk. The AV-over-IP encoder you’re about to specify, the room processor going into the board suite, the signage players across eight sites — they will all be in service well past December 2027.
By then, the Cyber Resilience Act’s main obligations will be in force. Any manufacturer still selling that product on the EU market after 11 December 2027 must be CRA-compliant. If they are not, that product line gets pulled. No further EU sales. No new stock for spares. And depending on your contracts, no easy path to a replacement.
That is the part of CRA that hasn’t landed yet in Pro AV. The deadline reads as a manufacturer’s problem. It is, but it becomes yours when the product you’ve specified stops being available, or when your client’s IT team asks questions you’re not prepared to answer. Reporting obligations start even earlier — manufacturers face mandatory vulnerability notification requirements from 11 September 2026. The product decisions you make today determine whether that date causes problems or passes without incident.
What CRA Actually Demands, And Why AV Is Inside It
Regulation EU 2024/2847 entered into force on 10 December 2024. Its main obligations apply from 11 December 2027. An earlier milestone lands on 11 September 2026, when manufacturers of in-scope products must begin actively reporting exploited vulnerabilities and severe incidents to the relevant CSIRT and to ENISA, the EU Cybersecurity Agency, within 24 hours of becoming aware. That reporting infrastructure has to exist and work before it’s tested.
CRA covers any “product with digital elements” placed on the EU market — hardware or software designed to connect directly or indirectly to a device or network. That definition reaches AV-over-IP encoders and decoders, network-connected displays and signage players, room processors, DSP units with web interfaces, control system software, and cloud management platforms. If it has firmware and connects to a network, it is in scope.
The obligations on manufacturers are specific and non-negotiable from December 2027. Products must ship securely by default: no universal default credentials, no unnecessary open ports, no services enabled that the user cannot reasonably need. Manufacturers must publish a vulnerability disclosure policy. They must provide security updates for a defined support period — with a minimum of five years from the date of placing the product on the market. They must maintain a Software Bill of Materials, a structured inventory of every software component inside the product. And they must have a reporting infrastructure capable of handling the 24-hour notification window to CSIRT and ENISA when an actively exploited vulnerability surfaces.
The transitional rule is sometimes misread as protection. Products placed on the EU market before 11 December 2027 are not subject to the full CRA requirements simply because they remain in use afterward. But that exemption attaches to each unit, not to a product line. A manufacturer continuing to sell units of the same model after December 2027 must make those units CRA-compliant. If they cannot, they stop selling in the EU. That is the supply chain exposure that integrators have not yet fully priced.
The Integrator’s Exposure
CRA is a manufacturer’s obligation, but importers and distributors who place products on the EU market carry a due diligence duty: they must verify that products meet CRA’s essential requirements and carry the required CE marking before they go on site. If you import directly, or if you resell hardware from a manufacturer with no EU legal entity to answer for it, the compliance obligation does not disappear. It moves to you.
AVIXA’s Recommended Practices for Security in Networked Audiovisual Systems already identifies security as a shared responsibility across manufacturer, integrator, consultant, and end user. CRA gives that shared responsibility a legal structure. What was once good practice is now a compliance floor, and the floor has a penalty ceiling of €15 million or 2.5% of global annual turnover for manufacturers who breach it.
Integrators are not the primary target of CRA enforcement. But specifying a product from a manufacturer who cannot meet CRA requirements creates three connected problems: the product may disappear from the EU market mid-deployment, spare parts and firmware support may evaporate, and your client’s IT team will eventually ask the questions the regulation requires someone to answer. If the manufacturer cannot answer them, you will be next in line.
Where The Product Gap Is Largest
The major European and US brands at the high end of the market are broadly moving toward CRA readiness. The gap sits elsewhere, in two concentrated areas.
First, the long tail of AV-over-IP and digital signage hardware from Asia-Pacific manufacturers. Common on cost-driven tenders, many have limited EU presence, inconsistent firmware update cadences, and no published vulnerability policy. The CRA’s importer obligations mean that bringing this hardware into the EU market without due diligence carries the compliance obligation directly. Under the new Product Liability Directive — covered in AVIXA Europe’s EU liability analysis — it can also make you the defendant of last resort if a device causes damage and the manufacturer has no EU entity to answer for it.
