---
url: https://eurocomply.app/regulations/cra
canonical: https://eurocomply.app/regulations/cra
title: Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act) — EuroComply
shortName: CRA
alternateNames: [Cyber Resilience Act]
regulationNumber: (EU) 2024/2847
celex: 32024R2847
instrumentType: regulation
status: phased
inForceDate: 2024-12-10
applicationDate: 2027-12-11
extraterritorialReach: true
sourceUrl: https://eur-lex.europa.eu/eli/reg/2024/2847/oj
officialJournalRef: OJ L, 20.11.2024
lastReviewed: 2026-05-12
author: EuroComply Team
license: CC-BY-4.0
---

# Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the EU's horizontal cybersecurity law for products with digital elements. It introduces mandatory cybersecurity requirements covering design, development, vulnerability handling, and the security of the product across its supported lifetime. Most software and hardware products with a digital component placed on the EU market are in scope.

## Who does CRA apply to?

The CRA applies to any 'product with digital elements' — hardware or software — placed on the EU market whose intended or reasonably foreseeable use includes a direct or indirect data connection to another device or network. A small set of products is excluded (e.g. medical devices already covered by MDR/IVDR, motor vehicles, aviation, military equipment).

- Hardware products with digital elements (e.g. connected appliances, industrial controllers)
- Standalone and embedded software products placed on the EU market
- Two heightened risk categories — 'important' and 'critical' — with stricter conformity-assessment routes
- Excluded: products already covered by equivalent sectoral rules (MDR, IVDR, type-approval for vehicles, civil aviation, defence, national security)

*Source: CRA Article 2 (Scope).*

## What are the penalties for CRA non-compliance?

The CRA's penalty tiers track the nature of the breach. The highest tier targets failure to comply with the essential cybersecurity requirements; a middle tier covers other obligations; a lower tier covers incorrect or misleading information.

**Maximum fine:** Up to €15 million or 2.5% of global annual turnover, whichever is higher

*Source: CRA Article 64 (Administrative fines).*

**Tier detail:**

- Essential cybersecurity requirements (Annex I) and obligations of manufacturers (Articles 13, 14): €15M or 2.5% of global turnover (max) — Article 64(2)
- Other obligations under the Regulation: €10M or 2% of global turnover (max) — Article 64(3)
- Supplying incorrect/misleading information to notified bodies and market surveillance authorities: €5M or 1% of global turnover (max) — Article 64(4)

## When does CRA apply?

The CRA entered into force on 10 December 2024. Vulnerability and incident reporting obligations apply from 11 September 2026. The main body of substantive obligations applies from 11 December 2027.

*Source: CRA Article 71 (Entry into force and application).*

**Key dates:**

- 2024-12-10 — Entry into force (Article 71)
- 2026-09-11 — Vulnerability and incident reporting obligations apply (Article 14)
- 2027-12-11 — Main body of substantive obligations applies (Article 71)

## Key statistic

**5 years (or product lifetime)** — Minimum support period during which manufacturers must provide security updates for a product with digital elements, taking into account the expected lifetime of the product.

*Source: Regulation (EU) 2024/2847, Annex I, Part II.*

## Supervising authorities

- National market surveillance authorities *(member-state)*
- ENISA — European Union Agency for Cybersecurity *(EU)* — [https://www.enisa.europa.eu/](https://www.enisa.europa.eu/)
- Notified bodies (for conformity assessment of important and critical classes) *(designated)*

## Sector applicability

- All sectors with hardware or software products with digital connectivity, including consumer IoT, industrial control, application software, and operating systems

## Primary articles

- **Scope:** Article 2
- **Manufacturer obligations:** Article 13
- **Vulnerability reporting:** Article 14
- **Essential requirements:** Annex I
- **Important products:** Annex III
- **Critical products:** Annex IV
- **Conformity assessment:** Articles 32 and 33
- **Penalties:** Article 64
- **Entry into force:** Article 71

## Source

Authoritative text: [(EU) 2024/2847 — EUR-Lex](https://eur-lex.europa.eu/eli/reg/2024/2847/oj) (OJ L, 20.11.2024).

---

Informational only. Not legal advice — consult qualified legal counsel for your specific situation.

Last reviewed: 2026-05-12 by the EuroComply Team. License: CC-BY-4.0.
