A new era of digital security for products sold in the European Union
The CRA is the EU's answer to a growing global problem. It establishes mandatory cybersecurity requirements for all hardware and software products with digital elements.
The Cyber Resilience Act will ensure that connected products placed on the European market are secure by design.
— Thierry Breton, former EU Commissioner for Internal Market
The Cyber Resilience Act (CRA) is a landmark EU regulation establishing mandatory, horizontal cybersecurity requirements for all hardware and software products with digital elements. Its goal is to protect consumers and businesses by ensuring products are secure by design and throughout their entire lifecycle.
Global Impact
EUR 5.5 trillion: estimated global annual cost of cybercrime by 2021 (Source: Recital 2, Regulation (EU) 2024/2847).
The estimated global annual cost of cybercrime reached EUR 5.5 trillion by 2021. Connected products suffer from a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates.
— Regulation (EU) 2024/2847, Recital 2
The CRA applies to all 'economic operators' placing products on the EU market. While manufacturers bear the primary burden, importers and distributors have crucial verification roles.
Manufacturers: design, develop, and produce compliant products. They must carry out risk assessments, vulnerability management, and incident and vulnerability reporting.
Importers: verify manufacturer compliance (e.g., CE marking, technical documentation) before placing products on the EU market.
Distributors: ensure products carry the required markings and accompanying information before making them available to end users.
Most products fall under a default category where manufacturers self-assess their security compliance. More critical products require stricter, independent verification.
Default Products
Important & Critical Products
Take this quick assessment to find out if your product requires CRA compliance
Requirements
The CRA shifts the security paradigm from reactive fixes to proactive, lifecycle-long responsibility. These are the foundational requirements.
Products must be developed with security as a core component from the outset and ship with secure configurations enabled by default.
Manufacturers must have processes in place to handle vulnerabilities effectively for the product's expected support period (minimum 5 years), providing free and timely security updates.
Any actively exploited vulnerability or severe security incident must be reported to the appropriate EU authorities (such as ENISA) within 24 hours of the manufacturer becoming aware of it.
Clear documentation, including a Software Bill of Materials (SBOM) and user instructions on secure usage, must be provided.
Products must undergo a conformity assessment and bear the CE mark to demonstrate they meet CRA standards before being sold in the EU.
Products must include mechanisms to prevent unauthorized access, ensuring the confidentiality and integrity of data.
Timeline
10 December 2024: the Cyber Resilience Act officially enters into force, starting the clock for implementation.
11 September 2026: the 24-hour vulnerability and incident reporting obligations for manufacturers begin.
11 December 2027: full enforcement begins. All new products placed on the EU market must comply with all CRA requirements.
The regulation comes with significant financial penalties to ensure adherence and deter corner-cutting on security.
Of total worldwide annual turnover
Penalties are enforced at the national level
EU member states have the authority to impose these fines for non-compliance with the Cyber Resilience Act requirements.
The CRA explicitly accounts for the reality of smaller companies. Article 3(19) and Recital 5 establish targeted relief measures — but they are not distributed equally across all SME categories.
No fine exemption, no simplified documentation, no dedicated helpdesks, no priority sandbox access.
Important: these measures reduce the procedural burden, not the cybersecurity standard itself. All Annex I essential requirements apply regardless of company size.
The CRA applies to a wide range of sectors — from industrial machinery and IoT to software and smart home. Find out what the CRA means specifically for your industry.
FAQ
Common questions about CRA compliance
Key milestones, SME challenges, and how to meet the September 2026 reporting deadline.
A 5-step implementation roadmap from product inventory to audit-ready documentation.
Scaling challenges and why spreadsheets can't handle CRA at enterprise scale.
The EU Cyber Resilience Act represents the most significant shift in product cybersecurity regulation since the introduction of the CE marking. For the first time, the European Union establishes a unified legal framework requiring all manufacturers, importers, and distributors of products with digital elements to meet comprehensive cybersecurity standards before placing products on the EU market.

The regulation covers hardware products with embedded software (industrial controllers, IoT devices, network equipment), standalone software (desktop applications, mobile apps, SaaS platforms), and remote data processing solutions.

Key requirements include performing risk assessments during product design, delivering products with secure default configurations, maintaining and sharing Software Bills of Materials (SBOMs), establishing coordinated vulnerability disclosure processes, providing free security updates for the expected product lifetime (minimum five years), and reporting actively exploited vulnerabilities to ENISA within 24 hours.

Products are classified into Default, Important Class I, Important Class II, and Critical categories, with higher categories requiring third-party conformity assessments.

The CRA entered into force on December 10, 2024, with a transition period until December 11, 2027, for most requirements. Vulnerability reporting obligations begin September 11, 2026. Kunnus helps companies navigate this regulatory landscape with automated compliance tools tailored to each industry's specific needs.
Our free readiness assessment shows you in 15 minutes where your organization stands — and what to do next.
Regulation (EU) 2024/2847 (Cyber Resilience Act), Official Journal of the European Union.
ENISA, European Union Agency for Cybersecurity, responsible for receiving CRA vulnerability reports.
European Commission, CRA Overview, official CRA information page.
Our platform makes CRA compliance straightforward with automated SBOM management, continuous vulnerability monitoring, and expert guidance every step of the way.