Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is the EU regulation that sets horizontal cybersecurity requirements for all products with digital elements. The regulation obliges manufacturers, importers and distributors to ensure that products are designed, developed and maintained with cybersecurity as an integral part of the entire lifecycle.
Background and purpose
Products with digital elements have historically been regulated unevenly across the EU. Software has in many cases not been subject to security requirements at all, and consumers have had difficulty assessing whether a product was secure. The CRA fundamentally changes this.
The European Commission proposed the regulation in September 2022; it was adopted in 2024 as Regulation (EU) 2024/2847 and entered into force on 10 December 2024. The objective is clear: to reduce the number of vulnerabilities in products with digital elements and to ensure that manufacturers take responsibility for cybersecurity throughout the product's support period.
CRA is a regulation, not a directive. The rules therefore apply directly in all EU Member States without national transposition. For a manufacturer, importer or distributor there is one unified set of rules to comply with across the whole internal market.
Essential requirements in CRA
CRA is built on two pillars of requirements, defined in Annex I of the regulation:
Security requirements for the product (Annex I, Part I): Products must be designed, developed and produced with security by design. In practice this means protecting the confidentiality and integrity of stored and transmitted data (for example by encryption where relevant), minimising the attack surface, shipping with a secure default configuration, protecting against unauthorised access, and limiting the impact of a compromise. The product must be made available without known exploitable vulnerabilities and must be able to receive security updates.
Vulnerability handling requirements (Annex I, Part II): The manufacturer must establish a process for identifying, documenting and remediating vulnerabilities for the whole support period, which must be at least five years unless the product's expected lifetime is shorter. Security updates must be provided free of charge throughout that period. Actively exploited vulnerabilities, and severe incidents affecting the security of the product, must be reported via the single reporting platform to the designated CSIRT and ENISA: an early warning within 24 hours of the manufacturer becoming aware, a more detailed notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure becoming available.
The manufacturer must draw up a Software Bill of Materials (SBOM) covering at least the product's top-level dependencies and must keep the technical documentation for at least ten years after the product is placed on the market or for the support period, whichever is longer. The CE marking may only be affixed once a conformity assessment has shown that the requirements are met; for most ("default") products the manufacturer self-assesses, whereas "important" and "critical" products listed in the annexes face stricter routes, up to assessment by a notified body.
Who is covered?
CRA has a broad scope. All economic operators in the supply chain have obligations:
- Manufacturers bear the primary responsibility. They must ensure the product complies with all essential requirements, carry out the conformity assessment and provide security updates.
- Importers must verify that the manufacturer has fulfilled its obligations and that the product bears CE marking.
- Distributors must check that the product has the necessary marking and documentation.
Certain products are excluded because they are already covered by sector-specific rules, including medical devices (regulated under MDR and IVDR), motor vehicles, civil aviation products and marine equipment, as well as products developed or modified exclusively for national security or defence purposes. Free and open-source software that is not made available in the course of a commercial activity is outside the scope; non-profit "open-source software stewards" are subject only to a light-touch regime.
Timelines and phased introduction
CRA entered into force on 10 December 2024 and is phased in over three stages:
- 11 June 2026: The provisions on notified bodies (Chapter IV) apply, so conformity assessment bodies can be notified.
- 11 September 2026: The reporting obligations in Article 14 apply. From this date, manufacturers must submit an early warning of actively exploited vulnerabilities and severe incidents within 24 hours of becoming aware of them.
- 11 December 2027: All other requirements apply in full. Products placed on the market from this date must be CE marked and the technical documentation must be in place.
Organisations that already run incident response, vulnerability management and logging processes have a head start. But even mature organisations should begin preparations now, since establishing an SBOM pipeline, a coordinated vulnerability disclosure process and the conformity assessment evidence takes time to reach the 2027 deadline.
Interplay with other regulations
CRA does not exist in a vacuum. The regulation supplements and overlaps with several other EU regulations:
The NIS2 Directive sets requirements for organisations' cybersecurity, whilst CRA regulates products. The two frameworks complement each other: an organisation purchasing CRA-compliant products will find it easier to meet NIS2 supply chain requirements.
DORA regulates cybersecurity in the financial sector and sets requirements for ICT third-party providers. Products used in financial institutions must comply with both CRA and DORA requirements.
GDPR sets requirements for the protection of personal data. CRA's requirements for security by design and data minimisation support GDPR's principles of data protection by design.
Frequently Asked Questions about Cyber Resilience Act (CRA)
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is an EU regulation that sets binding cybersecurity requirements for all products with digital elements. The regulation covers both hardware and software and requires manufacturers to secure their products throughout the entire lifecycle.
When does CRA enter into force?
CRA was adopted in 2024 and entered into force on 10 December 2024. The reporting obligation for actively exploited vulnerabilities applies from 11 September 2026. The remaining requirements, including CE marking, apply from 11 December 2027.
Who is covered by CRA?
CRA covers all parties placing products with digital elements on the EU market: manufacturers, importers and distributors. This applies to both EU-based organisations and those outside the EU selling to European customers.
What is the difference between CRA and NIS2?
CRA regulates products, whilst NIS2 regulates organisations. CRA sets requirements for manufacturers of digital products regarding security by design and vulnerability handling. NIS2 sets requirements for operators of essential and important services regarding their internal cybersecurity.
What fines can be imposed under CRA?
The highest fines are up to EUR 15 million or 2.5% of global annual turnover, whichever is higher, for breaching the essential requirements in Annex I or the manufacturer's core obligations, including the reporting obligations. Breaches of other obligations may result in fines of up to EUR 10 million or 2% of turnover, and supplying incorrect, incomplete or misleading information to notified bodies or authorities may be fined up to EUR 5 million or 1% of turnover.
Related Terms
Product with Digital Elements
Any software or hardware product, including its remote data processing solutions, whose intended purpose or reasonably foreseeable use includes a direct or indirect data connection to a device or network, as defined by the Cyber Resilience Act.
Security by Design
A principle where cybersecurity is integrated into a product from the design phase rather than added subsequently. A binding requirement under the Cyber Resilience Act.
Software Bill of Materials (SBOM)
A formalised, machine-readable inventory of the software components, libraries and dependencies in a product. Under the Cyber Resilience Act the manufacturer must draw up an SBOM covering at least the product's top-level dependencies as part of the vulnerability handling requirements.
Info
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
.legal is not a law firm and is therefore not under the supervision of the Bar Council.