Knowledge Base
CRA Compliance Resources
Everything you need to understand and implement EU Cyber Resilience Act compliance — from Annex I checklists to incident reporting workflows and SBOM requirements.
Compliance Guides
In-depth guidance on every major CRA obligation — written for technical and compliance teams.
CRA Annex I Checklist
All 21 essential cybersecurity requirements from Part I and Part II of Annex I — annotated and actionable.
Incident Reporting Guide
Step-by-step Article 14 reporting: early warning (24h), detailed report (72h), and final report obligations.
SBOM Requirements
What the CRA requires for Software Bills of Materials — formats (SPDX, CycloneDX), depth, and maintenance.
Vulnerability Disclosure
Setting up a CVD programme to meet Article 15 obligations — policies, timelines, and coordination with ENISA.
Declaration of Conformity
Article 30 explained: what fields the EU DoC must contain, who signs it, and how to maintain it.
CRA Glossary
30+ key terms defined: PDE, SBOM, CSAF, CVD, Notified Body, Market Surveillance Authority, and more.
CRA Regulation Guides
Deep-dive explainers covering the regulatory framework — classification, conformity routes, exemptions, and deadlines.
Full CRA Guide
Complete overview of Regulation 2024/2847 — scope, requirements, timeline, penalties, and how to comply.
Compliance Roadmap
Eight-step programme from applicability assessment to CE marking — with time estimates for each phase.
Product Classification
How to determine whether your product is Default, Class I, Class II, or Critical — and what that means.
CRA Exemptions
Medical devices, civil aviation, motor vehicles, OSS — which products are fully or partially out of scope.
CRA for UK Companies
Post-Brexit obligations for UK manufacturers selling into the EU, including Authorised Representative requirements.
Conformity Assessment
Module A, Module H, Notified Body, and EUCC — which certification route applies to your product class.
Technical Documentation
Annex VII requirements for the Technical File — what to include, how long to retain it, and common mistakes.
Timeline & Deadlines
Live countdown to the September 2026 reporting deadline and December 2027 full compliance date.
Latest from the Blog
Deep dives into CRA regulation, compliance strategy, and technical implementation.
Common Questions
Quick answers to the questions we hear most often.
When does the Cyber Resilience Act come into full force?
The CRA (Regulation 2024/2847) entered into force on 11 December 2024. Vulnerability and incident reporting obligations under Article 14 apply from 11 September 2026. Full compliance — including essential cybersecurity requirements and CE marking — is required by 11 December 2027.
Which products are in scope for the CRA?
Any 'product with digital elements' (PDE) placed on the EU market — this includes both hardware and software with a direct or indirect logical data connection. Consumer IoT devices, industrial control systems, operating systems, routers, and connected medical devices are all in scope. Pure SaaS delivered without a physical product component is generally out of scope.
What are the penalties for non-compliance?
Fines can reach €15 million or 2.5% of global annual turnover (whichever is higher) for violations of essential cybersecurity requirements. Market surveillance authorities can also order product recalls or prohibit market access for non-compliant products.
Ready to start your CRA compliance journey?
Run our free applicability assessment to understand your product classification and conformity route — no account required.