
What Is the Cyber Resilience Act? A Complete Guide

The EU Cyber Resilience Act (Regulation 2024/2847) introduces mandatory cybersecurity requirements for all products with digital elements sold in the EU. This guide explains who it affects, what it requires, and when you need to comply.

CRAReady Team

What Is the Cyber Resilience Act?

The EU Cyber Resilience Act (CRA), formally known as Regulation (EU) 2024/2847, is landmark legislation that introduces mandatory cybersecurity requirements for any product with digital elements (PDE) placed on the EU market. It entered into force on 11 December 2024, with compliance obligations phased in over the following three years.

The CRA was driven by a stark reality: the majority of cybersecurity incidents exploit known vulnerabilities in products that were never designed with security in mind. The EU Commission estimated that cybercrime costs the global economy over €5.5 trillion annually, and that many of those incidents could have been prevented had manufacturers applied basic security hygiene during development.

Who Does the CRA Apply To?

The CRA applies to manufacturers — any organisation that places a product with digital elements on the EU market under their own name or trademark. This includes:

  • Hardware manufacturers (routers, IoT sensors, smart home devices, industrial PLCs)
  • Software developers (applications, operating systems, firmware)
  • Companies selling SaaS platforms bundled with client software
  • Foreign manufacturers selling into the EU

Importers and distributors also carry obligations — they must verify CE marking and refuse to place non-compliant products on the market.

What Is a "Product with Digital Elements"?

A PDE is any hardware or software product that has a direct or indirect logical or physical data connection to another device or network. This broad definition deliberately captures:

  • Consumer IoT devices (smart speakers, connected appliances, wearables)
  • Network infrastructure (routers, switches, firewalls, VPNs)
  • Industrial control systems and SCADA components
  • Desktop and mobile software applications
  • Operating systems and hypervisors

Pure SaaS delivered without a downloadable client component is generally considered out of scope, though remote processing that is essential for a PDE's function is covered.

Key Compliance Dates

Date          Obligation
11 Dec 2024   CRA entered into force
11 Sep 2026   Article 14 vulnerability and incident reporting begins
11 Dec 2027   Full compliance — CE marking, technical file, DoC required

The Core Obligations

The CRA creates obligations across four main areas:

1. Essential Cybersecurity Requirements (Annex I)
Products must be delivered without known exploitable vulnerabilities and designed with secure defaults, access controls, encryption, data minimisation, and a minimal attack surface. Manufacturers must maintain these standards for the product's support period.

2. Vulnerability Management (Annex I, Part II)
Manufacturers must generate and maintain SBOMs, operate a coordinated vulnerability disclosure (CVD) programme, patch vulnerabilities without undue delay, and provide security updates for at least five years.

3. Incident Reporting (Article 14)
When a vulnerability in a product is being actively exploited, manufacturers must notify ENISA within 24 hours, submit a detailed report within 72 hours, and file a final report once the issue is resolved.

4. Conformity Assessment and Documentation
Manufacturers must conduct a conformity assessment, draw up a technical file, sign an EU Declaration of Conformity, and affix CE marking to their products before placing them on the EU market.

Product Classification

Not all products are treated equally. The CRA creates three risk categories:

  • Default products — the majority of in-scope products. Self-assessment (Module A) is sufficient.
  • Class I Important Products — higher-risk products (VPNs, password managers, network management software). Enhanced self-assessment or third-party review required.
  • Class II Important Products — highest risk (OS, industrial systems, security hardware). Mandatory third-party notified body assessment.

What Should You Do Now?

If you manufacture or distribute products with digital elements for the EU market, start by:

  1. Determining whether your products are in scope and what classification applies
  2. Conducting a gap analysis against Annex I requirements
  3. Generating an SBOM for each product
  4. Establishing a CVD policy and reporting channel
  5. Building the internal process for Article 14 incident reporting before September 2026
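Step 3 asks for an SBOM per product, and the Annex I obligation above is to generate and maintain it. The following is an added example, not CRAReady tooling and not prescribed by the CRA itself, showing what a minimal machine-readable SBOM looks like and the checks a manufacturer can run over it before it goes into the technical file. The field names follow the CycloneDX 1.5 JSON format; the product name, component inventory and artifact bytes are constructed sample data, and the validation rules (package URL present, SHA-256 hash present and well-formed, no duplicate components) are this example's own choice of minimum completeness, not a CRA-mandated list.

```python
"""Build and sanity-check a minimal CycloneDX 1.5 SBOM for one product release.

Added example for this guide; the inventory below is constructed sample data.
"""
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# Package URL shape (pkg:type/name@version) and a 64-hex-char SHA-256 digest.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@\s]+@[^\s]+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """Digest of a built artifact; here computed over constructed bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample inventory. In a real build the hash is taken over the
# actual package file that ships in the product.
SAMPLE_COMPONENTS = [
    {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2",
     "sha256": sha256_hex(b"libfoo-1.4.2 (constructed artifact)")},
    {"name": "jsonparse", "version": "2.0.0", "purl": "pkg:npm/jsonparse@2.0.0",
     "sha256": sha256_hex(b"jsonparse-2.0.0 (constructed artifact)")},
]


def build_sbom(product_name: str, product_version: str, components: list) -> dict:
    """Assemble a CycloneDX 1.5 document describing one product release."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": product_name,
                          "version": product_version},
        },
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "purl": c["purl"],
             "hashes": [{"alg": "SHA-256", "content": c["sha256"]}]}
            for c in components
        ],
    }


def validate_sbom(sbom: dict) -> list:
    """Return a list of completeness problems; an empty list means it passed."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX" or sbom.get("specVersion") != "1.5":
        problems.append("bomFormat/specVersion are not CycloneDX 1.5")
    meta = sbom.get("metadata", {}).get("component", {})
    if not meta.get("name") or not meta.get("version"):
        problems.append("metadata.component must name the product and its version")
    components = sbom.get("components", [])
    if not components:
        problems.append("components list is empty")
    seen = set()
    for i, c in enumerate(components):
        label = c.get("purl") or c.get("name") or f"component[{i}]"
        for field in ("name", "version", "purl"):
            if not c.get(field):
                problems.append(f"{label}: missing {field}")
        purl = c.get("purl")
        if purl and not PURL_RE.match(purl):
            problems.append(f"{label}: purl is not well-formed")
        digests = [h.get("content", "") for h in c.get("hashes", [])
                   if h.get("alg") == "SHA-256"]
        if not digests:
            problems.append(f"{label}: no SHA-256 hash")
        elif not all(SHA256_RE.match(d) for d in digests):
            problems.append(f"{label}: SHA-256 hash is not 64 hex characters")
        if purl:
            if purl in seen:
                problems.append(f"{label}: listed more than once")
            seen.add(purl)
    return problems


if __name__ == "__main__":
    sbom = build_sbom("ExampleGateway", "4.1.0", SAMPLE_COMPONENTS)
    print(json.dumps(sbom, indent=2))
    print("problems:", validate_sbom(sbom) or "none")
```

Running the module prints the generated document and an empty problem list; feeding it a component with a truncated hash or a duplicate entry produces a named problem for that component, which is the kind of check worth wiring into the release pipeline so the SBOM in the technical file matches what actually shipped.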

The December 2027 deadline sounds distant, but the conformity assessment, technical file, and DoC preparation process is time-intensive. Starting now gives you the runway to do it properly.
