
Cyber Resilience Act Summary: Key Facts at a Glance

A compact summary of the EU Cyber Resilience Act – objectives, scope, core obligations, deadlines, and penalties. With references to the original documents.

October 10, 2025
Think Ahead Team

The Cyber Resilience Act (CRA) is the first EU-wide regulation establishing mandatory cybersecurity requirements for all products with digital elements. This article summarizes the essential contents of the regulation and references the original documents for manufacturers who want to dive deeper.

Background and Objectives

The EU Commission presented the CRA draft in September 2022. After negotiations between the European Parliament and Council, the final version was adopted in October 2024 and published in the Official Journal of the European Union on November 20, 2024 (Regulation (EU) 2024/2847).

The CRA pursues two central objectives: First, to ensure that products with digital elements sold on the EU market meet fundamental cybersecurity requirements. Second, to create the conditions for users to make informed purchasing decisions regarding the cybersecurity of products.

The context: Until now, there was no uniform EU regulation establishing cybersecurity as a prerequisite for placing digital products on the market. The result was products with known security vulnerabilities, missing update mechanisms, and inadequate vulnerability management. The CRA closes this gap.

Scope

The CRA applies to all products with digital elements made available on the EU market. This includes hardware with embedded software, pure software products, and remote data processing solutions required for a product's core function.

Exempt are products already covered by sector-specific EU regulations: medical devices (MDR/IVDR), vehicles (type-approval regulation), aviation, and defense. Open-source software is generally exempt unless commercially distributed.

A detailed breakdown is available in our article on the CRA scope.

Core Obligations for Manufacturers

The CRA requirements can be organized into four areas.

Security by design. Products must be designed to be secure from the ground up. This includes secure default settings, no identical default passwords, encrypted communication, access controls, and data minimization. Security measures must be based on a documented risk assessment.

SBOM obligation. Manufacturers must create and maintain a complete Software Bill of Materials (SBOM) for every product. The SBOM documents all software components and their versions and forms the basis for vulnerability management. More in our SBOM guide.

Vulnerability management. Manufacturers must identify, assess, and remediate vulnerabilities throughout the product's entire support period. Security updates must be provided free of charge. A coordinated vulnerability disclosure policy must be published. Details in our article on vulnerability management.

Conformity assessment and CE marking. Depending on the product category, manufacturers must conduct a self-assessment or involve a notified body. After successful assessment, CE marking is affixed and an EU declaration of conformity is created. The process is described in detail in our article on conformity assessment.

Product Classification

The CRA distinguishes three categories: standard products (self-assessment sufficient), important products Class I (self-assessment when harmonized standards are applied, otherwise notified body), and important products Class II plus critical products (notified body required). The product lists are defined in Annexes III and IV of the regulation.

Affected Industries

The CRA affects manufacturers across all industries – from IoT and consumer products through industrial automation and embedded systems to smart home and consumer electronics, telecommunications equipment, and software and SaaS providers. Manufacturers outside the EU, such as from Switzerland, are also affected when exporting to the EU market.

Deadlines

The CRA regulation entered into force on December 10, 2024. The following deadlines are relevant for manufacturers: From September 11, 2026, the obligation to report actively exploited vulnerabilities takes effect (24-hour deadline to ENISA). From December 11, 2027, all newly placed products must be fully CRA-compliant.

Penalties

For violations of the essential security requirements, fines of up to 15 million euros or 2.5 percent of global annual turnover apply. For other violations, fines up to 10 million euros or 2 percent apply. Additionally, market surveillance authorities can order product recalls and market bans. Details on CRA penalties can be found in our separate article.

Original Documents and Further Sources

For the complete regulation text, we refer to official sources. The final Regulation (EU) 2024/2847 is available on the EU's EUR-Lex portal at: https://eur-lex.europa.eu/eli/reg/2024/2847/oj – there you can find the complete regulation text in all EU official languages, including all annexes with product lists and essential requirements.

The EU Commission also provides an information page on the CRA with FAQ and supplementary materials. ENISA offers technical implementation guides, and the European standardization organizations CEN and CENELEC are developing harmonized standards.

Next Steps

The CRA affects most manufacturers of digital products. If you are unsure whether and how it applies to your products, now is the right time for a stocktake.

Our free CRA readiness assessment evaluates your current status and shows you concretely which steps come next – from product classification through SBOM creation to conformity assessment.
