What is the EU Cyber Resilience Act and which marketing obligations enter force in May 2026?

The EU Cyber Resilience Act — Regulation (EU) 2024/2847 — is the horizontal cybersecurity framework for products with digital elements placed on the EU market. The Act covers a broad scope of connected products including IoT consumer devices, network equipment, smart home hardware, industrial control systems, and software products including SaaS where the SaaS includes a meaningful product component. The Act was adopted in October 2024 and entered force in November 2024 with a phased implementation that runs through 2027 for the full set of obligations. The May 2026 phase brings several substantive marketing and ad-compliance obligations into force. The first is the security update lifetime declaration. Manufacturers placing connected products on the EU market must declare the period during which security updates will be provided and must communicate the declaration in product marketing materials, including ads. The declaration must appear in any ad that promotes the product as part of a sale or pre-order channel. The second obligation is the conformity declaration framing. Connected products covered by the Act must carry the CE marking and a conformity declaration that confirms compliance with the Act's essential cybersecurity requirements. Marketing materials including ads cannot make security claims that conflict with the conformity declaration or that imply security properties beyond the conformity scope. The third obligation is the vulnerability disclosure pathway. Manufacturers must maintain a coordinated vulnerability disclosure pathway and must communicate the pathway in product documentation. While the pathway itself is not an ad disclosure, advertising claims about product security must align with the manufacturer's actual vulnerability handling capability. The fourth obligation operates at the EU surveillance authority level. Member state market surveillance authorities can issue corrective notices on misleading security claims in product marketing, and the corrective notices have direct effect on ads served on EU surfaces. Advertisers running campaigns for connected products covered by the Act must build the security update declaration, the conformity declaration alignment, and the vulnerability disclosure pathway into their marketing operations. The May 2026 phase is the first substantive enforcement window for these marketing obligations. For the broader EU regulatory frame, see EU DSA Compliance . Track in-flight regulatory updates through the Policy Tracker .

Which products fall within the Cyber Resilience Act scope and trigger the May 2026 marketing obligations?

The Cyber Resilience Act applies to products with digital elements placed on the EU market, with several specific exclusions and a tiered classification structure that affects the marketing obligations applicable to each product. The Act's product scope is broad — it covers any product that has at least one digital element, where the digital element processes data, includes connectivity, or enables remote interaction. Practically this captures the vast majority of connected consumer and B2B technology products. Several categories are explicitly excluded from the Act because they are governed by sector-specific frameworks. Medical devices governed by the Medical Devices Regulation are excluded. Aviation products governed by EASA frameworks are excluded. Automotive products governed by UNECE WP.29 frameworks are excluded. Defence products are excluded. Open-source software developed and supplied outside commercial activity is excluded though this exclusion has been narrowed through implementing regulations. The Act applies a three-tier classification structure for products in scope. The Default class covers most connected products and triggers the standard set of essential cybersecurity requirements and conformity assessment obligations. The Important products class covers products with elevated cybersecurity criticality including network management software, virtual private network software, password managers, identity management systems, and several other categories. Important products face stricter conformity assessment obligations and additional marketing disclosure requirements. The Critical products class covers products at the highest cybersecurity criticality including hardware security modules, smart card systems, smart meters, and several other categories. Critical products require third-party conformity assessment and face the strictest marketing disclosure requirements. From the marketing perspective the classification determines which disclosure obligations apply to ads and which security claims can be made. Default class products require the security update lifetime declaration in marketing materials and prohibit security claims beyond the conformity scope. Important products additionally require disclosure of the conformity assessment route used and the identity of the notified body where one was used. Critical products require disclosure of the third-party assessment certification and prohibit any security claim not directly substantiated by the certification. SaaS products are partially in scope — SaaS where the service is the entire product is generally outside the Act, while SaaS that includes a software component delivered to or installed on the customer's environment is in scope for that component. Advertisers running B2B SaaS campaigns should review the product architecture to determine scope and adjust marketing claims accordingly. For automated review of marketing claims against regulatory restrictions, route through AI Compliance Audit .

What are the specific advertising disclosure requirements for connected product ads in the May 2026 phase?

