
What Is the EU Cyber Resilience Act? A Plain-English Guide for Product Teams

The EU Cyber Resilience Act mandates cybersecurity requirements for all connected products sold in the EU. Here is what every product team needs to know.

CRAReady Team

What Is the EU Cyber Resilience Act?

The EU Cyber Resilience Act (CRA), formally Regulation (EU) 2024/2847, is landmark EU legislation that introduces mandatory cybersecurity requirements for any product with digital elements (PDE) placed on the EU market. It entered into force on 11 December 2024 and phases in obligations over three years.

The regulation was driven by a stark reality: the majority of cybersecurity incidents exploit known vulnerabilities in products that were shipped without adequate security. The EU Commission estimated that cybercrime costs the global economy over EUR 5.5 trillion annually.

Who Does It Apply To?

The CRA applies to manufacturers placing products with digital elements on the EU market: hardware manufacturers (routers, IoT sensors, smart home devices, industrial PLCs), software developers (applications, operating systems, firmware), companies selling SaaS platforms bundled with a client-side component, and manufacturers based outside the EU that sell into the EU market.

What Is a Product with Digital Elements?

A PDE is any hardware or software product that has a direct or indirect data connection to another device or network. Consumer IoT devices, network infrastructure, industrial control systems, desktop and mobile applications, and operating systems are all in scope. Pure SaaS without a downloadable client is generally out of scope.

Key Compliance Dates

11 Dec 2024: CRA entered into force.
11 Sep 2026: Article 14 vulnerability and incident reporting obligations begin.
11 Dec 2027: Full compliance required: CE marking, technical file, EU Declaration of Conformity (DoC).

The Core Obligations

Essential Cybersecurity Requirements (Annex I): Products must be designed with no known exploitable vulnerabilities, secure defaults, access controls, encryption, and minimal attack surface.

Vulnerability Management (Annex I Part II): Generate and maintain SBOMs, operate a coordinated vulnerability disclosure (CVD) programme, and provide security updates for at least five years.

Incident Reporting (Article 14): Notify ENISA within 24 hours of becoming aware that a vulnerability is being actively exploited, provide a detailed report within 72 hours, and submit a final report once the vulnerability is resolved.

Conformity Assessment: Compile a technical file, sign an EU Declaration of Conformity, and affix CE marking.

What Should Product Teams Do Now?

1. Determine scope and risk classification.
2. Conduct a gap analysis against Annex I requirements.
3. Generate SBOMs for each in-scope product.
4. Establish a CVD policy and reporting channel.
5. Build your Article 14 incident response process before September 2026.
