CRA implementation act makes BSI central market surveillance authority

The CRA implementation act designates the BSI as the market surveillance and notifying authority for the Cyber Resilience Regulation in Germany.

Precisely this point is often overlooked: according to the draft, the administrative burden for businesses and citizens arising from the implementation act itself is zero. The obligations for secure product development, vulnerability management, CE marking and reporting apply regardless, because the regulation is directly applicable. The law only answers the question of which German authority manufacturers, notified bodies and consumers will turn to in future.

Which roles does the BSI take on?

In Article 1 the draft assigns four functions to the BSI under the CRA:

  • Market surveillance authority: monitors the conformity of products with digital elements, in particular compliance with the basic cybersecurity requirements in Annex I of the regulation (Regulation (EU) 2024/2847).
  • Notifying authority: assesses and notifies conformity assessment bodies. The actual assessment is generally carried out by the national accreditation body (DAkkS) under Regulation (EC) No 765/2008.
  • CSIRT coordinator and reporting office: receives reports of actively exploited vulnerabilities and serious security incidents that manufacturers must report under Article 14 of the regulation. The draft anticipates around 2,000 reports per year.
  • Support for economic operators: awareness-raising and training offers as well as the operation of a real-world lab for cyber resilience in which manufacturers can test innovative products in a controlled test environment before placing them on the market.

One restriction is relevant in practice: if a product falls under the CRA and is at the same time a high-risk AI system under the AI Act (Regulation (EU) 2024/1689, https://eur-lex.europa.eu/eli/reg/2024/1689/oj?locale=de), Article 52(14) CRA provides that the market surveillance authority designated for AI oversight is responsible, in Germany likely the Federal Network Agency. In such cases, market surveillance therefore does not lie with the BSI.

Which deadlines apply?

The draft staggers entry into force in three stages that follow the regulation:

  • 11 June 2026: provisions on notification enter into force so that notified bodies can be accredited in time.
  • 11 September 2026: the BSI becomes the CSIRT and reporting office for vulnerabilities and security incidents.
  • 11 December 2027: the rest of the law enters into force, at the same time as the full applicability of the material CRA requirements.

For manufacturers the middle deadline is particularly tangible: from 11 September 2026 actively exploited vulnerabilities and serious security incidents must be reported to the BSI. This is the first CRA obligation with immediate organizational consequences because it requires functioning internal processes for detection, assessment and timely reporting.

What does this mean concretely for manufacturers?

If, for example, you place a networked machine controller with remote maintenance access on the market, the implementation act now provides clear points of contact: the BSI is the contact point for market surveillance, for vulnerability reports and for support offers. Does this change the actual requirements? No. The obligation to demonstrate a secure product development process, to manage vulnerabilities during the support period and to document conformity exists independently of the national law. The implementation act only clarifies which authority enforces these obligations and receives the reports in Germany.

Two points deserve closer attention:

  • Reporting process: those who have not established a reliable internal chain from vulnerability detection to BSI reporting by September 2026 risk missing deadlines in the event of an actively exploited vulnerability or a serious security incident.
  • Conformity assessment: the National Regulatory Control Council welcomes the consolidation at the BSI but explicitly points out that success depends on sufficient personnel capacities at conformity assessment bodies. For important and critical products under Annexes III and IV that require third-party assessment, a bottleneck in notified bodies can become a market access risk. Anyone reliant on an external assessment should plan for the availability of notified bodies early.

After the first reading the draft will be referred to committees, with the interior committee taking the lead. Changes in the further process are possible, but the basic authority architecture is unlikely to change much. The question of competent authority is largely settled by the draft, but the operational preparation for reporting obligations and conformity assessment remains the responsibility of manufacturers. If you would like to clarify which CRA obligations affect your products from when, and what a reliable reporting process to the BSI could look like, this can be discussed in a non-binding conversation.