
The EU Cyber Resilience Act (CRA) sets mandatory cybersecurity standards for almost every hardware or software product that connects to a network. Think of it as the “CE‑mark for security”: before a product with digital elements (PDE) can be sold in the EU, the manufacturer must show that it was built securely, is shipped without known exploitable vulnerabilities, and can be kept secure throughout its life.
Overview of CRA
The CRA is an EU regulation (Regulation (EU) 2024/2847) that entered into force on 10 December 2024 and will apply in full from 11 December 2027. Being a regulation, it is directly binding in every Member State without national transposition.
Goal: Close the security gap for connected products by moving responsibility to the economic operators that profit from them.
Scope: All “products with digital elements” (hardware, software and their remote data‑processing components) placed on the EU market, unless covered by another sector‑specific regime such as medical devices or automotive type‑approval. Open‑source software that is provided free of charge and not commercialised is outside scope.
Authority: Market‑surveillance authorities in each Member State will verify compliance; non‑compliance can trigger recalls and fines of up to €15 million or 2 percent of global turnover.
Read more: What is Cyber Resilience Act?
What are the key requirements of CRA?
The Cyber Resilience Act sets out clear security and compliance expectations for any business placing digital products on the EU market. These requirements cover product design, documentation, supply chain responsibilities, and incident reporting.
Understanding how these obligations are grouped helps you plan implementation work, assign responsibilities, and avoid missed requirements during audits. Below is a practical breakdown of the CRA’s main requirement categories, following the structure used in the official regulation.
You can find the full legal text on the official EU website.
1. Secure design, development and production (Annex I Part I)
- Ship the product without known exploitable vulnerabilities.
- Provide a secure‑by‑default configuration and allow a secure factory reset.
- Protect confidentiality and integrity of data in transit and at rest (e.g., encryption, integrity checks).
- Implement robust authentication and access control.
- Limit attack surface and include exploitation‑mitigation techniques.
- Log security‑relevant events and let users erase personal data securely.
2. Vulnerability handling and lifecycle support (Annex I Part II)
- Maintain an internal vulnerability management process backed by a risk assessment.
- Address reported vulnerabilities “without undue delay” and provide security updates for the declared support period.
- Publish a contact point and a coordinated vulnerability disclosure (CVD) policy.
- Within 24 hours of becoming aware of an actively exploited vulnerability or incident, notify ENISA via the European vulnerability database and issue mitigation information to users.
3. Technical documentation and conformity assessment (Annex II + Articles 23–29)
- Produce a risk‑based technical file including threat model, secure‑development evidence and Software Bill of Materials (SBOM).
- Default‑risk products may use self‑assessment; “important” class I/II products (e.g., firewalls, identity providers) require third‑party certification.
- Affix the CE marking and draw up an EU declaration of conformity once assessment is passed.
4. Obligations for economic operators (Articles 13–20)
- Manufacturers: carry out the assessment, keep documentation for 10 years, provide updates for at least the support period declared in the EU‑DoC, and cooperate with authorities.
- Importers: verify that the product bears the CE mark and that documentation and updates are available.
- Distributors: ensure labelling and CE mark are intact and stop sales if they suspect non‑compliance.
5. Market monitoring and incident reporting (Articles 30–35)
- Keep a register of incidents and vulnerabilities; supply SBOMs to authorities on request.
- Report any exploitation of an unpatched vulnerability within 24 hours, and provide a final incident report within two weeks.

Are the requirements mandatory for everyone?
CRA is broad but not universal. Organisations in scope must comply; for everyone else the requirements are voluntary.
- Full coverage: Any organisation that places a product with digital elements on the EU market for commercial gain, regardless of size or location.
- Important exemptions:
  - Open‑source software supplied free of charge and not monetised.
  - PDEs already regulated by stricter sectoral laws (medical devices, aviation, automotive, qualified eID wallets, etc.).
  - Spare parts for legacy products.
- Light‑touch regime: “Open‑source stewards” that provide sustained support for OSS components intended for commercial use face reduced obligations (security attestation instead of full CE process).
Read more: Who does Cyber Resilience Act apply to?
Common challenges with meeting CRA requirements
- Generating an accurate SBOM. Many teams rely on multiple package managers and private repositories, which makes complete dependency lists hard to assemble.
- Coordinated vulnerability disclosure. Setting up a public process, secure intake channel and 24‑hour response workflow is new for many SMEs.
- Long‑term update commitment. Declaring a support period means budgeting for three‑plus years of patching, including older major versions.
- Evidence collection. Developers must preserve threat models, test results and secure‑coding records for the technical file.
- Class determination. Deciding whether a product falls into the default category, important class I or important class II changes the conformity‑assessment route and deadlines.
How Cyberday helps with CRA requirements
Cyberday turns CRA compliance into manageable tasks. All framework requirements are mapped into actionable controls and policies. With Cyberday it's easy to manage multi-compliance, with dashboards that show current CRA compliance status alongside NIS2, ISO 27001 or any other framework or regulation that might be important to you.
Need to align your product roadmap, security engineering and legal teams? Cyberday provides the structure, templates and automated checks you need for efficient, evidence‑backed CRA compliance.
Start your free Cyberday trial today!