Second, the problem of legacy hardware already in portfolios and on active frameworks. A panel or processor that was a sensible spec in 2022 may have no path to CRA compliance: no firmware update roadmap, no vulnerability disclosure process, and no EU-established responsible manufacturer. If that hardware is still being sold from your framework after December 2027, either it meets CRA requirements, or it disappears from the EU market. Spec it onto a multi-year deployment today, and you are building a supply chain cliff into the project.
AVIXA’s guidance on securing AV systems against network threats sets out the baseline security posture integrators should be applying at commissioning. CRA sharpens that into a supply chain test: the product either has the manufacturer’s infrastructure to sustain compliance, or it does not. No amount of hardening at commissioning can compensate for a manufacturer that ships hardware with no vulnerability disclosure policy and no plan to meet an EU support obligation.
Four Questions To Ask Before The Next Spec
This does not require becoming a compliance lawyer. It requires the following four questions, in writing, before any significant networked AV product goes onto a multi-year deployment:
Does the manufacturer publish a vulnerability disclosure policy? It should be findable online, specific, and include a contact point and a response commitment. “Report issues to our support team” is not a vulnerability disclosure policy. It is a support ticket queue.
Does the manufacturer commit to security updates for a defined support period, and does that period appear in the product’s documentation at the point of purchase? CRA requires manufacturers to state the end date of the support period at the time of sale. If that information is absent, the manufacturer either does not know what it is or has not started its CRA compliance work. Either way, that is a risk to your deployment.
Will the manufacturer provide a Software Bill of Materials on request? This is already a standard ask in enterprise IT procurement in Germany and the Nordics. If the manufacturer cannot produce it, your client’s IT team will ask why you did not check. They will be right to ask.
Does the manufacturer have an EU-established legal entity named as the responsible manufacturer? This matters under CRA, under the Product Liability Directive, and under NIS2 supply chain obligations. If the manufacturer has no EU presence and a device causes damage, the liability cascade moves through the supply chain until it finds someone with an EU address. In many AV deployments, that is the integrator.
If any answer is vague, you have a product risk. Specifying that product now, with September 2026 reporting obligations approaching and December 2027 in plain sight, makes it a foreseeable risk. That changes both whether you specify it and how you price your exposure if you do.
What To Change In Tenders And Procurement Language
Start treating CRA readiness as a supplier qualification, not a future compliance aspiration.
On new tenders, write in a requirement that all networked digital products must come with a named EU responsible manufacturer, a published vulnerability disclosure policy, a stated support period end date, and a written commitment to security updates for a defined period aligned to the deployment lifecycle. That language gives you a procurement gate and gives the client a degree of protection. When a product fails those requirements, you have grounds to substitute without a contract argument.
For enterprise clients already under NIS2 obligations — and after Germany’s national implementation entered into force in December 2025, that means most significant German accounts — these supplier checks are not optional. NIS2-regulated organisations must manage supply chain risk. Your product decisions feed directly into their compliance posture. The ISE 2026 cybersecurity coverage on AVIXA Xchange made clear that regulation is reshaping who carries accountability when a networked system fails. CRA is the next move in that shift — from documenting security at commissioning to verifying it in the supply chain before hardware ships.
CRA also sits in a regulatory stack that integrators now need to read as a whole. NIS2 sets the cybersecurity obligations on your clients. The Product Liability Directive sets the defect liability exposure when systems fail. CRA sets the product security floor that the hardware itself must clear. All three instruments converge on the same point: the networked AV system on the enterprise network, and the integrator who put it there. Build your procurement language to reflect that, and you are ahead of most of the market. Ignore it, and you are one incident away from a conversation you are not prepared to have.
My Verdict
December 2027 is not an abstract deadline. September 2026 — when vulnerability reporting obligations begin — is only five months away. The hardware on your current spec sheets determines your exposure to both dates, because manufacturers who are not CRA-ready by December 2027 stop selling new units in the EU. If that product disappears mid-deployment, the problem lands on you.
Run your current product portfolio against four tests: vulnerability disclosure policy, stated support period, SBOM availability, and EU legal entity. Products that fail those tests are supply chain risks you are carrying on behalf of your clients, often without knowing it, and certainly without charging for it.
Add CRA readiness language to your tender documents now. Make it a supplier qualification, not a wish-list item. If a manufacturer cannot answer those four questions clearly and in writing, treat that as the answer and spec accordingly. The integrators who move first on this will not just avoid a 2027 problem. They will have a differentiated procurement story on regulated accounts right now, while most of the market is still waiting to see how it plays out.