What Is the Cyber Resilience Act? A Guide for Product Manufacturers
The CRA (Regulation 2024/2847) introduces mandatory cybersecurity requirements for all products with digital elements sold in the EU. Reporting obligations apply from September 2026; full enforcement from December 2027.
The Cyber Resilience Act (Regulation 2024/2847) entered into force on 10 December 2024. It introduces mandatory cybersecurity requirements for all products with digital elements placed on the EU market — whether hardware with embedded software, standalone software, or connected devices.
For the first time, manufacturers and software vendors must demonstrate cybersecurity compliance as a condition of CE marking. The CRA closes a significant gap in EU law: while GDPR protects data and NIS2 protects critical infrastructure operators, neither directly regulated the security of the products themselves.
Reporting Timeline
- 11 September 2026: Vulnerability and incident reporting obligations apply
- 11 December 2027: All remaining CRA obligations apply (essential requirements, conformity assessments, CE marking)
Scope: What Products Does the CRA Cover?
The CRA applies to any product with digital elements — defined as any software or hardware product and its remote data processing solutions, where the product is intended for direct or indirect logical or physical data connections to a device or network.
This is intentionally broad. It covers:
- Consumer IoT devices (smart speakers, connected appliances, wearables)
- Industrial IoT and operational technology components
- Network equipment (routers, switches, firewalls)
- Operating systems, desktop and mobile applications
- Software-as-a-service components that process data locally
- Microcontrollers and microprocessors with network connectivity
Exclusions — products already covered by sector-specific EU cybersecurity regulation are excluded to avoid duplication:
- Medical devices (MDR/IVDR)
- Motor vehicles (type-approval regulation)
- Aviation equipment (EASA regulations)
- Military and national security products
Product Classification
The CRA uses a four-class system based on criticality. Class determines the conformity assessment route required.
| Class | Examples | Conformity Assessment |
|-------|----------|-----------------------|
| Default (most products) | Consumer electronics, generic apps, smart home devices | Self-assessment against Annex I |
| Important — Class I | Password managers, VPNs, browsers, network management tools, microcontrollers, firewalls | Self-assessment (if harmonised standard applied) or third-party |
| Important — Class II | OS for servers/desktops/mobile, industrial automation systems, smart meters, routers for industrial use | Mandatory third-party assessment |
| Critical (hardware security components) | Hardware security modules (HSMs), smart card ICs, secure elements, TPMs | Mandatory third-party assessment + EU type-examination |
Manufacturers are responsible for correctly classifying their products. Incorrect classification resulting in under-assessment is a CRA violation.
Essential Cybersecurity Requirements (Annex I)
All products with digital elements must meet Part I requirements throughout their lifecycle, from design through end of support:
- Secure by default — shipped with security-enhancing configuration enabled; no unnecessary ports open, no generic credentials
- No known exploitable vulnerabilities at the time of placing on the market
- Minimal attack surface — only necessary components, functions, and interfaces active
- Access control — mechanisms to protect against unauthorised access
- Data protection — confidentiality and integrity of personal and sensitive data in transit and at rest
- Integrity — mechanisms to verify software/firmware integrity and protect against tampering
- Resilience — ability to function despite denial-of-service events
- Availability — critical functions maintained or gracefully degraded during disruption
- Incident logging — sufficient logging to enable post-incident investigation
- Minimisation — data collected limited to what is necessary for intended functionality
Part II of Annex I covers vulnerability handling obligations: manufacturers must establish a coordinated disclosure policy, act on disclosed vulnerabilities, distribute security updates, and communicate end-of-support dates.
Vulnerability Handling and Reporting
From 11 September 2026, manufacturers must:
- Report actively exploited vulnerabilities to ENISA and the relevant national CSIRT within 24 hours of becoming aware
- Report severe security incidents with impact on the security of the product within 24 hours to ENISA/CSIRT
- Provide a preliminary report within 72 hours
- Provide a final report no later than 14 days after awareness of the vulnerability
ENISA will operate a single reporting platform. Manufacturers outside the EU must designate an EU-based authorised representative responsible for compliance obligations.
Security updates must be made available free of charge for the support period. The minimum support period for most products is 5 years (or the expected product lifetime if shorter). Manufacturers must clearly communicate end-of-support dates.
Conformity Assessment and CE Marking
CRA compliance is a prerequisite for the CE marking required to place products on the EU market.
The conformity assessment route depends on product class:
- Default products: Self-assessment. Manufacturer draws up an EU Declaration of Conformity and affixes CE marking.
- Class I Important: Self-assessment where a harmonised standard is applied in full; otherwise, third-party assessment by a notified body.
- Class II Important: Mandatory third-party conformity assessment by a notified body (EU-type examination or quality management assessment).
- Critical: EU-type examination by a notified body, plus ongoing production quality assessment.
Technical documentation must be maintained for 10 years after placement on the market and made available to market surveillance authorities on request.
Fines
Market surveillance authorities can impose administrative penalties:
| Violation | Maximum Fine |
|-----------|--------------|
| Non-compliance with essential cybersecurity requirements (Annex I) | €15M or 2.5% of global annual turnover |
| Non-compliance with other CRA obligations | €10M or 2% of global annual turnover |
| Providing incorrect/incomplete information to authorities | €5M or 1% of global annual turnover |
The higher of the two figures applies. For large technology companies, the turnover-based cap is the binding constraint.
Practical Four-Step Checklist for Manufacturers and Software Vendors
- Classify your products — work through the Annex III and Annex IV lists to determine whether any of your products qualify as Important Class I/II or Critical; document your classification rationale
- Audit against Annex I — for each product, map current security features against the essential requirements; identify gaps and assign remediation owners
- Establish vulnerability handling processes — build a coordinated vulnerability disclosure policy, a process for triaging reported vulnerabilities, a pipeline for distributing security updates, and a 24-hour reporting workflow for actively exploited vulnerabilities (required from September 2026)
- Plan conformity assessment — if you have Class I or higher products, identify notified bodies and initiate assessment early; CE marking must be in place by December 2027
Last updated: April 2026. For informational purposes only — not legal advice.
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
For informational purposes only. Consult qualified legal counsel.