The Cyber Resilience Act marketing obligations translate into several specific advertising disclosure requirements that advertisers must build into ad creative for connected products. The disclosure requirements operate at the ad surface level rather than at the campaign level, which means each individual ad must satisfy the disclosure independent of the broader campaign context. The first specific requirement is the security update lifetime statement. Ads promoting a connected product for sale or pre-order must include or link to a clear statement of the period during which security updates will be provided. The statement should specify either an absolute end date or a duration measured from the placing-on-market date. Ads cannot claim indefinite or perpetual security updates unless the manufacturer is committed to such by the conformity declaration. Ads using vague language such as long-term support or regular updates without specifying a period are non-compliant. The second specific requirement is conformity statement alignment. Ads can include the CE marking and can reference the conformity declaration but cannot make security claims that exceed the conformity scope. Ads that claim military-grade encryption, unhackable security, complete privacy, or similar absolute claims are non-compliant unless the conformity declaration directly substantiates the claim. Conservative formulations such as encrypted communication consistent with the conformity declaration are compliant. The third specific requirement is vulnerability disclosure pathway reference. Ads do not need to include the vulnerability disclosure pathway directly but must not make claims that contradict the manufacturer's actual vulnerability handling. Ads claiming zero known vulnerabilities, no past security incidents, or similar absolute claims are non-compliant unless directly verifiable. The fourth specific requirement is software bill of materials reference for products that include open-source components. Ads do not need to include the software bill of materials but must not make claims about proprietary technology or developed-in-house components that contradict the documented bill of materials. Important products and Critical products face additional disclosure requirements including the conformity assessment route and notified body identity. The additional requirements apply to ads promoting these specific product classes and require specific creative templates for compliant disclosure. Advertisers running multi-product campaigns should configure creative templates per product class to ensure the appropriate disclosures appear with each product. For automated audit of ad creative against regulatory restrictions, run AI Compliance Audit and reference the cross-platform regulatory frame through EU DSA Compliance .

How does the Cyber Resilience Act affect B2B SaaS advertising and marketing in 2026?

The Cyber Resilience Act treats B2B SaaS in a partially-in-scope manner that depends on the architecture of the SaaS service. Pure cloud-only SaaS where the customer interacts with the service entirely through cloud-hosted endpoints is generally outside the Act. SaaS that includes a software component delivered to or installed on the customer's environment — such as a desktop client, browser extension, mobile app, on-premise agent, or downloadable SDK — is in scope for that component. The distinction matters for B2B SaaS marketing because the in-scope component carries marketing disclosure obligations while the cloud-only component does not. Several specific SaaS architectures are clearly in scope. SaaS with a desktop or mobile client app is in scope for the app component. SaaS with a downloadable SDK or library that customers integrate is in scope for the SDK. SaaS with on-premise agents or connectors is in scope for the agent. SaaS that distributes browser extensions is in scope for the extension. SaaS distributing IoT firmware or embedded software is in scope for that firmware. Several common B2B SaaS marketing claims face new compliance constraints under the Act. Claims about end-to-end encryption must be substantiated by the conformity declaration if the in-scope component implements the encryption. Claims about zero trust architecture must align with the conformity declaration scope and cannot exceed it. Claims about compliance with industry frameworks such as SOC 2, ISO 27001 or NIST CSF must accurately reflect the certification scope and must not imply CRA conformity unless conformity has been declared. Claims about vulnerability response time, patch deployment cadence, or security update frequency must align with the manufacturer's actual capability and must be supportable by the vulnerability disclosure pathway documentation. The marketing channel matters operationally. Pure brand-awareness ads that do not promote a specific product for sale carry lighter disclosure obligations than direct-response ads that promote a specific product for purchase or trial signup. Lead generation ads that include an SDK download or trial software install fall within the in-scope category. Webinar promotion ads, gated content ads, and similar top-of-funnel ads are generally lower-risk. Cross-border B2B SaaS marketing should standardise on the strict EU CRA disclosure baseline rather than maintain region-specific creative because the operational complexity of region-specific SaaS marketing exceeds the cost of the strict baseline. For B2B SaaS marketing audit, see SaaS & Tech Compliance and run AI Compliance Audit .

How does the Cyber Resilience Act interact with GDPR, NIS2 and the broader EU tech regulatory stack?

