The Cyber Resilience Act (CRA) Explained: What You Need to Know
The EU Cyber Resilience Act (CRA) is the most significant regulation for digital product security ever enacted. If you manufacture, import, or distribute products with digital elements in the EU, the CRA will fundamentally change your obligations. Here's what you need to know.
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is an EU regulation establishing mandatory cybersecurity requirements for products with digital elements. Adopted in 2024, it applies to hardware and software products connected to networks or other devices.
Key Principle: Security must be built into products by design, not bolted on afterward. Manufacturers are responsible for the security of their products throughout the entire lifecycle.
Why It Exists: The proliferation of insecure IoT devices, vulnerable software, and connected products has created massive security risks. The CRA ensures that products sold in the EU meet baseline security standards.
What Products Are Covered?
The CRA applies to "products with digital elements"—any software or hardware product and its remote data processing solutions, including:
Hardware Products:
• IoT devices (smart home, wearables, industrial sensors)
• Network equipment (routers, switches, firewalls)
• Industrial control systems
• Medical devices with connectivity
• Automotive components
Software Products:
• Operating systems
• Applications and mobile apps
• Firmware and embedded software
• Cloud services integrated with hardware
Exemptions:
• Open-source software (developed non-commercially)
• Products already covered by specific regulations (medical devices, vehicles, aviation)
• Services (SaaS without hardware component)
• Products exclusively for national security/military use
Key Requirements
Security by Design:
Products must be designed with security from the start:
• Secure default configurations
• Protection against unauthorized access
• Confidentiality and integrity of data
• Minimal attack surface
Vulnerability Management:
Manufacturers must:
• Document and address known vulnerabilities before release
• Provide security updates for the product's lifetime (minimum 5 years)
• Monitor for new vulnerabilities continuously
• Report actively exploited vulnerabilities within 24 hours
Documentation:
Products must include:
• Technical documentation of security features
• Software bill of materials (SBOM)
• User instructions for secure configuration
• Information about the security support period
Conformity Assessment:
Products must undergo assessment to verify compliance:
• Default category: Self-assessment with documentation
• Important products (Class I): Self-assessment or third-party audit
• Critical products (Class II): Mandatory third-party certification
Product Categories
The CRA creates risk-based categories with different requirements:
Default Category (Most Products):
Standard products can self-certify compliance. Manufacturers conduct their own conformity assessment and draw up a declaration of conformity.
Important Products - Class I:
Higher-risk products including:
• Identity management software
• Password managers
• VPNs
• Network management systems
• Security information and event management (SIEM) systems
• Operating systems
Self-assessment is allowed if harmonized standards are followed; otherwise a third-party audit is required.
Important Products - Class II:
Critical products including:
• Hypervisors
• Firewalls and intrusion detection systems
• Tamper-resistant microprocessors
• Industrial control systems for essential entities
A third-party conformity assessment is mandatory.
Timeline
2024: CRA adopted and entered into force
2026: Reporting obligations for vulnerabilities apply
2027: Full application of all requirements
Key Dates:
• December 2025: Reporting obligations for actively exploited vulnerabilities
• June 2026: Market surveillance authorities operational
• December 2027: Full compliance required for all products
Products placed on the market before December 2027 are exempt unless substantially modified.
Penalties
The CRA includes significant penalties for non-compliance:
For Essential Requirements:
Up to €15 million or 2.5% of global annual turnover, whichever is higher
For Other Obligations:
Up to €10 million or 2% of global annual turnover
For Incorrect Information:
Up to €5 million or 1% of global annual turnover
Additional Consequences:
• Product withdrawal from market
• Product recall
• Prohibition of market placement
• Public warnings
Market surveillance authorities will enforce compliance through inspections, testing, and enforcement actions.
Connection to NIS2
The CRA and NIS2 work together:
NIS2 Protects Organizations: Requires entities to implement security measures including supply chain security and product security assessments.
CRA Protects Products: Ensures products used by NIS2 entities meet baseline security requirements.
The Synergy: NIS2 entities must assess their suppliers' security. CRA makes this easier by ensuring products already meet established standards. Organizations using CRA-compliant products can demonstrate supply chain security for NIS2.
Together, they create a comprehensive framework: secure products (CRA) used by secure organizations (NIS2).
Preparing for Compliance
For Manufacturers:
• Inventory all products with digital elements
• Classify products by CRA category
• Assess current security practices against requirements
• Implement a secure development lifecycle (SDL)
• Establish vulnerability management processes
• Create SBOM generation capability
• Plan conformity assessment approach
For Importers/Distributors:
• Ensure suppliers understand CRA requirements
• Verify products have required documentation
• Establish processes for handling security updates
• Prepare to withdraw non-compliant products
For Buyers:
• Include CRA compliance in procurement requirements
• Request SBOMs from suppliers
• Verify security support periods match your needs
• Plan for update and vulnerability management