
Cyber Resilience Act (CRA)

Regulation (EU) 2024/2847, the Cyber Resilience Act, establishes mandatory cybersecurity requirements for products with digital elements sold in the European Union. It entered into force on 10 December 2024, with a phased application timeline: reporting obligations for actively exploited vulnerabilities apply from 11 September 2026, and the main product security requirements apply from 11 December 2027.

The CRA covers hardware and software products ranging from consumer IoT devices and industrial controllers to operating systems, routers, and connected appliances: essentially anything with digital components that can connect to a network or another device. The regulation distinguishes between default products, important products (Class I and Class II), and critical products. Default products can be self-assessed. Important products, those that play a significant role in cybersecurity risk, such as password managers, firewalls, network management systems, and microprocessors, face stricter requirements and, for Class II, mandatory third-party assessment.

The core obligations under Article 13 require manufacturers to perform a cybersecurity risk assessment, design products to be secure by default, minimise the attack surface, implement protection against unauthorised access, ensure data integrity and confidentiality, and keep products free of known exploitable vulnerabilities at the time they are placed on the market. Manufacturers must also provide security updates for the expected product lifecycle or at minimum five years, whichever is shorter.

For an EU SME that manufactures or imports connected products, the CRA creates obligations that flow through the entire product development lifecycle. You must document your risk assessment, maintain a software bill of materials (SBOM), notify ENISA and your national authority within 24 hours of becoming aware of an actively exploited vulnerability, and affix a CE mark only after completing the appropriate conformity assessment procedure. Importers and distributors also carry obligations to verify manufacturer compliance before placing products on the EU market.

Penalties for non-compliance reach €15 million or 2.5% of global annual turnover for violations of the essential cybersecurity requirements, and €10 million or 2% for other obligations. Market surveillance authorities can order product recalls, restrict market access, and require immediate patches. See the CRA compliance guide at eurocomply.app/regulations/cra