The Cyber Resilience Act sits within a broader EU tech regulatory stack and interacts with several adjacent frameworks that produce overlapping marketing and compliance obligations. Advertisers running campaigns for connected products in the EU should treat the stack as a layered compliance matrix rather than as a sequence of independent regulations. The first adjacent framework is GDPR. GDPR applies to processing of personal data through any product including connected products. CRA conformity does not satisfy GDPR obligations and vice versa. Marketing claims about privacy must satisfy GDPR principles regardless of CRA conformity status. Claims about anonymisation, pseudonymisation, or differential privacy must be technically accurate and substantiable. The second adjacent framework is NIS2 — the Network and Information Security Directive. NIS2 applies to operators of essential and important services rather than to product manufacturers, but the operator obligations cascade to the products operators procure. Marketing to NIS2-covered customers should reference the customer's NIS2 obligations in pre-sales documentation and should align product capability with NIS2 risk management requirements. The third adjacent framework is the AI Act. AI components within connected products are subject to the AI Act conformity assessment. Marketing claims about AI capability must align with the AI Act risk classification and must not exceed the assessment scope. Marketing for high-risk AI systems faces additional disclosure obligations on the system's purpose, performance metrics, and known limitations. The fourth adjacent framework is the Product Liability Directive. The recently revised Product Liability Directive extends product liability to software including SaaS, and creates strict liability for damages caused by software defects. Marketing claims must align with the documented capability of the product to manage liability exposure. The fifth adjacent framework is sector-specific regulation. Medical devices, automotive products, aviation products and defence products are excluded from CRA and governed by sector frameworks. Marketing for sector-specific products must satisfy the sector framework rather than CRA. The combined regulatory stack means that marketing claims for connected products in the EU must satisfy multiple frameworks simultaneously. The compliance burden is operationally significant and most B2B and consumer connected-product advertisers should treat marketing claims as a multi-stakeholder review process involving product, legal, security, and marketing functions. Marketing claims that pass internal review against one framework but conflict with another framework produce regulatory risk that surfaces in practice through enforcement actions and consumer protection investigations. For consolidated EU regulatory framework, see EU DSA Compliance .

EU Cyber Resilience Act May 2026: Marketing & Ad Compliance

EU Cyber Resilience Act May 2026: Connected Product Marketing Disclosure, IoT Device Ad Compliance & B2B SaaS Implications

Inside This Compliance Report

1CRA & May 2026 Marketing Phase
2Product Scope & Classification
3Ad Disclosure Requirements
4B2B SaaS Implications
5GDPR, NIS2 & AI Act Interaction
6Connected Product Ad Compliance Checklist
7Frequently Asked Questions

CRA & May 2026 Marketing Phase

The EU Cyber Resilience Act — Regulation (EU) 2024/2847 — is the horizontal cybersecurity framework for products with digital elements placed on the EU market. The Act covers a broad scope of connected products including IoT consumer devices, network equipment, smart home hardware, industrial control systems, and software products including SaaS where the SaaS includes a meaningful product component. Adopted October 2024, entered force November 2024, with a phased implementation through 2027.

The May 2026 phase brings four substantive marketing obligations into force. The security update lifetime declaration must appear in any ad that promotes the product for sale or pre-order. The conformity declaration framing means marketing cannot make security claims that conflict with the declaration or imply security properties beyond the conformity scope. The vulnerability disclosure pathway must align with manufacturer documentation. Member state market surveillance authorities can issue corrective notices on misleading security claims with direct effect on EU-served ads.

From the advertiser perspective the May 2026 phase is the first substantive enforcement window for marketing obligations. Advertisers running campaigns for connected products covered by the Act must build the security update declaration, conformity declaration alignment, and vulnerability disclosure pathway into their marketing operations.

"Security claims in connected-product ads are no longer a creative decision — they are a conformity declaration. Marketing copy that exceeds the declaration scope produces enforcement risk."
— AuditSocials CRA marketing brief, May 2026

For the broader EU regulatory frame, see EU DSA Compliance. Track in-flight CRA guidance through the Policy Tracker.

Product Scope & Classification

The Act applies to products with digital elements placed on the EU market — any product that has at least one digital element processing data, including connectivity, or enabling remote interaction. Practically captures most connected consumer and B2B technology products.

Three-Tier Classification

Class	Examples	Marketing Obligation
Default	Most connected consumer products	Security update lifetime + conformity scope alignment
Important	VPN software, password managers, identity systems, network management	+ Conformity assessment route + notified body identity
Critical	Hardware security modules, smart cards, smart meters	+ Third-party assessment certification disclosure

Sector Exclusions

Medical devices: MDR/IVDR governed
Automotive: UNECE WP.29 governed
Aviation: EASA governed
Defence: Excluded
Open-source non-commercial: Excluded (narrowed through implementing acts)

For automated review of marketing claims against regulatory restrictions, route through AI Compliance Audit.

Ad Disclosure Requirements

The CRA marketing obligations translate into specific advertising disclosure requirements that operate at the ad surface level — each individual ad must satisfy the disclosure independent of broader campaign context.

Required Elements

Security update lifetime statement: Absolute end date or duration from placing-on-market; no vague language ("long-term", "regular updates")
Conformity scope alignment: No "military-grade", "unhackable", "complete privacy" unless declaration substantiates
Vulnerability disclosure pathway: Marketing claims cannot contradict manufacturer's actual handling capability
Software bill of materials reference: No proprietary or in-house claims that contradict documented BOM

Non-Compliant Phrasing Examples

Non-compliant	Compliant alternative
"Long-term security support"	"Security updates through December 2031"
"Military-grade encryption"	"Encrypted communication consistent with conformity declaration"
"Unhackable by design"	"Designed to CRA Important product cybersecurity requirements"
"Zero known vulnerabilities"	"Coordinated vulnerability disclosure available at..."

