EU Cyber Resilience Act
Issued by
European Parliament and Council of the European Union
The EU Cyber Resilience Act establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market, including hardware and software incorporating AI components, covering the entire product lifecycle from design through end-of-life.
Overview
The EU Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, was published in the Official Journal of the EU on 20 November 2024 and entered into force on 10 December 2024. It is the first horizontal EU legislative instrument imposing binding cybersecurity obligations on manufacturers, importers, and distributors of products with digital elements (PDEs), a category that covers connected hardware devices, standalone software, and increasingly, AI-enabled products. The CRA fills a regulatory gap identified in the EU Cybersecurity Strategy: sector-specific rules addressed cybersecurity in critical infrastructure and financial services, but no baseline applied uniformly to the broad universe of commercial digital products.

The regulation is structured around the essential cybersecurity requirements in Annex I, which cover secure-by-design and secure-by-default principles, vulnerability handling obligations, and mandatory reporting of actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT designated as coordinator. Products are classified into three risk tiers: default, important (Class I and Class II), and critical, each carrying progressively stringent conformity assessment obligations. Default products may be self-assessed. Class I important products may be self-assessed only where the manufacturer applies harmonised European standards, common specifications or a European cybersecurity certification scheme in full, and otherwise need a notified body; Class II important products always require third-party assessment.

Manufacturers must define a support period of at least five years, or the product's expected use time where that is shorter, during which they must deliver security updates free of charge. Implementation is phased: the provisions on notified bodies apply from 11 June 2026, the reporting obligations in Article 14 apply from 11 September 2026, and the remaining requirements apply from 11 December 2027.

