Irish manufacturers are bracing for widespread disruption as new EU cyber regulations begin operational roll out from June.
Under the Cyber Resilience Act (CRA), businesses will be responsible for the cybersecurity of their products across their entire lifecycle – from design through to post-sale.
New research from Atradius – a global trade credit insurer based in Ireland – reveals nine in ten (91%) Irish manufacturers are expecting the new rules to cost them €61k on average over the next 2 years and delay production or product launches by up to three months.
The study, which surveyed manufacturers across Ireland and Northern Ireland, reveals a growing gap between the scale of the challenge posed by the CRA and the level of readiness within the sector at a time of already extreme volatility due to events in the Middle East.
Underestimated financial exposure
One in four (26%) Irish manufacturers are not prepared, according to the research, with smaller businesses more likely to not have taken any significant action.
With an average of 45% of revenue tied to affected products or markets, the research points to significantly underestimated financial exposure. Only a quarter (25%) of businesses have assessed the financial impact or allocated budget (27%) for compliance, while just one in six (17%) businesses have involved finance or risk teams, suggesting financial exposure may be an oversight for many.
The warning comes as Atradius data shows trade credit insurance claims – where businesses claim after customers fail to pay for goods or services – increased by 16% across the Irish businesses between March and April 2026, underlining the growing pressure on cashflow and customer reliability.2
This reflects a broader issue, with only 16% of organisations globally measuring the financial impact of cyber risks to a significant extent.3
Implementation gap emerging
The research also highlights a clear disconnect within organisations which could cause unforeseen challenges and disruption. While 92% of directors believe their business is prepared for the new rules, just 58% of managers on the ground agree. Similarly, nearly two-thirds (64%) of directors say they fully understand the CRA but only 22% of senior managers responsible for delivering compliance say the same.
This gap suggests that many businesses may be underestimating the practical challenges involved in implementation – increasing the risk of delays and disruption as deadlines approach.
Pressure on operational decision making
The next key milestone comes in June 2026, when the regulatory framework becomes operational, marking a significant step towards full enforcement in December 2027.
While this does not yet impose full obligations on manufacturers, it signals a shift from preparation to implementation – and a narrowing window for businesses to get ready.
Early signs suggest this shift is already impacting operational decision-making. Almost 70% (69%) think that suppliers’ failure to comply will cause a two-three month delay, with one in five (22%) expecting the act to lead to a change in suppliers. One in four expect longer development timelines (28%) and increased compliance or delay costs (25%).
This is particularly significant given supply chain exposure remains one of the weakest areas of cyber readiness globally, with organisations reporting limited capability in managing third-party cyber risks.2
Sheena Bohan, Head of Commercial at Atradius said:“Like most regulation, the Cyber Resilience Act risks being seen as a compliance issue – our research shows the commercial impact is being under-estimated by some firms.
“In complex supply chains, even small delays can ripple through production, exports and payments if businesses aren’t prepared – and that risk is only heightened by ongoing global disruption in Iran.
“Crucially, leadership teams need to ensure their organisations fully understand and are prepared for the incoming regulation – that disconnect is where delays and disruption start.
“Our report gives manufacturers a practical framework to assess exposure, stress-test supply chains, spot early warning signs and protect production, contracts and cashflow – with readiness embedded across the business, not siloed.”