
EU Cyber Resilience Act (CRA) compliance: from business perspective


Cyberattacks on hardware and software are spiraling, causing major global losses and exposing some serious gaps in threat management. These issues have often been addressed reactively or inconsistently, leading to serious security incidents. This highlights the need and urgency of a robust consumer protection framework. The growth and development of digital products and connectable devices led the EU to initiate a harmonized and enforceable framework: the EU Cyber Resilience Act (CRA). Adopted in 2024, the regulation marks a significant shift in how the EU approaches cybersecurity for consumer electronics. 

Whether you are a manufacturer, distributor, importer or developer of digital products, understanding the CRA is about future-proofing your business, not just about compliance. The EU Cyber Resilience Act (CRA) puts forward essential requirements covering everything from a product's design and development to vulnerability reporting and post-market surveillance.

This blog explores CRA in simpler terms, breaking down its requirements, scope, timelines, and how businesses can prepare effectively.


EU Cyber Resilience Act (CRA): an overview 

The Cyber Resilience Act (CRA), officially referred to as Regulation (EU) 2024/2847, is a European Union regulation that was established to enhance the cybersecurity standards for products with digital elements (PDEs), such as the hardware and software that are either sold or distributed in the EU market. The CRA was officially published on October 23, 2024, entered into force on November 12, 2024, and will only apply from December 11, 2027, providing a transition period for manufacturers and stakeholders. 

The CRA applies to both hardware and software products that connect, directly or indirectly, to other devices or networks. This includes IoT devices, smartphones, laptops, smart home products, firewalls, and even software such as antivirus. Exceptions include equipment such as medical devices, automobiles and aviation products, as well as certain open-source software and services that are already regulated under other EU laws. Products complying with the CRA will bear the CE marking as an indicator of compliance.

Objectives of the EU CRA: 

  • Establish a baseline of cybersecurity for digital products. 
  • Integrate security as a core element through every stage of the product's lifecycle. 
  • Improve transparency towards the consumers. 
  • Harmonize a cybersecurity-by-design framework for consumer products. 


CRA requirements and obligations

The CRA puts forward essential cybersecurity and vulnerability handling requirements specified in Annex I of the regulation. These requirements apply to all PDEs, with specific obligations depending on the product's associated risk level. 

Main requirements 

  • Risk assessment: Manufacturers must ensure that products are designed, developed and produced secure by default, without any known vulnerabilities, and that they minimise the processing of data.
  • Documentation: Manufacturers must be able to deliver technical documentation demonstrating product design, delivery and vulnerability management, along with a Software Bill of Materials (SBOM), a risk assessment and a declaration of conformity.
  • Conformity assessment: Manufacturers must provide a declaration of conformity, based either on self-assessment or on an assessment by an independent third-party auditor.
  • Vulnerability reporting: Manufacturers must offer a means to report any actively exploited vulnerabilities or security incidents. Valid issues must be notified to the European Union Agency for Cybersecurity (ENISA) within 24 hours of the manufacturer becoming aware of them.


CRA product risk classes: Default, Important, Critical

The CRA introduces classes of products based on risk levels: 

  • Default (low-risk): Make up 90% of PDEs, for example smart toys, TVs or fridges, and are eligible for self-assessment.
  • Important (class I and II): High-risk products.
    Class I includes products such as password managers and browsers, which require rigorous assessment and documentation. Class II includes products such as firewalls and secure microprocessors, which require third-party assessments.
  • Critical: High-risk products such as smart cards, smart meter gateways or hardware security modules, which require the most stringent third-party evaluations.


CRA timeline  

The CRA provides a transition timeline, with full application starting December 11, 2027. 

[Figure: Cyber Resilience Act (CRA) timeline]


Entities and products under scope

The CRA affects various actors in the supply chain, including manufacturers, importers, distributors, resellers and even software developers.

  • Manufacturers: Hold primary responsibility for ensuring PDE compliance, which includes conducting risk assessments, conformity assessments and vulnerability management.
  • Importers: Must confirm that the PDEs they import fully comply with all CRA requirements.
  • Distributors: Must verify the conformity and CE marking of the products they place on the EU market.
  • Developers: Must establish cybersecurity policies and vulnerability handling mechanisms for software intended for commercial use.

Product scope under the EU CRA:

CRA applies to most digital products, including:  

  • Smart consumer electronics (e.g., smart TVs, IoT devices) 
  • Industrial control systems (ICS) 
  • Operating systems, applications, cloud software 
  • Networking equipment and firmware 
  • Mobile apps and embedded systems 

Out-of-scope products (primarily because they are covered by other, stricter regulations):

  • Websites and SaaS products 
  • Medical devices 
  • Automotive components 
  • Aviation and defense systems  

Note: All commercial use of open-source software falls under the scope of the CRA.


CRA compliance checklist for businesses

Companies should start preparing for the CRA now so that they remain compliant once it applies.

  • Identify: Determine if the product falls under CRA's scope and classify it according to the product classes. 
  • Risk assessment: Identify the cybersecurity gaps in each phase of product development and evaluate them against the CRA requirements.
  • Security implementation: Integrate security best practices and security standards from design through development.
  • Conformity assessment: Perform a self-assessment or an independent third-party assessment, depending on the product class.
  • Technical documentation: Prepare the documentation the CRA requires, such as the Software Bill of Materials (SBOM) and risk assessments.
  • CE marking & Declaration of Conformity (DoC): Affix the CE mark and maintain an up-to-date Declaration of Conformity (DoC). 
  • Vulnerability management: Put in place vulnerability monitoring and secure update mechanisms.

Penalties for non-compliance with the CRA:

  • Fines of €5 million to €15 million, or 1% to 2.5% of global annual turnover, whichever is greater.
  • Market restrictions or recalls from the EU market. 
  • Reputational damage and supply chain disruptions. 


The EU Cyber Resilience Act (CRA) is not just a regulatory obligation. Amid the rise in cyber threats, it can act as a transformative step towards securing digital products in the EU. Enforcement of the CRA compels manufacturers, importers and distributors to apply cybersecurity best practices throughout a product's entire lifecycle, and sets a global benchmark for cybersecurity. To prepare effectively, businesses must begin aligning with the CRA's requirements and seek informed guidance to ensure compliance by December 2027.

Preparing for the CRA proactively not only mitigates the risk of fines and market restrictions; it also future-proofs products, builds market trust and competitiveness, and maintains access to the EU market.

While the CRA has sparked much conversation, it is the Radio Equipment Directive (RED), enforceable from August 2025, that is commanding even greater urgency. Non-compliance with RED poses a real risk of losing market access in the EU. On the other hand, aligning with RED not only ensures continuity but also puts you on the front foot for your CRA compliance journey.

For more information, explore our Radio Equipment Directive (RED) product testing services.


This author is a tech writer at Positka writing blogs on the latest smart security technology.
