
Cyber Resilience Act Requirements: Complete Overview for Manufacturers

All CRA requirements at a glance – from security by design through SBOM obligations to reporting duties. The complete overview with links to detailed guidance for each requirement.

December 10, 2025
5 min read
Think Ahead Team

The Cyber Resilience Act (CRA) establishes comprehensive requirements for manufacturers of digital products. This article provides a structured overview of all essential obligations – organized into product requirements, process requirements, and documentation duties. Use it as a starting point and checklist for your CRA implementation.

Product Security Requirements (Annex I, Part I)

The essential security requirements define what a product must technically fulfill before being distributed on the EU market. They apply to all products within the CRA scope.

Risk-based approach. All security measures must be based on a risk assessment that considers the product, its intended use, and the foreseeable usage environment. The risk assessment must be documented and updated upon substantial changes.

No known exploitable vulnerabilities. Products must not ship with known, exploitable vulnerabilities. While this sounds obvious, in practice it means manufacturers must conduct systematic vulnerability scans before every release and remediate identified vulnerabilities.

Secure default configuration. Products must be securely configured out of the box. This includes the prohibition of identical default passwords – every device must have a unique initial password or prompt the user to set one during first setup. Unnecessary interfaces and services must be disabled by default.

Protection against unauthorized access. Products must have appropriate access control mechanisms. Authentication, authorization, and identity management must meet the state of the art.

Confidentiality and integrity. Stored, transmitted, and processed data must be protected against unauthorized access and manipulation. The CRA requires appropriate encryption for communication and secure storage of cryptographic keys.

Data minimization. Products may only collect and process data necessary for their intended use. Many are already familiar with this principle from the GDPR – the CRA now anchors it as a product requirement.

Availability and resilience. Products must be designed so that essential functions can be maintained or restored even during a cyberattack or disruption. Denial-of-service attacks must be mitigable.

Minimizing negative impact. Products must be designed so that, in case of compromise, they have minimal impact on other devices and networks. The attack surface must be minimized.

Update Requirements

Secure update mechanisms. Every product must have a mechanism enabling security updates. Updates must be transmitted encrypted and signed to prevent tampering. After an update, the current SBOM must be retrievable.

Automatic updates. Where technically feasible, updates should be applied automatically. Users must have the ability to configure automatic updates and must be informed about available security updates.

Free security updates. Security updates must be provided free of charge throughout the entire support period. The support period must be at least five years or match the expected product lifetime – whichever is shorter.

Detailed requirements for update mechanisms, particularly for embedded systems and IoT devices, can be found in our industry-specific articles.

Vulnerability Management Obligations (Annex I, Part II)

The CRA requires manufacturers to maintain systematic vulnerability management throughout the entire support period.

Identification and documentation. Manufacturers must systematically identify and document vulnerabilities in their products. This requires an up-to-date SBOM and automated monitoring against vulnerability databases.
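Matching the SBOM against an advisory feed is the mechanical core of the monitoring obligation described above. The Python below is an added example, not code from the original article or from Think Ahead; it uses a constructed CycloneDX-style SBOM and a constructed OSV-like advisory list with placeholder ids (not real CVEs), and assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"name": "mbedtls", "version": "3.6.0", "purl": "pkg:generic/mbedtls@3.6.0"},
    {"name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"}
  ]
}"""

# Constructed advisory feed in an OSV-like shape. Ids are placeholders, not real CVEs.
# "fixed": None means no fixed version is known yet (every version from "introduced" on is affected).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "pkg:generic/zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-PLACEHOLDER-2", "package": "pkg:generic/busybox", "introduced": "1.30.0", "fixed": "1.36.0"},
    {"id": "ADV-PLACEHOLDER-3", "package": "pkg:generic/mbedtls", "introduced": "3.0.0", "fixed": None},
]


def parse_version(v):
    """Assumption: versions are dotted integers; real tooling needs ecosystem-specific semantics."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl):
    """Split 'pkg:generic/zlib@1.2.11' into ('pkg:generic/zlib', '1.2.11')."""
    base, _, ver = purl.partition("@")
    return base, ver


def is_affected(version, introduced, fixed):
    """Affected if introduced <= version < fixed (half-open range, as OSV uses)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """Return (component, version, advisory id) for every SBOM component in an affected range."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, ver = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == base and is_affected(ver, adv["introduced"], adv["fixed"]):
                findings.append((comp["name"], ver, adv["id"]))
    return findings
```

Re-running this match whenever either the SBOM or the advisory feed changes is what keeps the "identification" step continuous rather than a one-off scan at release time.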

Timely remediation. Identified vulnerabilities must be addressed without undue delay. Security updates must be provided promptly.

Reporting obligation from September 2026. Actively exploited vulnerabilities must be reported to ENISA within 24 hours. A detailed report must follow within 72 hours.

Coordinated disclosure. Manufacturers must publish a coordinated vulnerability disclosure policy and provide a contact channel for security researchers.

Regular testing. Products must be regularly tested for security – including third-party software components.

Documentation Obligations

Technical documentation is a central component of CRA compliance and must be available for inspection by market surveillance authorities.

Technical documentation. This encompasses a general product description, the security architecture, the risk assessment, applied harmonized standards, test results, and evidence that essential requirements are met.

SBOM (Software Bill of Materials). A complete, machine-readable inventory of all software components in the product. The SBOM must be updated with each product version. Details on creation can be found in our SBOM guide.

EU declaration of conformity. A formal document confirming conformity with the CRA. It must contain the manufacturer name, product identification, and applied standards. More in our article on conformity assessment.

User information. Manufacturers must provide users with clear information: the manufacturer name and contact details, the support period and the date when security updates end, instructions for secure installation and use, and information about known vulnerabilities and available updates.

Supply Chain Obligations

The CRA addresses not only manufacturers but the entire supply chain.

Importers must verify before import that the product meets CRA requirements, that technical documentation is available, and that CE marking has been affixed. They must provide their contact details on the product or packaging.

Distributors must verify that CE marking and required accompanying documents are present. They must ensure storage conditions do not affect conformity.

For Swiss manufacturers and other third-country manufacturers, the additional obligation to appoint an EU authorized representative applies.

Timelines and Prioritization

Not all requirements take effect simultaneously. The vulnerability reporting obligation applies from September 2026 – this should be your first priority. Full product conformity is required from December 2027.

For prioritization, we recommend starting with risk assessment and SBOM creation, building vulnerability management in parallel, and then working on technical documentation and conformity assessment.

Our free CRA readiness assessment gives you a quick overview of which requirements you already meet and where the largest gaps exist. In just a few minutes, you will have a concrete roadmap for your CRA implementation.
