The CRA, explained

The Cyber Resilience Act (EU) is a complex piece of legislation.

For manufacturers, software developers and device importers, distributors and resellers, understanding the purpose of this legislation is the first step on the path towards compliance.

In this page, we summarize the goals and main tenets of the Act to provide clarity to its stakeholders.

The CRA puts resilience at the CORE of IoT

Why does the Cyber Resilience Act matter?

benefits for both businesses and consumers


The regulation will ensure an harmonized approach to IoT device security within the EU, making it easier for manufacturers to comply with the requirements and avoid overlapping regulations.


The risk of cyber-attacks will significantly lower, protecting businesses and consumers, from potential data breaches, financial losses, and reputational damage.


The implementation of cybersecurity features enables to avoid the significant costs of handling data breaches, which can run into millions of dollars.


With the increased security provided by the CRA, there will be an increase in customer's trust, leading to increased demand for products with digital elements.


This increase in demand can translate to more customers and increased profits for manufacturers and importers/distributors/resellers.


The regulation will improve transparency by making it easier to access clear information on the device, leading to better-informed purchasing decisions and customer satisfaction.


A better protection of fundamental rights such as data and privacy protection by ensuring that data collected with IoT devices are secure and protected from potential breaches.

Related Links
European flag

To whom does the Cyber Resilience ACt Apply?

The Cyber Resilience Act applies to economic operators such as manufacturers, software developers, distributors, importers and other economic actors (such as resellers) who supply digital products to the European market.

There are some important exceptions:

  • Free and open-source software does not fall under the purview of the CRA. However, open-source software from which its developers derive some source of income (such as paid technical assistance or commercial use of data generated by software users) are subject to the Act’s requirements.
    ⚠️ According to Article 53 (10.a), fines for non compliance DO NOT apply to them.


  • Other pure SaaS also do not need to comply with the CRA, so long they do not process remote data.
  • For all other types of software, in the event that they meet other European regulations (such as the NIS 2 Directive, the AI Regulation, etc.) with similar level of cyber-resilience requirements, they do not need to further comply with the CRA for the cyber-resilience features already covered by these other regulations.
    For instance, high-risk AI systems that are covered by the AI Regulation may not meet the full requirements of the CRA. In that case, the software would need to be certified for both AI Regulation and the CRA, but for the latter, only for features that are not already covered by the AI Regulation.
  • In general, IoT products that are covered by other European Regulations (such as with the European Health Data Space Regulation for Electronic Health Records systems) similar level of cyber-resilience requirements do not need to further comply with the CRA providing that all CRA requirements are already fulfilled via these other Regulations.

Requirements and obligations

The Cyber Resilience Act imposes specific requirements and obligations on manufacturers, importers, distributors and third parties supplying digital products to the European market. 

First is the obligation to take into account cybersecurity features during the design and development phase of their products. This means that cybersecurity considerations must be integrated into the product development process.

In particular, manufacturers must ensure that products meet the security requirements specified in the CRA including provisions related to security by design and default, risk management, incident management, and the protection of personal data (this is closely related to the GDPR). 

Products must be updateable and patchable to address vulnerabilities that may appear. Information about products’ cybersecurity features must also be provided in a clear and comprehensive way to users.

If a manufacturer becomes aware of a cybersecurity risk, they must take immediate action to address it, including notifying users and the CSIRTs – this may change in the future as several within 24 hours. They must also cooperate with national authorities in investigating and resolving cybersecurity incidents related to their products.

Failure to comply with the Cyber Resilience Act can result in penalties and sanctions, such as of fine of 15 millions euros or 2.5% of annual turnover, which ever is higher.


Cyber Security News and Events

Check out the latest events on cyber security and the Cyber Resilience Act.