For automated ad creative audit, run AI Compliance Audit.

B2B SaaS Implications

CRA treats B2B SaaS partially in scope based on architecture. Pure cloud-only SaaS where the customer interacts entirely through cloud-hosted endpoints is generally outside the Act. SaaS that includes a software component delivered to or installed on the customer's environment is in scope for that component.

SaaS Architecture Mapping

Desktop/mobile client app: In scope for the app component
Downloadable SDK/library: In scope for the SDK
On-premise agents/connectors: In scope for the agent
Browser extensions: In scope for the extension
IoT firmware/embedded software: In scope for the firmware
Pure cloud-only SaaS: Outside the Act

Common B2B SaaS marketing claims facing new constraints: end-to-end encryption claims, zero trust architecture claims, framework certifications (SOC 2, ISO 27001), vulnerability response timing claims. Cross-border B2B SaaS marketing should standardise on the strict EU CRA baseline. For B2B SaaS marketing audit, see SaaS & Tech Compliance.

GDPR, NIS2 & AI Act Interaction

The CRA sits within a broader EU tech regulatory stack. Advertisers running campaigns for connected products should treat the stack as a layered compliance matrix.

Adjacent Framework Mapping

Framework	Applies to	Marketing implication
GDPR	Personal data processing	Privacy claims (anonymisation, pseudonymisation) must be technically accurate
NIS2	Operators of essential/important services	Reference customer's NIS2 obligations in pre-sales
AI Act	AI components within products	AI capability claims must align with risk classification
Product Liability Directive	Software including SaaS	Marketing claims align with documented capability
MDR/IVDR/UNECE/EASA	Sector-specific products	Replaces CRA for those sectors

For the consolidated regulatory frame, see EU DSA Compliance.

Connected Product Ad Compliance Checklist

[ ] Map product portfolio against CRA scope and classification (Default / Important / Critical)
[ ] Document security update lifetime per product (absolute date or duration)
[ ] Build creative templates per product class with required disclosures
[ ] Audit existing ad copy for non-compliant phrasing ("military-grade", "unhackable")
[ ] Align security claims with conformity declaration scope
[ ] Document vulnerability disclosure pathway and ensure ads do not contradict
[ ] Map SaaS architecture to identify in-scope components
[ ] Pre-clear regulated B2B SaaS claims through legal + security review
[ ] Standardise cross-border SaaS marketing on EU CRA strict baseline
[ ] Configure multi-stakeholder review (product, legal, security, marketing)
[ ] Pre-clear AI capability claims against AI Act risk classification
[ ] Track in-flight CRA implementing acts through the Policy Tracker

Don't miss the next policy change.

Subscribe to the Policy Tracker — get weekly digests or instant Pro alerts across all 8 platforms. Or try our free Keyword Risk Checker first.

Subscribe Free

Report Keywords — Run AI Compliance Audit

#Cyber Resilience Act#CRA#EU Regulation#IoT#Connected Products#B2B SaaS#Disclosure Rules#GDPR#2026 Policy#Advertisers#Compliance Guide 2026#Tech

Share This Report

Tweet Share

EDPB Pay-or-Consent Cookie Walls May 2026: Updated Guidance, Consent Validity & Advertiser Web Tracking Workflow

The EDPB published refreshed pay-or-consent guidance in May 2026 that materially restricts the binary cookie wall pattern and tightens consent validity criteria across the EU. Here is the advertiser-side workflow.

EU DSA Second-Wave VLOP Designations April 2026 — 12+ New Platforms Under Article 33, Cross-Product User Counts & 2027 Audit Timeline

The European Commission's second-wave DSA designations effective April 2026 add 12+ platforms to the Very Large Online Platform list under tighter user-count methodology. The January 2027 compliance review will be the first formal audit of the second-wave cohort with fines up to 6% of global revenue.

EU DSA Second Wave Enforcement April 2026 — New VLOP Designations, Expanded Advertising Transparency Obligations & 6 Percent Turnover Fines

The EU activated its DSA second enforcement wave in April 2026, designating additional platforms as VLOPs and extending advertising transparency obligations. The €120M X fine set the penalty ceiling at 6 percent of global turnover — advertisers on newly designated platforms face new creative, targeting, and reporting constraints.

EU Cyber Resilience Act May 2026: Connected Product Marketing Disclosure, IoT Device Ad Compliance & B2B SaaS Implications