Cyber Resilience Act (CRA)

Status: in force · Type: cybersecurity regulation · Adopted: 23 October 2024 · Applies from: 11 December 2027

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

The Cyber Resilience Act (CRA) lays down horizontal cybersecurity requirements for products with digital elements (hardware and software) made available on the EU market, covering the full product lifecycle. It requires manufacturers to design, develop and produce products with appropriate cybersecurity, to handle vulnerabilities and provide security updates throughout a defined support period, and to carry out conformity assessment and affix CE marking. It also introduces obligations for importers and distributors and establishes rules for reporting actively exploited vulnerabilities and severe incidents, submitted through a single reporting platform to ENISA and the national CSIRT designated as coordinator.

Who is affected?

Manufacturers of products with digital elements, as well as importers and distributors placing such products on the EU market. It affects a wide range of economic operators across consumer and industrial sectors (e.g., IoT devices, operating systems, network equipment, and industrial control systems).

Scope

Applies to products with digital elements made available on the EU market, setting essential cybersecurity requirements and related conformity assessment, documentation, vulnerability handling and reporting obligations across the supply chain.

Key Points

  • Essential cybersecurity requirements for products with digital elements, including security-by-design/default and protection against known exploitable vulnerabilities
  • Vulnerability handling obligations, including coordinated vulnerability disclosure processes and provision of security updates during the support period
  • Conformity assessment and technical documentation requirements; CE marking used to demonstrate compliance
  • Risk-based categorisation (“important” products in class I and class II, and “critical” products) with stricter conformity assessment routes for higher-risk categories
  • Obligations for importers and distributors to verify compliance before making products available on the market
  • Phased application, with earlier application of vulnerability reporting obligations and later full application of the main requirements

Key Deadlines

  • 11 September 2026 — Application of reporting obligations for actively exploited vulnerabilities and severe incidents to ENISA and the designated CSIRT
  • 11 December 2027 — Full application of the Cyber Resilience Act requirements

Frequently Asked Questions

Who must comply with the Cyber Resilience Act (CRA)?

Manufacturers, importers, and distributors of products with digital elements (hardware and software) made available on the EU market must comply with the CRA. This includes both consumer and industrial products, such as IoT devices, operating systems, and network equipment.

What types of products are covered by the CRA?

The CRA applies to products with digital elements, meaning hardware or software whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to another device or network. This covers a wide range of products, from smart home devices to industrial control systems. Products already governed by sector-specific EU cybersecurity rules (for example medical devices, motor vehicles, civil aviation and marine equipment) are excluded, as are products developed exclusively for national security or defence purposes.

What are the key cybersecurity obligations under the CRA?

Manufacturers must ensure products are designed, developed and produced with appropriate cybersecurity measures, including security-by-design and security-by-default, and must not place products on the market with known exploitable vulnerabilities. They must also handle vulnerabilities throughout the support period, provide security updates, and maintain a coordinated vulnerability disclosure process.

What are the obligations for importers and distributors?

Importers and distributors must verify that products comply with the CRA’s requirements before placing them on the EU market. They are also responsible for ensuring that the manufacturer has carried out the required conformity assessment and affixed the CE marking.

What is the conformity assessment process under the CRA?

Manufacturers must carry out a conformity assessment to demonstrate that their products meet the essential cybersecurity requirements. This includes preparing technical documentation and, for higher-risk products, may involve third-party assessment bodies.

How does the CRA address vulnerability handling and reporting?

Manufacturers must establish processes for coordinated vulnerability disclosure and provide security updates during the product’s support period. They are also required to report actively exploited vulnerabilities and severe incidents affecting product security: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report (within 14 days of a fix or mitigation becoming available for a vulnerability, or within one month of the incident notification for a severe incident).

What are the penalties for non-compliance with the CRA?

Non-compliance can result in administrative fines, product recalls or withdrawal from the EU market. The maximum fines are tiered: up to EUR 15 million or 2.5 % of worldwide annual turnover (whichever is higher) for breaches of the essential cybersecurity requirements or the core manufacturer obligations, up to EUR 10 million or 2 % for other obligations, and up to EUR 5 million or 1 % for supplying incorrect or misleading information to authorities. The exact penalty depends on the nature and severity of the infringement as determined by national market surveillance authorities.

When do the CRA requirements apply?

The CRA introduces a phased application: the vulnerability and incident reporting obligations apply from 11 September 2026, while the main cybersecurity requirements and conformity assessment obligations apply from 11 December 2027, as specified in the regulation’s transitional provisions.

How does the CRA interact with other EU cybersecurity regulations?

The CRA complements existing EU cybersecurity legislation, such as the NIS2 Directive and the Radio Equipment Directive, by introducing horizontal requirements for products with digital elements. Overlaps are addressed to avoid duplication and ensure consistency across the regulatory framework.

What practical steps should manufacturers take to comply with the CRA?

Manufacturers should implement security-by-design processes, conduct and document cybersecurity risk assessments, establish vulnerability handling procedures, maintain a software bill of materials (SBOM) covering at least top-level dependencies, prepare technical documentation, and ensure conformity assessment and CE marking. They should also train staff and coordinate with supply chain partners to meet CRA obligations.

Key Terms

Product with Digital Elements
Any hardware or software product that can be connected directly or indirectly to a device or network, subject to CRA requirements.
Security-by-Design
A principle requiring products to be designed and developed with cybersecurity features integrated from the outset.
Vulnerability Handling
Processes for identifying, managing, and mitigating security vulnerabilities throughout a product’s lifecycle.
Coordinated Vulnerability Disclosure
A structured process for reporting and addressing security vulnerabilities, involving cooperation between manufacturers, researchers, and authorities.
Conformity Assessment
The process by which manufacturers demonstrate that their products meet the CRA’s essential cybersecurity requirements, including technical documentation and, for some products, third-party evaluation.
CE Marking
A marking affixed to products to indicate conformity with EU requirements, including those under the CRA.
Support Period
The timeframe during which a manufacturer is obligated to provide security updates and vulnerability handling for a product; it must reflect the expected period of use and, unless a shorter use is expected, be at least five years.
ENISA
The European Union Agency for Cybersecurity, responsible for receiving reports of actively exploited vulnerabilities and severe incidents under the CRA.
Important Product
A category of products with digital elements (listed in Annex III and split into class I and class II) identified as higher risk and subject to stricter conformity assessment procedures under the CRA.
Technical Documentation
Comprehensive information prepared by manufacturers to demonstrate compliance with the CRA, including design, risk assessment, and cybersecurity measures.