
# Cyber Resilience Act (CRA): Complete Guide for Product Manufacturers

Everything you need to know about the EU Cyber Resilience Act — mandatory cybersecurity requirements for products with digital elements, CE marking, vulnerability handling, and compliance timelines.
The Cyber Resilience Act (Regulation 2024/2847) introduces mandatory cybersecurity requirements for all products with digital elements sold in the EU market. It's the first regulation of its kind globally — requiring security by design, lifecycle security updates, and transparent vulnerability handling for hardware and software products.
If you manufacture, import, or distribute connected products or software in Europe, the CRA affects you directly.
## What Is the Cyber Resilience Act?
The CRA establishes horizontal cybersecurity requirements for products with digital elements across their entire lifecycle — from design and development through market placement to end of life. It addresses the fact that most products on the market today have no cybersecurity requirements at the regulatory level.
Key principles:
- Security by design: Products must be designed with cybersecurity in mind from the start
- Security by default: Products must be delivered with secure default configurations
- Lifecycle responsibility: Manufacturers must provide security updates for the expected product lifetime
- Transparency: Vulnerabilities must be reported and handled through coordinated processes
- Market access: Non-compliant products cannot be placed on the EU market (CE marking required)
## Who Must Comply?
The CRA applies to three categories of economic operators:
### Manufacturers
Any entity that designs, develops, or produces products with digital elements, or has them designed, developed, or produced, and markets them under its own name or trademark.
### Importers
Any entity established in the EU that places on the market a product from a manufacturer established outside the EU.
### Distributors
Any entity in the supply chain (other than the manufacturer or importer) that makes a product available on the market.
## What Counts as a "Product with Digital Elements"?
The CRA covers:
- Hardware products with network connectivity: IoT devices, routers, smart home devices, industrial controllers, medical devices, automotive components
- Standalone software: Applications, operating systems, firmware, middleware, libraries
- Remote data processing: Cloud-based components essential to a product's core function
### Exemptions
- Open source software developed in a non-commercial context
- Products already covered by sector-specific EU legislation (medical devices under MDR, automotive under type-approval regulations, aviation under EASA)
- Products exclusively developed for national security or defence purposes
## Product Categories and Conformity Assessment
The CRA categorises products based on their criticality:
### Default Category (Majority of Products)
- Conformity assessment: Self-assessment by the manufacturer
- Examples: Most consumer IoT, general-purpose software, smart home devices
- Procedure: Internal control (Module A) based on Annex VIII
### Important Products (Annex III)
Class I — Important Products:
- Identity management and authentication software
- VPNs, network management systems
- SIEM systems
- Boot managers, BIOS firmware
- Firewalls, IDS/IPS for non-industrial use
- Routers and modems for internet connectivity
- Microprocessors and microcontrollers with security features
- Assessment: Self-assessment with harmonised standards, or third-party assessment
Class II — Important Products (Higher Risk):
- Hypervisors, container runtime systems
- Firewalls and IDS/IPS for industrial use
- Tamper-resistant microprocessors/microcontrollers
- Assessment: Third-party conformity assessment required
### Critical Products (Annex IV)
- Hardware devices with security boxes (HSMs, smart cards, secure elements)
- Smart meter gateways within smart metering systems
- Smartcards and similar devices, including secure elements
- Assessment: European cybersecurity certification required
## Essential Cybersecurity Requirements
Annex I of the CRA defines the essential requirements:
### Part I: Product Requirements
- Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity
- Products must be delivered without known exploitable vulnerabilities
- Products must have secure default configuration, with the ability to reset to factory defaults
- Protection against unauthorised access through appropriate control mechanisms
- Protection of confidentiality of stored, transmitted, or processed data (encryption where appropriate)
- Protection of data integrity
- Processing of only necessary data (data minimisation)
- Availability protections, including resilience against denial-of-service
