01 What the CRA is
The Cyber Resilience Act is the first EU-wide law to set mandatory cybersecurity requirements for products with digital elements, both hardware and software, across their entire lifecycle. It shifts responsibility for security onto the organisations that place these products on the market, rather than leaving it to users. (Art. 1)
In practice, a product may only be made available on the EU market if it meets the essential requirements set out in Annex I and the manufacturer has fulfilled the obligations attached to it. Compliance is signalled by the CE marking.
If your product has digital elements and reaches the EU market, it must be designed, built and maintained to a defined cybersecurity standard, and you must be able to demonstrate it.
02 Who it applies to
The Regulation covers products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect data connection. Obligations are distributed across the supply chain: (Art. 13–28)
- Manufacturers: bear the primary obligations: design, documentation, conformity assessment and vulnerability handling.
- Importers: may only place compliant products on the market and must verify that the manufacturer's duties were met.
- Distributors: must act with due care and check that the CE marking and documentation are present.
Products already covered by sector-specific rules, such as medical devices, motor vehicles and civil aviation, are excluded, as are non-commercial open-source components.
03 Product classes
The required conformity route depends on how critical the product is. Most products self-assess; higher-risk categories listed in the annexes face stricter procedures. (Art. 6–7 · Annex III–IV)
| Class | Examples | Conformity route |
|---|---|---|
| Default | The majority of products with digital elements | Self-assessment |
| Important (Class I) | Password managers, network management, VPNs | Standards or third-party |
| Important (Class II) | Operating systems, firewalls, microprocessors | Third-party assessment |
| Critical | Smart meters, smart cards, secure elements | Mandatory certification |
04 Key obligations
The essential requirements in Annex I fall into two groups: properties the product must have, and processes the manufacturer must run. (Annex I)
- Secure by design & default: delivered with a secure configuration and a minimised attack surface.
- No known exploitable vulnerabilities: shipped free of known exploitable flaws.
- Vulnerability handling: a process to identify, document, remediate and disclose issues.
- Security updates: free, timely updates throughout the defined support period.
- Software bill of materials: maintain an SBOM covering the product's components.
- Reporting: notify actively exploited vulnerabilities and severe incidents to ENISA and the relevant CSIRT, with an early warning within 24 hours.
05 Timeline & penalties
The Act is already in force; its obligations phase in over the following years. (Art. 71)
- Oct 2024: Adopted and signed into law.
- Dec 2024: Entered into force.
- Sep 2026: Reporting obligations apply (21 months after entry into force).
- Dec 2027: Full application; most provisions apply (36 months).
Non-compliance with the essential requirements can attract fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
06 What to do next
Begin by confirming whether the Act applies to your product, then follow the guidance written for your role.