For enterprises deploying AI systems as part of connected products or embedding AI in software distributed in the EU, the CRA interacts with the EU AI Act (Regulation (EU) 2024/1689). Under Article 12 of the CRA, a PDE that is also a high-risk AI system under the AI Act and meets the CRA's essential cybersecurity requirements is deemed to satisfy the AI Act's cybersecurity requirement (Article 15 of the AI Act), and the CRA conformity assessment is carried out within the AI Act's conformity assessment procedure rather than separately.
Key Requirements
- •Secure-by-design and secure-by-default product architecture throughout the development lifecycle
- •Mandatory vulnerability disclosure and coordinated vulnerability handling process, including a dedicated point of contact
- •Notification, via the single reporting platform, to the CSIRT designated as coordinator and to ENISA within 24 hours of becoming aware of an actively exploited vulnerability (early warning), a more detailed notification within 72 hours, and a final report within 14 days of a corrective measure becoming available; the same 24-hour and 72-hour windows apply to severe incidents affecting the security of the product, with a final report within one month
- •Provision of free security updates throughout a support period of at least five years, or the product's expected use time where that is shorter
- •Preparation and maintenance of a Software Bill of Materials (SBOM) for every PDE, in a commonly used and machine-readable format, covering at least the product's top-level dependencies (Annex I, Part II)
- •CE marking to demonstrate conformity with CRA requirements before placing products on the EU market
- •Conformity assessment via internal control (self-assessment) for default products; self-assessment for Class I important products only where harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full, otherwise assessment by a notified body; mandatory third-party assessment for Class II important products; a European cybersecurity certification scheme for critical products where a delegated act requires it
- •Separate obligations on importers and distributors to verify that the manufacturer has carried out the conformity assessment, drawn up the technical documentation and affixed the CE marking, and full manufacturer obligations on any party that places a PDE on the market under its own name or substantially modifies it
- •Documentation of the cybersecurity risk assessment and retention of the technical documentation and EU declaration of conformity for at least ten years after the product is placed on the market, or for the support period, whichever is longer
- •Prohibition on placing products with known exploitable vulnerabilities on the EU market
What Your Organization Must Do
- →Conduct a product inventory audit by Q1 2025 to classify all products with digital elements against CRA risk categories (default, Class I, Class II, or critical), assigning the Head of Product Security as responsible owner for each classification decision.
- →Establish a coordinated vulnerability handling process and designate a named point of contact for vulnerability disclosure before the 11 September 2026 deadline, ensuring the process can produce the 24-hour early warning, the 72-hour notification and the 14-day final report for actively exploited vulnerabilities through the single reporting platform, and can distinguish these from severe incidents, which follow the same 24-hour and 72-hour windows with a final report within one month.
- →Identify candidate conformity assessment bodies now for Class I and Class II important products that will need third-party assessment, and engage them as soon as they are notified under the CRA (the notified-body provisions apply from 11 June 2026), as assessment backlogs are expected; schedule assessments to allow CE marking completion before 11 December 2027.
- →Produce a machine-readable Software Bill of Materials (SBOM) covering at least the top-level dependencies of every PDE in the portfolio, and integrate SBOM generation into the secure development lifecycle, with the CISO setting a mandatory milestone for all new product releases no later than Q3 2026.
- →Update supplier and importer contracts to include CRA conformity warranties and audit rights, requiring importers and distributors that substantially modify PDEs, and so assume manufacturer obligations, to provide documented evidence of their own conformity assessments before the modified products enter the EU market.
- →Build a technical file retention program that keeps cybersecurity risk assessments, technical documentation and the EU declaration of conformity for at least ten years after market placement or for the support period, whichever is longer, and confirm that the security update commitment for the full support period (at least five years) is reflected in product roadmaps and support budgets approved by the CFO and product leadership.
Frequently Asked Questions
- Does the EU Cyber Resilience Act apply to SaaS and cloud-based services?
- Generally no. Pure SaaS and cloud services are outside the CRA's scope and are addressed by NIS2 instead. The CRA applies to products with digital elements, meaning hardware and software made available as products, including embedded AI components. Two caveats matter in practice: a client-side software component distributed to users of a cloud service is itself a PDE, and "remote data processing" that the manufacturer designs as part of the product and without which the product could not perform one of its functions is treated as part of the product and falls within scope (Article 3(2)).
- When do the CRA's vulnerability and incident reporting obligations take effect?
- The reporting obligations in Article 14 apply from 11 September 2026, ahead of the full regulation deadline. Manufacturers must submit an early warning through the single reporting platform within 24 hours of becoming aware of an actively exploited vulnerability, a more detailed vulnerability notification within 72 hours, and a final report within 14 days of a corrective measure becoming available. Severe incidents affecting the security of the product follow the same 24-hour and 72-hour windows, with a final report within one month. Full CRA compliance, including CE marking, is required from 11 December 2027.
- What are the penalties for non-compliance with the EU Cyber Resilience Act?
- Fines for breaching the essential cybersecurity requirements in Annex I, or the manufacturer obligations in Articles 13 and 14, can reach up to 15 million euros or 2.5 percent of total worldwide annual turnover, whichever is higher. Non-compliance with other obligations, such as documentation requirements or the duties of importers and distributors, can attract fines up to 10 million euros or 2 percent of worldwide turnover, whichever is higher. Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities can result in fines up to 5 million euros or 1 percent of worldwide turnover, whichever is higher.
- How does the CRA interact with the EU AI Act for AI-enabled products?
- For AI systems embedded in connected products or distributed as standalone software, both the CRA and the EU AI Act may apply simultaneously. Article 12 of the CRA resolves most of the overlap: a PDE that is a high-risk AI system under the AI Act and fulfils the CRA's essential cybersecurity requirements is deemed to comply with the cybersecurity requirement in Article 15 of the AI Act, and the CRA conformity assessment is performed within the AI Act conformity assessment procedure, with the CRA's own procedures still applying to important and critical products. Compliance teams should map overlapping requirements early, particularly for secure-by-design obligations and technical documentation, so that one set of evidence serves both regimes.
- What conformity assessment route applies to Class I and Class II important products under the CRA?
- Class I important products may be self-assessed only where the manufacturer applies harmonised European standards, common specifications or a European cybersecurity certification scheme in full; otherwise they require assessment by a notified body. Class II important products must undergo third-party assessment in every case. Critical products must use a European cybersecurity certification scheme where a delegated act requires it, and are otherwise assessed like Class II products. Default products may be self-assessed through the internal control procedure. Given expected backlogs at notified bodies, which can only be designated under the CRA once the notified-body provisions apply from 11 June 2026, manufacturers should line up assessment bodies well before the 11 December 2027 deadline.
- Does the CRA impose obligations on open-source software maintainers?
- Direct manufacturer obligations under the CRA do not apply to open-source software developed and supplied outside a commercial context. The regulation does create a lighter "open-source software steward" regime (Article 24) for legal persons, such as foundations, that provide sustained support for open-source software intended for commercial use; stewards must put a cybersecurity policy in place, cooperate with authorities and take part in vulnerability reporting, but they are not subject to the full conformity assessment obligations. When a commercial entity incorporates open-source components into a product with digital elements and places it on the EU market, that entity assumes full manufacturer obligations for those components, including SBOM documentation and vulnerability handling. Open-source maintainers whose software is commercialised by third parties therefore face indirect exposure through pressure to provide timely security fixes.
