
Who does CRA apply to? Scope & Applicability

Find out who must comply with the Cyber Resilience Act, when it applies, if it's mandatory, and how to comply with CRA requirements in the EU.


The Cyber Resilience Act sets baseline cybersecurity rules for any hardware or software product with a digital element offered on the EU market.

It targets manufacturers, importers and distributors, meaning regular service businesses are outside its scope unless they place such products on the market. This matters because the CRA introduces strict pre-market security requirements and long-term vulnerability management obligations, so “who must comply with the Cyber Resilience Act” is a key question for technology suppliers today.

Effective date: 10.12.2024 (already in effect)
Applies to: Manufacturers, importers, distributors of products with digital elements (all sectors)
Geographic scope: EU market (global suppliers if selling into the EU)
Mandatory?: Yes
Penalties: Fines up to €15 million or 2.5 % of global annual turnover; possible product recall/withdrawal
Cyberday support: ✅ Yes

Read also: What is Cyber Resilience Act?

Applicability criteria for Cyber Resilience Act (CRA)

The CRA applies based on a few clear factors. Organizations must assess their products, their role in the supply chain, and where and how they operate.

  • Industry / sector – any sector that places hardware or software with a digital element on the EU market, from consumer IoT to industrial control systems.
  • Organization role – manufacturer, importer or distributor (including resellers) are covered; users of off-the-shelf products are not.
  • Geography / region – applies if the product is made available in the EU, regardless of where the company is established.
  • Product type / class – critical products (e.g., firewalls, password managers) face stricter conformity paths; non-critical products still need baseline controls.
  • Exemptions – free and open-source software supplied on a non-commercial basis, and products developed solely for national security or defense are out of scope.

Is Cyber Resilience Act (CRA) mandatory and how to check if it applies to you?

Yes, complying with the CRA is mandatory if your organization places in-scope digital products on the EU market. Here's how to check whether it applies to you:

  • Confirm the product contains digital elements and is placed on the EU market.
  • Identify your role: manufacturer, importer or distributor.
  • Check for exemptions (non-commercial open-source, defense-only use).
  • Map the product against CRA Annex I cybersecurity requirements.
  • Determine if the product falls in a critical class that needs a third-party assessment.

Test your CRA compliance status

Take our free assessment and get a quick view of how your organization aligns with Cyber Resilience Act requirements, and where to focus next.


Examples of organizations that must comply

Here are a few typical company profiles that fall under CRA requirements:

  • A Finnish startup selling smart lighting IoT devices across Europe (manufacturer).
  • A German wholesaler importing network routers from Asia for EU retailers (importer).
  • A SaaS vendor in Ireland shipping an on-premises security appliance to EU customers (distributor and manufacturer).

When does the Cyber Resilience Act (CRA) come into effect?

The CRA is already in force, but specific obligations have staggered timelines. Key dates include:

  • 10 December 2024 – the Regulation enters into force.
  • 10 September 2026 – the first obligations (early incident and vulnerability reporting) apply, 21 months after entry into force.
  • 10 December 2027 – full compliance is required, 36 months after entry into force.

Read how to comply with CRA requirements in this article.

What happens if you don’t comply?

Non-compliance carries serious financial and operational consequences. Here’s what can happen:

  • Fines up to €15 million or 2.5 % of global turnover, whichever is higher
  • Product withdrawal from the EU market
  • Mandatory recalls for insecure products
  • Sales bans across EU countries
  • Investigations by national market-surveillance authorities

How Cyberday supports in-scope organizations

If your products fall under the CRA, Cyberday gives you a clear structure to get compliant. Our platform maps Annex I requirements into trackable tasks, helps build technical documentation, and supports incident and vulnerability reporting workflows. It’s built to help you figure out how to comply with the Cyber Resilience Act in a practical and ongoing way.

Start working on your CRA compliance today with the free trial of Cyberday!
