In 2011, a 24-year-old Austrian law student named Max Schrems sat in a lecture at Santa Clara University and listened to a Facebook lawyer explain how the company handled European user data. What he heard did not add up. When he returned to Vienna, he filed a complaint with the Irish Data Protection Commissioner, the authority responsible for Facebook’s European operations. That complaint eventually reached the Court of Justice of the European Union twice, and the resulting rulings dismantled two successive transatlantic data transfer frameworks that US companies had relied on for years.
Schrems did not set out to reshape global business. He wanted a straight answer from a corporation about what it did with personal data. The consequences of that question are still unfolding.
Why the Schrems story matters beyond privacy
The GDPR, whose enforcement Schrems spent years pushing regulators to take seriously, established a pattern that every American manufacturer selling in Europe now lives with: the EU writes rules that apply to any company accessing its market, regardless of where that company is headquartered, and it builds enforcement mechanisms with real financial consequences.
GDPR fines can reach 4% of global annual turnover. The precedent matters because the EU applied the same logic to product regulation.
The same logic, applied to connected products
The Cyber Resilience Act follows the same architecture as GDPR. It sets mandatory requirements, applies them to any company placing products on the EU market, and attaches fines of up to EUR 15 million or 2.5% of global turnover for non-compliance. A US manufacturer of connected hardware or software that sells into Europe carries the full weight of those obligations, with no EU headquarters to absorb part of the burden.
The first deadline arrives in September 2026, when vulnerability reporting obligations take effect for products already on the market. Full product compliance is required by December 2027.
Where GDPR ends and the CRA begins
GDPR governs how organizations handle personal data. The CRA governs the security of products themselves. A company that achieved GDPR compliance years ago and assumed that covered its European cybersecurity exposure has a gap. The two regulations address different things, and compliance with one does not satisfy the other.
The distinction becomes sharper when you consider that the CRA also overlaps with other EU rules. The NIS2 Directive and the Cyber Resilience Act are frequently confused, and the difference between them has direct consequences for how a company prioritizes its compliance work: NIS2 applies to organizations operating critical infrastructure; the CRA applies to the products those organizations, and millions of others, put on the market.
What Schrems demonstrated
The lesson of the Schrems cases is that the EU enforces its rules against foreign companies when given the tools and the political will to do so. GDPR gave it both. The CRA gives it both again, in a domain that affects a far broader range of industries than data privacy ever did.
Any US company with a connected product in the EU market, whether it manufactures IoT devices, industrial sensors, routers, or software with a network interface, is already in scope. The clock is running, and September 2026 is closer than most compliance timelines allow for.
Photo source: https://commons.wikimedia.org/wiki/File:Max_Schrems_2016_b.jpg
Get your story featured on Betterauds.com! You can submit your article here