- Minimisation of negative impact on other devices/networks
- Minimal attack surface design
- Limiting the impact of incidents through appropriate exploitation mitigation mechanisms
- Security-relevant information recording and monitoring (logging)
- Secure software update mechanisms, with user notification
### Part II: Vulnerability Handling Requirements
- Identify and document vulnerabilities and components (including SBOM)
- Address vulnerabilities without delay through security updates
- Apply effective and regular testing and review
- Public disclosure of fixed vulnerabilities, including CVE identifiers
- Coordinated vulnerability disclosure policy
- Mechanisms for secure distribution of security updates
- Free security updates for the expected product lifetime (minimum 5 years)
## Vulnerability Reporting Obligations
Manufacturers must report:
### Actively Exploited Vulnerabilities
- Within 24 hours of becoming aware: Early warning to ENISA (via single reporting platform)
- Within 72 hours: Vulnerability notification with available corrective measures
- Within 14 days: Final report with description, severity, impact, and remediation
### Severe Incidents
- Report severe incidents impacting the security of the product
- Same timeline structure as vulnerability reporting
## CRA Timeline
| Date | Milestone |
|---|---|
| 20 Nov 2024 | Published in Official Journal |
| 10 Dec 2024 | Entered into force |
| 11 Jun 2026 | Conformity assessment body provisions apply |
| 11 Sep 2026 | Vulnerability reporting obligations apply |
| 11 Dec 2027 | Full application of all requirements |
Products placed on the market before 11 December 2027 that are not substantially modified do not need to comply. However, any substantial modification after this date triggers full compliance requirements.
## Penalties
| Violation | Maximum Fine |
|---|---|
| Non-compliance with essential cybersecurity requirements | €15 million or 2.5% of global turnover |
| Non-compliance with other CRA obligations | €10 million or 2% of global turnover |
| Providing misleading information to authorities | €5 million or 1% of global turnover |
Market surveillance authorities can also:
- Order products withdrawn from the market
- Require corrective measures
- Prohibit or restrict market availability
- Order product recalls
## CRA Compliance Roadmap
### Step 1: Scope Assessment
Determine which of your products fall under the CRA and their category (default, important, critical).
### Step 2: Gap Analysis
Map your current product security practices against the essential requirements in Annex I. Common gaps:
- No formal SBOM management
- Vulnerability handling not aligned with CRA timelines
- No secure update mechanism for deployed products
- Security testing not systematic
### Step 3: Security by Design Integration
Embed cybersecurity requirements into your product development lifecycle — requirements, design, implementation, testing, deployment.
### Step 4: Vulnerability Management Programme
Establish coordinated vulnerability disclosure, SBOM maintenance, and the 24-hour / 72-hour / 14-day reporting workflow.
### Step 5: Conformity Assessment
Prepare technical documentation, conduct the appropriate conformity assessment procedure, and prepare the EU declaration of conformity.
### Step 6: Lifecycle Security
Plan for providing free security updates throughout the expected product lifetime (minimum 5 years from market placement).
## CRA and Other EU Regulations
| Regulation | Relationship to CRA |
|---|---|
| NIS2 | CRA addresses product security; NIS2 addresses organisational security. Complementary. |
| GDPR | CRA's data protection requirements complement GDPR for product-level data handling. |
| AI Act | High-risk AI systems that are products with digital elements must comply with both. |
| MDR/IVDR | Medical devices are exempt from CRA (covered by their own regulations). |
| Radio Equipment Directive | CRA will eventually replace RED's cybersecurity delegated acts. |
## How Orbiq Supports CRA Compliance
Orbiq helps manufacturers manage the documentation and evidence requirements that the CRA introduces:
- Supply chain documentation: Track components and dependencies across your product portfolio
- Compliance evidence: Centralise security testing results, vulnerability assessments, and conformity documentation
- Trust Center: Share your product security posture with customers and market surveillance authorities
- Vendor management: Monitor the security status of components and third-party dependencies
## Further Reading
- Cyber Resilience Act: Articles 13 & 14 in Detail
- NIS2 Compliance Guide — Organisational security requirements
- DORA Compliance Guide — Financial sector requirements
This guide is maintained by the Orbiq team. Last updated: March 2026.