
Cyber Resilience Act (CRA) — Complete Guide

Everything you need to know about EU Regulation 2024/2847

What is the Cyber Resilience Act?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is an EU regulation establishing mandatory cybersecurity requirements for products with digital elements placed on the EU market. Published on 20 November 2024 and entered into force on 10 December 2024, the CRA covers the entire product lifecycle — from design and development through end of support.

This is the first EU-wide horizontal cybersecurity regulation for products. It complements existing frameworks like the NIS-2 Directive, which focuses on the cybersecurity of essential and important entities, while the CRA targets the products themselves. Together, they form a comprehensive cybersecurity regulatory landscape covering both organizations and the products they develop or use.

Who is Affected?

The CRA applies to three categories of economic operators involved in bringing products with digital elements to the EU market:

  • Manufacturers — Companies that design, develop, or produce products with digital elements (hardware and software), whether or not the manufacturing is outsourced.
  • Importers — Entities that place products from third-country manufacturers onto the EU market. They must ensure the manufacturer has carried out the conformity assessment.
  • Distributors — Companies that make products available on the EU market without affecting the product's properties. They must verify CE marking and documentation.

Products covered include standalone software, firmware, IoT devices, network equipment, industrial control systems, and any hardware with embedded software.

Exclusions: Open-source software developed non-commercially, medical devices (covered by the MDR), aviation products (covered by EASA regulations), and motor vehicles (covered by type-approval regulations).

Product Categories

The CRA classifies products with digital elements into four categories, each with different conformity assessment requirements:

Category | Assessment | Examples
Default | Self-assessment (Module A) | Smart home devices, toys, consumer electronics
Important Class I (Annex III) | Harmonized standard self-assessment or EU-type examination | Browsers, password managers, VPNs, routers, operating systems
Important Class II (Annex IV) | EU-type examination required | Hypervisors, industrial firewalls, IACS, tamper-resistant microprocessors
Critical (Article 8) | European cybersecurity certification (EUCC) | Hardware security modules, smart cards, smart meter gateways

Key Requirements (Annex I)

Part I — Security Requirements

  • Security by design and by default
  • No known exploitable vulnerabilities at the time of placing on the market
  • Secure default configuration
  • Protection against unauthorized access
  • Confidentiality and integrity of data (stored, transmitted, and processed)
  • Availability and resilience of essential functions
  • Minimal data collection (data minimization)
  • Secure update mechanisms, including automatic security updates

Part II — Vulnerability Handling Requirements

  • Identification and documentation of vulnerabilities, including through third-party component tracking
  • Remediation without undue delay via free security updates
  • Coordinated vulnerability disclosure (CVD) policy with a public contact point
  • SBOM (Software Bill of Materials) creation and maintenance
  • Regular vulnerability testing, including fuzz testing and code review

SBOM Requirements

A Software Bill of Materials (SBOM) is a structured inventory of all software components, libraries, and dependencies included in a product. Think of it as a detailed "ingredient list" for software.

The CRA requires manufacturers to create and maintain an SBOM that documents, at minimum, the top-level dependencies of the product. The SBOM must be in a machine-readable format to enable automated vulnerability tracking and supply chain transparency.

Key benefits of SBOM compliance:

  • Vulnerability tracking — Quickly identify which products are affected when a new CVE is published for a dependency
  • Supply chain transparency — Full visibility into third-party components and their licensing
  • Faster incident response — Reduce time to remediation by knowing exactly which components are deployed where

Common machine-readable SBOM formats include CycloneDX and SPDX, both of which are widely adopted and supported by major tooling ecosystems.
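The automated vulnerability tracking described above, as an added example that is not part of this guide or the CS Compliance platform (it also illustrates the "Create your SBOM" step under How to Prepare): a small Python script parses CycloneDX-style JSON SBOMs for two products and checks each component against an advisory list, reporting which products ship an affected version. The SBOM contents, the product names, the advisory entries and the ids of the form ADV-EXAMPLE-000N are constructed placeholders, not real products or CVEs; only the CycloneDX field names (bomFormat, specVersion, metadata.component, components, purl) follow the real format.

```python
"""Match machine-readable SBOMs against a vulnerability advisory list.

Added example, not code from the guide or from CS Compliance. Everything
below except the CycloneDX field names is constructed for illustration.
"""
import json
import re

# Constructed CycloneDX 1.5 JSON document for a hypothetical router firmware.
ROUTER_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "firmware", "name": "example-router-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    {"type": "library", "name": "busybox", "version": "1.36.0", "purl": "pkg:generic/busybox@1.36.0"}
  ]
}
"""

# Constructed SBOM for a second hypothetical product that already ships the fixed OpenSSL.
CAMERA_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "firmware", "name": "example-camera-fw", "version": "1.4.2"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.9", "purl": "pkg:generic/openssl@3.0.9"},
    {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"}
  ]
}
"""

# Constructed advisory feed (placeholder ids, not real CVEs): each entry names a
# package and the first version that contains the fix; earlier versions are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "fixed_in": "3.0.8"},
    {"id": "ADV-EXAMPLE-0002", "package": "zlib", "fixed_in": "1.3.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "libpng", "fixed_in": "1.6.40"},
]


def parse_version(text):
    """Turn '3.0.7' into (3, 0, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def load_sbom(doc):
    """Parse a CycloneDX JSON string into (product metadata, list of components)."""
    bom = json.loads(doc)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    product = bom["metadata"]["component"]
    components = [{"name": c["name"], "version": c["version"], "purl": c.get("purl")}
                  for c in bom.get("components", [])]
    return product, components


def affected_components(doc, advisories):
    """Return {purl: [advisory ids]} for every component whose version predates a fix."""
    _, components = load_sbom(doc)
    hits = {}
    for adv in advisories:
        fixed = parse_version(adv["fixed_in"])
        for comp in components:
            if comp["name"] == adv["package"] and parse_version(comp["version"]) < fixed:
                hits.setdefault(comp["purl"], []).append(adv["id"])
    return hits


def affected_products(docs, advisories):
    """Across several SBOMs, return {product name: {purl: [advisory ids]}} for affected products only."""
    result = {}
    for doc in docs:
        product, _ = load_sbom(doc)
        hits = affected_components(doc, advisories)
        if hits:
            result[product["name"]] = hits
    return result


if __name__ == "__main__":
    for name, hits in affected_products([ROUTER_SBOM, CAMERA_SBOM], ADVISORIES).items():
        for purl, ids in hits.items():
            print(f"{name}: {purl} affected by {', '.join(ids)}")
```

The matching key is the component name plus a numeric version comparison; in production the purl (package URL) is the better key, since it disambiguates ecosystems and vendors that share a name. The same loop runs unchanged against an SPDX document once the package list has been extracted into the same name/version/purl shape.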

Timeline & Key Dates

10 December 2024

CRA enters into force. The regulation, published on 20 November 2024, takes legal effect and the transition periods begin.

11 June 2026

Conformity assessment bodies (notified bodies) can begin applying. Member states must have notified their designated bodies to the Commission.

11 September 2026

Vulnerability reporting obligations apply. Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours, including incident notifications and follow-up reports.

11 December 2027

Full enforcement. All essential requirements and conformity assessment obligations apply. Products must bear CE marking indicating CRA compliance before being placed on the market.

Conformity Assessment

The conformity assessment path depends on the product category. The following options are available:

Self-Assessment (Module A)

For default products. The manufacturer assesses conformity internally, prepares technical documentation, and issues the EU declaration of conformity.

Self-Assessment with Harmonized Standards (Module A+)

For Important Class I products, if relevant harmonized standards are fully applied. The manufacturer can perform self-assessment without a notified body.

EU-Type Examination (Module B+C)

For Important Class I (when harmonized standards are not fully applied) and Important Class II products. A notified body examines the technical design and issues an EU-type examination certificate.

European Cybersecurity Certification (EUCC)

For critical products. Certification under the EU cybersecurity certification framework established by the Cybersecurity Act (Regulation (EU) 2019/881).

Penalties for Non-Compliance

The CRA establishes significant penalties for non-compliance, enforced by member state market surveillance authorities:

Essential requirement violations

Up to €15 million or 2.5% of worldwide annual turnover, whichever is higher

Other obligation violations

Up to €10 million or 2% of worldwide annual turnover, whichever is higher

Incorrect or incomplete information

Up to €5 million or 1% of worldwide annual turnover, whichever is higher — applies to information provided to market surveillance authorities

How to Prepare

1. Classify your products

Determine whether each product falls under the Default, Important Class I, Important Class II, or Critical category. This determines your conformity assessment path and the level of scrutiny required.

2. Conduct a gap analysis

Compare your current cybersecurity practices against the Annex I essential requirements. Identify areas where your product design, development processes, or vulnerability handling fall short.

3. Create your SBOM

Document all software components and dependencies in a machine-readable format (CycloneDX or SPDX). Establish processes to keep the SBOM up to date as components change.

4. Implement vulnerability handling

Set up processes for vulnerability identification, reporting (including the 24-hour ENISA notification), coordinated disclosure, and timely patching with free security updates.

5. Prepare technical documentation

Document your conformity assessment evidence, test reports, risk assessments, and design decisions. This documentation must be maintained for 10 years after the product is placed on the market.

Start Your CRA Compliance Assessment

CS Compliance helps you classify products, track requirements, manage SBOMs, and prepare for conformity assessment — all in one platform.

Last updated: February 2026